OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Playbooks - 'Enrich Knowledge' step fails to execute #8250

Open damians-filigran opened 2 weeks ago

damians-filigran commented 2 weeks ago

Description

When a playbook is executed, the 'Enrich Knowledge' step fails to run. This means enrichments such as VirusTotal cannot be automated.

Environment

  1. SaaS
  2. OpenCTI version: 6.2.18
  3. OpenCTI client: Frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create an Incident Response case with some observables contained in the case
  2. Create a playbook with the following steps:
    • Listen for knowledge (filter for the case)
    • Apply Predefined Rule > Resolve container references (add in bundle)
    • Reduce knowledge (Filter for Entity Type = IPv4 address)
    • Enrich through connector (VirusTotal)
    • Send for ingestion

Expected Output

The playbook runs through all 5 steps

Actual Output

The playbook runs through the first three steps, and does not continue. There is no error

Additional information

The enrichment connector was tested with various different enrichments; all gave the same outcome

Screenshots (optional)

(three screenshots attached to the issue)

Jipegien commented 2 weeks ago

https://testing.octi.staging.filigran.io/dashboard/data/processing/automation/07f06c59-e28d-4550-b593-73ba5448cffc

aHenryJard commented 6 days ago

@Jipegien @damians-filigran For your information, from my different tests enrich knowledge is working correctly on normal usage. The issue on the linked playbook in the comment is that a report is sent for enrichment to a connector that does not enrich reports and raises an error. So the issue here is more that when an enrichment issue occurs there is no feedback from connector to playbook.

aHenryJard commented 6 days ago

I think it relates to https://github.com/OpenCTI-Platform/opencti/issues/8353 (cc @romain-filigran )

romain-filigran commented 6 days ago

I confirm @aHenryJard's observation. Currently, if an enrichment connector doesn't produce any results (which is the case if the connector is not able to process the entity type, or if it simply doesn't return anything (case of hygiene on a non-malicious IP)), the playbook stops. We need to do something about this. cc @richard-julien

richard-julien commented 6 days ago

Connectors must be adapted to follow the initial bundle if nothing is executed, only in playbook mode.
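
To make the behaviour discussed in this thread concrete, here is a toy model (added illustration, not OpenCTI or pycti code) of a playbook executor with a hypothetical enrichment connector. The bundle is a minimal constructed STIX-like dict, and the `legacy_enrich` / `playbook_enrich` / `run_playbook` names and signatures are assumptions for the example only. It shows the reported stall (connector returns nothing for a report, the playbook silently stops) and the proposed fix (in playbook mode the connector passes the initial bundle through so downstream steps still run), while leaving non-playbook behaviour unchanged.

```python
"""Toy model of the playbook stall discussed in this issue.

Added example, not OpenCTI/pycti code: the bundle is a constructed
STIX-like dict and the connector/executor interfaces are hypothetical.
"""
from copy import deepcopy

# Constructed sample bundle: a report plus one IPv4 observable (TEST-NET-1 address).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "report", "id": "report--1", "name": "IR case export"},
        {"type": "ipv4-addr", "id": "ipv4-addr--1", "value": "192.0.2.10"},
    ],
}


def legacy_enrich(bundle, entity):
    """Hypothetical connector that only enriches ipv4-addr objects.

    For any other entity type it returns None, which the playbook
    interprets as 'no output' and therefore stops (reported behaviour).
    """
    if entity["type"] != "ipv4-addr":
        return None
    out = deepcopy(bundle)  # never mutate the caller's bundle
    out["objects"].append(
        {"type": "note", "id": f"note--{entity['id']}", "content": "score: 0"}
    )
    return out


def playbook_enrich(bundle, entity, *, playbook_mode):
    """Connector adapted as proposed in the thread: when nothing was enriched
    and we are in playbook mode, follow (return) the initial bundle unchanged.
    Outside playbook mode the legacy behaviour is kept."""
    result = legacy_enrich(bundle, entity)
    if result is None and playbook_mode:
        return bundle
    return result


def run_playbook(bundle, entity, steps):
    """Minimal executor: each step receives the current bundle and the entity
    being processed. The run stops at the first step that yields no bundle;
    returns (names of completed steps, final bundle or None)."""
    completed = []
    current = bundle
    for name, fn in steps:
        current = fn(current, entity)
        if current is None:
            return completed, None  # silent stop, no feedback to the playbook
        completed.append(name)
    return completed, current


def legacy_steps():
    # 'Enrich through connector' followed by 'Send for ingestion'
    return [("enrich", legacy_enrich), ("ingest", lambda b, e: b)]


def adapted_steps():
    return [
        ("enrich", lambda b, e: playbook_enrich(b, e, playbook_mode=True)),
        ("ingest", lambda b, e: b),
    ]


if __name__ == "__main__":
    report = SAMPLE_BUNDLE["objects"][0]
    print("legacy  :", run_playbook(SAMPLE_BUNDLE, report, legacy_steps())[0])
    print("adapted :", run_playbook(SAMPLE_BUNDLE, report, adapted_steps())[0])
```

Running it shows the legacy connector completing no steps for the report entity, whereas the adapted connector lets both steps complete with the original bundle; an IPv4 entity is enriched identically in both variants.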

aHenryJard commented 5 days ago

OK, I'll go that way then.

richard-julien commented 5 days ago

You can sync with the integration team @aHenryJard, I think it's important for them to take ownership of this.

damians-filigran commented 4 days ago

I wonder also if it's a question of documentation / best practices. The docs are reasonably good for playbooks in general, but some demonstrations of "this is the bundle", and "this is how you need to filter in/out the elements the enrichment will work on", before enriching. Also troubleshooting. Some graphics showing an example playbook and the flow of STIX icons that are directed through branches and down each path, etc.

helene-nguyen commented 3 days ago

Discussed with @aHenryJard, I will check.