OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

TLPs based on the default marking by the group of the entity-creating user are not given when fetching TAXII feeds #8422

Open hiitisui opened 4 weeks ago

hiitisui commented 4 weeks ago

Description

Environment

  1. OS (where OpenCTI server runs): Ubuntu 22.04 LTS
  2. OpenCTI version: OpenCTI 6.3.1
  3. OpenCTI client: frontend
  4. Other environment details: Frontend: 1 node; Ingestion: 4 nodes (4 workers per ingestion node); Search engine: ELK 8.15.0; RabbitMQ: 3.12.14; Redis: 7.4.0

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a group that includes the user who will create the TAXII feed. Associate the group with the Connectors role.
  2. Configure the following TLP-related settings for the group:
    • Enable the option to "Automatically apply new data markings to this group."
    • In the "Marking" settings, check all TLPs under "Allowed Marking Definitions."
    • Set TLP:AMBER+STRICT as the "Default Marking."
  3. Create a user within the group that will be used to create the TAXII feed.
  4. From the GUI, go to Ingestion > TAXII Feeds and configure the feed. Set the user created in step 3 as the "User responsible for data creation."
  5. Start retrieving the feed.
  6. In Customization > Entity types, enable MARKINGS as the DEFAULT VALUES for Indicator, Report, Malware, and Attack Pattern.

Expected Output

TLP:AMBER+STRICT is set for the Indicator, Report, Malware, and Attack Pattern entities

Actual Output

TLP is not set in Marking for entities fetched as Indicator etc. and is displayed as NONE.

nino-filigran commented 4 weeks ago

@hiitisui just to be clear: do the entities that are sent to your feed have a marking before the ingestion?

hiitisui commented 4 weeks ago

@nino-filigran The contents of the TAXII feed before it is ingested do not contain any TLP. Also, just to be sure, entities created from the TAXII feed and entities existing on OpenCTI do not overlap.

nino-filigran commented 3 weeks ago

Hey @hiitisui This is not a bug though, but a normal behavior. I'll switch this to a feature request.

Indeed, the Default marking when creating entities does not apply when ingesting through a TAXII feed, since we do not alter the data. Indeed, the default marking would kick in only when you "really" create new data (i.e. manually creating data in your platform). Indeed, otherwise, there could be a risk for instance that you replace a TLP:RED marking with a lower marking. However, I understand your issue & maybe it could make sense to apply this default marking if the entities ingested through the TAXII feed do not have any marking.

hiitisui commented 3 weeks ago

@nino-filigran Thank you for your confirmation. I understood that it is a specification that does not function for automated processes. As you mentioned, I would like to request a feature to overwrite the TLP for each Connector as a feature request. I believe the risk of being downgraded to a lower marking can be avoided by allowing conditions such as setting the default marking only when no TLP is assigned.

nino-filigran commented 3 weeks ago

That is right, we should have such a mechanism in place if we implement this behavior. When/if we work on this, we will assign a milestone & add details regarding the chosen solution.
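The behavior discussed in this thread (apply a group's default marking to ingested objects only when they carry no TLP, and never replace a more restrictive marking such as TLP:RED with a lower one) can be sketched as a pre-ingestion filter over a STIX bundle. The following is an added illustration, not OpenCTI code and not the project's planned implementation; the marking-definition ids, the TLP ranking table and the sample bundle are constructed placeholders, and a real deployment would resolve ids from the platform's own marking definitions.

```python
"""Apply a default marking to TAXII-ingested STIX objects without downgrading.

Added example (not OpenCTI's code). Marking ids, ranks and bundle contents are
constructed placeholders for illustration only.
"""
import copy

# Constructed ranking of marking-definition ids: higher = more restrictive.
# The ids are placeholders, not real OpenCTI/STIX identifiers.
TLP_RANK = {
    "marking-definition--tlp-clear": 0,
    "marking-definition--tlp-green": 1,
    "marking-definition--tlp-amber": 2,
    "marking-definition--tlp-amber-strict": 3,
    "marking-definition--tlp-red": 4,
}

# Entity types the thread asks to receive the default marking.
MARKABLE_TYPES = {"indicator", "report", "malware", "attack-pattern"}

# Constructed TAXII bundle: one unmarked indicator, a TLP:RED report, a
# TLP:GREEN malware, an attack pattern with only a non-TLP statement marking,
# and a relationship that is out of scope.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000b1",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix"},
        {"type": "report", "id": "report--00000000-0000-4000-8000-000000000002",
         "name": "Constructed report",
         "object_marking_refs": ["marking-definition--tlp-red"]},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003",
         "name": "Constructed malware",
         "object_marking_refs": ["marking-definition--tlp-green"]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "name": "Constructed technique",
         "object_marking_refs": ["marking-definition--statement-1"]},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000005",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000001",
         "target_ref": "malware--00000000-0000-4000-8000-000000000003"},
    ],
}


def highest_tlp(marking_refs):
    """Rank of the most restrictive TLP in marking_refs, or None if no TLP is present.
    Non-TLP markings (e.g. statements) are ignored, so an object carrying only a
    statement counts as having no TLP assigned."""
    ranks = [TLP_RANK[m] for m in marking_refs if m in TLP_RANK]
    return max(ranks) if ranks else None


def apply_default_marking(bundle, default_marking, overwrite=False):
    """Return (new_bundle, decisions) for a group default marking.

    Default mode: the default is added only to objects with no TLP at all.
    overwrite=True: additionally raises a lower existing TLP to the default,
    but never lowers one (the TLP:RED concern raised in the thread).
    The input bundle is left untouched."""
    default_rank = TLP_RANK[default_marking]
    out = copy.deepcopy(bundle)
    decisions = {}
    for obj in out.get("objects", []):
        if obj.get("type") not in MARKABLE_TYPES:
            continue
        refs = list(obj.get("object_marking_refs", []))
        current = highest_tlp(refs)
        if current is None:
            obj["object_marking_refs"] = refs + [default_marking]
            decisions[obj["id"]] = "default-applied"
        elif overwrite and current < default_rank:
            # Replace the weaker TLP, keep any non-TLP markings.
            obj["object_marking_refs"] = [m for m in refs if m not in TLP_RANK] + [default_marking]
            decisions[obj["id"]] = "raised-to-default"
        else:
            decisions[obj["id"]] = "kept-existing"
    return out, decisions


if __name__ == "__main__":
    _, decisions = apply_default_marking(SAMPLE_BUNDLE, "marking-definition--tlp-amber-strict")
    for object_id, decision in decisions.items():
        print(f"{object_id}: {decision}")
```

Run as a script it prints one decision per markable object; in the default mode only the unmarked indicator and the statement-only attack pattern receive TLP:AMBER+STRICT, while the TLP:RED report and TLP:GREEN malware are left as the feed delivered them.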