Livetstream filtering of containers does not send event of ref being shared

nino-filigran commented 2 days ago

Description

Environment

OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
OpenCTI version: { e.g. OpenCTI 1.0.2 }
OpenCTI client: { e.g. frontend or python }
Other environment details:

Reproducible Steps

EDIT: based on discovery on our testing platform, read comments below before trying those steps

Steps to create the smallest reproducible scenario:

Have an org segration in place (main platform org) - ex filigran
Set up a stream (data sharing) with filter on Reports
In another platform, set up an ingestion of this stream
In your main platform, create a report & add some entities (IOCs, Files, Domains, IPs)
In your report, create multiple relations between your entities
Share the report with the org - ex a new org
login with a user pertaining to "the new org" on the platform where you set up the ingestion of the opencti stream

Expected Output

You should see all entities, observables and relations (assuming you have the correct marking)

Actual Output

Relations are missing & some entities too.

Additional information

Screenshots (optional)

lndrtrbn commented 2 days ago

After some testing, it seems we have an issue with events created in streams. Consider using organization sharing, when we add an entity or an observable in a report, there is a event in the stream to tell "Share this entity with the organization". But when adding a relationship, there is no such event.

For example:

In a platform using organization sharing

create a stream listening to label 'aaa'

create a report with label 'aaa'

share this report with

add a malware to this report

add a threat actor group to this report

create a relationship 'uses' between the malware and the threat actor group

look the stream

You have an update event "adds 'YOUR ORGA' in 'Shared with'" for the malware and the TAG but not for the relationship. Here a trace of the stream I had executing the scenario above: stream.txt (I added some comments to ease the read)

First step is to analyze and fix this issue.

To add extra information, some elements are not concerned by organization sharing, you can find the list in the array STIX_ORGANIZATIONS_UNRESTRICTED. It's the case for ref relationships for example. But in our scenario 'uses' is not a ref so we should have an event in the stream.

richard-julien commented 1 day ago

Its a design choice to not auto share the SRO. No to be requalified and discussed as a feature request

nino-filigran commented 1 day ago

After discussion, the issue is the following:

basically, the stream filters on report
Therefore, when you create your report & add some entities and then share the report, these entities will be shared because they are part of refs of the container (report).
However if you add addiitonal entities or relations to the report, they will not be shared because the event of sharing is applied on the entity (or the relation) in itself, and not on the ref. To be clear, we send an update event based on the entity or the relation and not on the container. And because we're filtering on report, this event is not received by the stream.

OpenCTI-Platform / opencti