OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Livestream filtering of containers does not send event of ref being shared #8843

Open nino-filigran opened 2 days ago

nino-filigran commented 2 days ago

Description

Environment

  1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. OpenCTI version: { e.g. OpenCTI 1.0.2 }
  3. OpenCTI client: { e.g. frontend or python }
  4. Other environment details:

Reproducible Steps

EDIT: based on discovery on our testing platform, read comments below before trying those steps

Steps to create the smallest reproducible scenario:

  1. Have an org segregation in place (main platform org) - ex filigran
  2. Set up a stream (data sharing) with filter on Reports
  3. In another platform, set up an ingestion of this stream
  4. In your main platform, create a report & add some entities (IOCs, Files, Domains, IPs)
  5. In your report, create multiple relations between your entities
  6. Share the report with the org - ex a new org
  7. Log in with a user pertaining to "the new org" on the platform where you set up the ingestion of the opencti stream

Expected Output

You should see all entities, observables and relations (assuming you have the correct marking)

Actual Output

Relations are missing & some entities too.

Additional information

Screenshots (optional)

lndrtrbn commented 2 days ago

After some testing, it seems we have an issue with events created in streams. Consider using organization sharing: when we add an entity or an observable in a report, there is an event in the stream to tell "Share this entity with the organization". But when adding a relationship, there is no such event.

For example:

In a platform using organization sharing

  • create a stream listening to label 'aaa'
  • create a report with label 'aaa'
  • share this report with
  • add a malware to this report
  • add a threat actor group to this report
  • create a relationship 'uses' between the malware and the threat actor group
  • look at the stream

You have an update event "adds 'YOUR ORGA' in 'Shared with'" for the malware and the TAG but not for the relationship. Here is a trace of the stream I had executing the scenario above: stream.txt (I added some comments to ease the reading)

First step is to analyze and fix this issue.

To add extra information, some elements are not concerned by organization sharing, you can find the list in the array STIX_ORGANIZATIONS_UNRESTRICTED. It's the case for ref relationships for example. But in our scenario 'uses' is not a ref so we should have an event in the stream.
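An added example, not from this issue or from OpenCTI's own code: a small checker for a captured stream trace such as stream.txt, which lists the objects referenced by a report that never received an "adds ORG in 'Shared with'" update event. It assumes the trace is one JSON object per line shaped like a live-stream event (type / message / data with a STIX object); that layout and the sample ids are constructed for the example, and the unrestricted types are passed in by the caller rather than read from STIX_ORGANIZATIONS_UNRESTRICTED.

```python
import json

# Constructed sample trace, one JSON object per line, shaped after an OpenCTI
# live-stream event (type / message / data holding a STIX object). The exact
# field layout is an assumption for this example, not the real stream format.
SAMPLE_TRACE = """\
{"type": "create", "message": "creates a Report `demo`", "data": {"id": "report--1", "type": "report", "object_refs": ["malware--1", "threat-actor--1"]}}
{"type": "update", "message": "adds `YOUR ORGA` in `Shared with`", "data": {"id": "malware--1", "type": "malware"}}
{"type": "update", "message": "adds `YOUR ORGA` in `Shared with`", "data": {"id": "threat-actor--1", "type": "threat-actor"}}
{"type": "create", "message": "creates a Relationship uses", "data": {"id": "relationship--1", "type": "relationship", "relationship_type": "uses", "source_ref": "threat-actor--1", "target_ref": "malware--1"}}
{"type": "update", "message": "adds `Relationship uses` in `Objects`", "data": {"id": "report--1", "type": "report", "object_refs": ["malware--1", "threat-actor--1", "relationship--1"]}}
"""


def parse_trace(text):
    """Parse a JSON-lines trace into event dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stix_type(stix_id):
    """STIX ids are '<type>--<uuid>', so the type is the part before '--'."""
    return stix_id.split("--", 1)[0]


def unshared_report_objects(events, report_id, org_name, unrestricted_types=()):
    """Return ids referenced by the report that never got an update event
    adding org_name to 'Shared with'. Types in unrestricted_types (the
    STIX_ORGANIZATIONS_UNRESTRICTED list, supplied by the caller) are skipped
    because organization sharing does not apply to them."""
    refs = set()
    shared = set()
    for ev in events:
        data = ev.get("data", {})
        if data.get("id") == report_id:
            refs.update(data.get("object_refs", []))
        msg = ev.get("message", "")
        if ev.get("type") == "update" and org_name in msg and "Shared with" in msg:
            shared.add(data.get("id"))
    return sorted(
        ref for ref in refs
        if ref not in shared and stix_type(ref) not in unrestricted_types
    )


if __name__ == "__main__":
    events = parse_trace(SAMPLE_TRACE)
    # On this sample only the 'uses' relationship lacks the share event.
    print(unshared_report_objects(events, "report--1", "YOUR ORGA"))
```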

richard-julien commented 1 day ago

It's a design choice to not auto share the SRO. Now to be requalified and discussed as a feature request

nino-filigran commented 1 day ago

After discussion, the issue is the following: