Livetstream filtering of containers does not send event of ref being shared

[nino-filigran]

Description

Environment

1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
2. OpenCTI version: { e.g. OpenCTI 1.0.2 }
3. OpenCTI client: { e.g. frontend or python }
4. Other environment details:

Reproducible Steps

EDIT: based on discovery on our testing platform, read comments below before trying those steps

Steps to create the smallest reproducible scenario:

1. Have an org segration in place (main platform org) - ex filigran
2. Set up a stream (data sharing) with filter on Reports
3. In another platform, set up an ingestion of this stream
4. In your main platform, create a report & add some entities (IOCs, Files, Domains, IPs)
5. In your report, create multiple relations between your entities
6. Share the report with the org - ex a new org
7. login with a user pertaining to "the new org" on the platform where you set up the ingestion of the opencti stream

Expected Output

You should see all entities, observables and relations (assuming you have the correct marking)

Actual Output

Relations are missing & some entities too.

Additional information

Screenshots (optional)

[lndrtrbn]

After some testing, it seems we have an issue with events created in streams. Consider using organization sharing, when we add an entity or an observable in a report, there is a event in the stream to tell "Share this entity with the organization". But when adding a relationship, there is no such event.

For example:

In a platform using organization sharing

• create a stream listening to label 'aaa'
• create a report with label 'aaa'
• share this report with
• add a malware to this report
• add a threat actor group to this report
• create a relationship 'uses' between the malware and the threat actor group
• look the stream

You have an update event "adds 'YOUR ORGA' in 'Shared with'" for the malware and the TAG but not for the relationship. Here a trace of the stream I had executing the scenario above: stream.txt (I added some comments to ease the read)

First step is to analyze and fix this issue.

To add extra information, some elements are not concerned by organization sharing, you can find the list in the array STIX_ORGANIZATIONS_UNRESTRICTED. It's the case for ref relationships for example. But in our scenario 'uses' is not a ref so we should have an event in the stream.

[richard-julien]

Its a design choice to not auto share the SRO. No to be requalified and discussed as a feature request

[nino-filigran]

After discussion, the issue is the following:

• basically, the stream filters on report
• Therefore, when you create your report & add some entities and then share the report, these entities will be shared because they are part of refs of the container (report).
• However if you add addiitonal entities or relations to the report, they will not be shared because the event of sharing is applied on the entity (or the relation) in itself, and not on the ref. To be clear, we send an update event based on the entity or the relation and not on the container. And because we're filtering on report, this event is not received by the stream.