OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

The description of the relationship between an object and a TTP is not displayed #8981

Open lightw1s3 opened 5 days ago

lightw1s3 commented 5 days ago

Description

Hello! I have detected a change in the behavior when creating a relationship between any entity and an 'Attack Pattern'. Currently, when an attack pattern is introduced from the entity (for example a Threat Actor or a Campaign), despite writing a description in the relationship itself identifying the detail of the use of such TTP, the description that comes out in the “Kill Chain View” window is the one of the TTP object itself and not the one written by the analyst. This did not happen in version 6.2.0 (the version I had before, so it is the one I have identified). In the steps section I will show you examples.

Environment

  1. OS: docker.
  2. OpenCTI version: 6.3.8
  3. OpenCTI client: frontend
  4. Other details: It has been checked by deploying version 6.3.11 and the operation is exactly the same.

Reproducible Steps // Actual output -> + Screenshots

Steps to create the smallest reproducible scenario for version 6.3.8:

  1. Create a Threat Actors (group) named FIN8 and access 'Knowledge'. In turn, access the Attack patterns section.

Image

  2. A new TTP is added, in this case the one shown in the image, and in the description field an example text is written to simulate the explanation of how an actor performs the TTP.

Image

Image

  3. The creation of the TTP is displayed and, as can be seen, the TTP definition itself appears in the description field (Moreover, it is not shown in the correct kill chain, but I will report this in another bug :( )

Image

Expected Output -> + Screenshots

Steps to create the smallest reproducible scenario for version 6.2.0:

  1. Create a Threat Actors (group) called Issue OpenCTI and go to 'Knowledge'. In turn, access the Attack patterns section, in this case it is empty.

Image

  2. A new TTP is added, in this case the one shown in the image, and in the description field the same example text is written to simulate the explanation of how an actor performs the TTP.

Image

Image

  3. Once the same TTP has been created, it is possible to check how the result is different by showing the description of the relationship and not the description of the TTP object.

Image

nino-filigran commented 4 days ago

@lightw1s3 indeed, we've noticed this change: when working on this view, an unwanted side effect has been created, which is that the perspective behind these screens has changed from relation to entity, as you have noticed. We have a task to address this change: https://github.com/OpenCTI-Platform/opencti/issues/8835

lightw1s3 commented 4 days ago

Great! Sorry for the repetition, thank you very much for your answer.