Do opencti tend to discard the relationship even if it is explicitly mentioned in the stix file ?
I have a scenario which i am currently facing where relationship between an artifact and individual is not being displayed in the knowledge graph(Relationship-type : related-to) of the report and no relationship is present inside the artifact as well . It contains other sdo's as well which are all related to that "individual" but some of them are being discarded even after the relationship is mentioned in stix file.
For better understanding review the ss and the stix objects mentioned .
Environment
OS (where OpenCTI server runs): AWS t2.large Ubuntu 22.04
OpenCTI version: OpenCTI 6.3.13
OpenCTI client: frontend
This is how it currently is:
And this is how it should be:
I created it manually but it should be created automatically right?
Stix object (Altered for security reasons):
So in this ... only the individual A relationship is displayed and individual B relationship is discarded . But the desired outcome should be like this
(Note: The individual between all the oobjets is the {individual B})
{
"type": "threat-actor",
"spec_version": "2.1",
"id": "threat-actor--bc3f610a-5644-4f23-b1c4-d373e0589bdc",
"created": "2023-10-20T11:11:24.000Z",
"modified": "2024-07-15T12:26:43.000Z",
"name": "....",
"description": "...",
"threat_actor_types": [
"individual"
],
"aliases": [
"['....']"
]
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837",
"mime_type": "text/plain",
"url": "....",
"hashes": {
"SHA-256": "e60c5ed7bf6900f35509234dbf2713b07befc3fb99161509ef158c85c0715c51"
}
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--352b6b03-1c08-4fe5-8b47-d21f3c34c48a",
"created": "2024-11-16T09:31:51.680741Z",
"modified": "2024-11-16T09:31:51.680741Z",
"relationship_type": "related-to",
"description": "....",
"source_ref": "threat-actor--bc3f610a-5644-4f23-b1c4-d373e0589bdc",
"target_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--6bf10e55-2463-4b89-8ffb-7ce89590140d",
"created": "2024-11-16T09:31:51.680831Z",
"modified": "2024-11-16T09:31:51.680839Z",
"abstract": "....",
"content": "....",
"authors": [
".."
],
"object_refs": [
"artifact--341a491f-121f-4bc7-8c38-01fbf65bf837"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bcb20611-7561-42c8-ad78-a7beeb97e578",
"created": "2024-11-16T09:31:51.680942Z",
"modified": "2024-11-16T09:31:51.680942Z",
"relationship_type": "related-to",
"description": "...",
"source_ref": "note--6bf10e55-2463-4b89-8ffb-7ce89590140d",
"target_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837"
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--cab54e2d-1af9-4496-8430-90fa774f912c",
"created": "2024-11-16T09:31:51.681014Z",
"modified": "2024-11-16T09:31:51.681014Z",
"name": "A",
"identity_class": "individual"
},{
"type": "identity",
"spec_version": "2.1",
"id": "identity--419a57f5-8ead-41e6-a4e6-09881ca446b1",
"created": "2024-11-16T09:31:51.681149Z",
"modified": "2024-11-16T09:31:51.681149Z",
"name": "B",
"identity_class": "individual"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--65d2dc1d-6d95-4804-bb15-7b4ced52637b",
"created": "2024-11-16T09:31:51.681082Z",
"modified": "2024-11-16T09:31:51.681082Z",
"relationship_type": "related-to",
"description": "the user: A",
"source_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837",
"target_ref": "identity--cab54e2d-1af9-4496-8430-90fa774f912c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a85965cf-33f0-4fb3-9236-f2e2e1ffa939",
"created": "2024-11-16T09:31:51.681217Z",
"modified": "2024-11-16T09:31:51.681217Z",
"relationship_type": "related-to",
"description": " the user: B",
"source_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837",
"target_ref": "identity--419a57f5-8ead-41e6-a4e6-09881ca446b1"
},
further all the relationships and objects are containerised correctly in a report file .
Description
Do opencti tend to discard the relationship even if it is explicitly mentioned in the stix file ? I have a scenario which i am currently facing where relationship between an artifact and individual is not being displayed in the knowledge graph(Relationship-type : related-to) of the report and no relationship is present inside the artifact as well . It contains other sdo's as well which are all related to that "individual" but some of them are being discarded even after the relationship is mentioned in stix file.
For better understanding review the ss and the stix objects mentioned .
Environment
This is how it currently is:
And this is how it should be: I created it manually but it should be created automatically right?
Stix object (Altered for security reasons):
So in this ... only the individual A relationship is displayed and individual B relationship is discarded . But the desired outcome should be like this
(Note: The individual between all the oobjets is the {individual B})
{
"type": "threat-actor",
"spec_version": "2.1",
"id": "threat-actor--bc3f610a-5644-4f23-b1c4-d373e0589bdc",
"created": "2023-10-20T11:11:24.000Z",
"modified": "2024-07-15T12:26:43.000Z",
"name": "....",
"description": "...",
"threat_actor_types": [
"individual"
],
"aliases": [
"['....']"
]
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837",
"mime_type": "text/plain",
"url": "....",
"hashes": {
"SHA-256": "e60c5ed7bf6900f35509234dbf2713b07befc3fb99161509ef158c85c0715c51"
}
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--352b6b03-1c08-4fe5-8b47-d21f3c34c48a",
"created": "2024-11-16T09:31:51.680741Z",
"modified": "2024-11-16T09:31:51.680741Z",
"relationship_type": "related-to",
"description": "....",
"source_ref": "threat-actor--bc3f610a-5644-4f23-b1c4-d373e0589bdc",
"target_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--6bf10e55-2463-4b89-8ffb-7ce89590140d",
"created": "2024-11-16T09:31:51.680831Z",
"modified": "2024-11-16T09:31:51.680839Z",
"abstract": "....",
"content": "....",
"authors": [
".."
],
"object_refs": [
"artifact--341a491f-121f-4bc7-8c38-01fbf65bf837"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bcb20611-7561-42c8-ad78-a7beeb97e578",
"created": "2024-11-16T09:31:51.680942Z",
"modified": "2024-11-16T09:31:51.680942Z",
"relationship_type": "related-to",
"description": "...",
"source_ref": "note--6bf10e55-2463-4b89-8ffb-7ce89590140d",
"target_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837"
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--cab54e2d-1af9-4496-8430-90fa774f912c",
"created": "2024-11-16T09:31:51.681014Z",
"modified": "2024-11-16T09:31:51.681014Z",
"name": "A",
"identity_class": "individual"
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--419a57f5-8ead-41e6-a4e6-09881ca446b1",
"created": "2024-11-16T09:31:51.681149Z",
"modified": "2024-11-16T09:31:51.681149Z",
"name": "B",
"identity_class": "individual"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--65d2dc1d-6d95-4804-bb15-7b4ced52637b",
"created": "2024-11-16T09:31:51.681082Z",
"modified": "2024-11-16T09:31:51.681082Z",
"relationship_type": "related-to",
"description": "the user: A",
"source_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837",
"target_ref": "identity--cab54e2d-1af9-4496-8430-90fa774f912c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a85965cf-33f0-4fb3-9236-f2e2e1ffa939",
"created": "2024-11-16T09:31:51.681217Z",
"modified": "2024-11-16T09:31:51.681217Z",
"relationship_type": "related-to",
"description": " the user: B",
"source_ref": "artifact--341a491f-121f-4bc7-8c38-01fbf65bf837",
"target_ref": "identity--419a57f5-8ead-41e6-a4e6-09881ca446b1"
},
further all the relationships and objects are containerised correctly in a report file .