OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

TAXII ingestor ignores `valid_until` property on `Indicator` objects #9045

Open r-smith opened 5 days ago

r-smith commented 5 days ago

Description

The TAXII feed ingestor ignores the valid_until property when ingesting STIX Indicator objects.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 24.04
  2. OpenCTI version: 6.3.13
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Point the TAXII ingestor to a TAXII server that returns the following sample STIX indicator:
    {
      "objects": [
        {
          "type": "indicator",
          "spec_version": "2.1",
          "id": "indicator--a831dcab-392e-5927-8ed7-9b8c3b343526",
          "indicator_types": [
            "malicious-activity"
          ],
          "pattern": "[ipv4-addr:value = '127.0.0.1']",
          "pattern_type": "stix",
          "created": "2024-11-16T12:12:30.000Z",
          "modified": "2024-11-16T12:12:30.000Z",
          "valid_from": "2024-11-16T12:12:30.000Z",
          "valid_until": "2025-01-16T12:12:30.000Z"
        }
      ]
    }

Expected Output

valid_until should be set to the timestamp specified in the STIX Indicator object.

Actual Output

valid_until is ignored and always set to a fixed 9 months.
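
A check for the behaviour reported above, as an added example that is not part of the original issue or of OpenCTI's code: it computes the expiry an ingestor should keep for each indicator in a bundle and lists the ones whose stored value differs. The function names, the `stored` mapping (indicator id to the `valid_until` held after ingestion) and the 270-day fallback standing in for the "fixed 9 months" are assumptions.

```python
import json
from datetime import datetime, timedelta

def parse_ts(value):
    """Parse a STIX 2.1 timestamp (RFC 3339 with a 'Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def expected_valid_until(indicator, fallback):
    """Expiry an ingestor should store: the feed's value, else a default."""
    valid_from = parse_ts(indicator["valid_from"])
    raw = indicator.get("valid_until")
    if raw is None:
        return valid_from + fallback  # default applies only when the feed omits it
    valid_until = parse_ts(raw)
    # STIX 2.1 requires valid_until to be later than valid_from.
    if valid_until <= valid_from:
        raise ValueError(f"{indicator['id']}: valid_until is not after valid_from")
    return valid_until

def audit(bundle, stored, fallback):
    """Return (id, expected, stored) for indicators whose stored expiry differs."""
    mismatches = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj["id"] not in stored:
            continue
        expected = expected_valid_until(obj, fallback)
        actual = parse_ts(stored[obj["id"]])
        if actual != expected:
            mismatches.append((obj["id"], expected, actual))
    return mismatches

# Relevant fields of the indicator from the report above.
BUNDLE = json.loads("""
{"objects": [{
  "type": "indicator",
  "id": "indicator--a831dcab-392e-5927-8ed7-9b8c3b343526",
  "valid_from": "2024-11-16T12:12:30.000Z",
  "valid_until": "2025-01-16T12:12:30.000Z"
}]}
""")
FALLBACK = timedelta(days=270)  # assumed stand-in for the "fixed 9 months"
# Constructed: the expiry a platform would hold if it applied FALLBACK regardless.
STORED = {"indicator--a831dcab-392e-5927-8ed7-9b8c3b343526": "2025-08-13T12:12:30.000Z"}

if __name__ == "__main__":
    for ind_id, expected, actual in audit(BUNDLE, STORED, FALLBACK):
        print(f"{ind_id}: feed says {expected.isoformat()}, stored {actual.isoformat()}")
```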