OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

No graph produced on Correlation view of report with correlated reports #9198

Open dominictory opened 3 days ago

dominictory commented 3 days ago

Description

We have a report created by the CIRCL MISP feed connector. On the Overview page, we see multiple correlated reports:

Image

On the Knowledge tab, we see a graph. However, when attempting to use Correlation view, no graph is produced:

Image

Environment

6.4.0

Reproducible Steps

Expected Output

Graph is produced in Correlation view showing correlations

Actual Output

No graph produced in Correlation view. This occurs for other reports as well.

nino-filigran commented 2 days ago

@dominictory we know that this area of the app does not work well, that is why we are currently working on a task to align the graph & the data contained in the container overview: https://github.com/OpenCTI-Platform/opencti/issues/3227. In short, the 2 queries are different, resulting in a different view, as you have rightfully pointed out. Therefore, the feature should fix your bug. cc @romain-filigran FYI

ckane commented 15 hours ago

I think that I have noticed this on graphs with a large number of correlations. I don't know what, if any, limit we might be running into. I suspect that one of the filters applied in the buildCorrelationData function has a logic flaw in it.

ckane commented 13 hours ago

So I added some instrumentation to my deployment and it seems like when the number of relationships goes above 500, this behavior starts to manifest. I suspect that the hard-coded first: 500 and similar 500-entry limits are being hit somewhere along the way such that the function linked below only gets the first 500 items from the "total objects" list and it ends up not pivoting into ones with related items: