
Cisco Threat Intelligence API

No relationship is returned by CTIA for a sighting which is related to an indicator #766

Closed hshahman closed 5 years ago

hshahman commented 5 years ago

Env: TEST

The problem is that no relationships are shown in the sighting table of the Observables panel. The same issue occurs in the sighting tab of the Intelligence page under Public Sources.

To reproduce the issue: I created a sighting for SHA256 "4347c1ff3c7f194e6bea4a53a0a59346f9d3445ef1b79343317dd1b68ff5a7c2" and linked that sighting to an indicator via a relationship, all in CTIA. Investigating that SHA256 returns the sighting and the indicator in the Observables panel, but no relationships appear in the sighting table (the enrich response below likewise contains only "indicators" and "sightings", with no "relationships" entry).

https://visibility.test.iroh.site/#/investigate?q=4347c1ff3c7f194e6bea4a53a0a59346f9d3445ef1b79343317dd1b68ff5a7c2%20


CTIA Relationship:

{
  "description": "update relationship by PUT endpoint",
  "schema_version": "1.0.8",
  "target_ref": "https://intel.test.iroh.site:443/ctia/indicator/indicator-acdc4352-0fb9-40d3-afad-66f1cdbe5418",
  "type": "relationship",
  "source": "C371775",
  "external_ids": [
    "qbfVwOQaWYABigrl"
  ],
  "source_uri": "update.relationship.qa.bla",
  "source_ref": "https://intel.test.iroh.site:443/ctia/sighting/sighting-ab849a18-ab05-4f1e-b247-c65073540620",
  "id": "https://intel.test.iroh.site:443/ctia/relationship/relationship-4fab94b1-26ac-4118-bb17-324cc741b2e3",
  "tlp": "green",
  "relationship_type": "indicates"
}

CTIA Sighting:

{
  "description": "C371775",
  "schema_version": "1.0.8",
  "observables": [
    {
      "value": "4347c1ff3c7f194e6bea4a53a0a59346f9d3445ef1b79343317dd1b68ff5a7c2",
      "type": "sha256"
    }
  ],
  "type": "sighting",
  "id": "https://intel.test.iroh.site:443/ctia/sighting/sighting-ab849a18-ab05-4f1e-b247-c65073540620",
  "count": 1,
  "tlp": "white",
  "timestamp": "2018-12-11T20:31:29.143Z",
  "confidence": "Unknown",
  "observed_time": {
    "start_time": "2018-12-11T20:31:29.143Z",
    "end_time": "2018-12-21T20:31:29.143Z"
  }
}

CTIA Indicator:

{
  "tlp": "white",
  "schema_version": "1.0.8",
  "type": "indicator",
  "producer": "AMP Event",
  "id": "https://intel.test.iroh.site:443/ctia/indicator/indicator-acdc4352-0fb9-40d3-afad-66f1cdbe5418",
  "description": "C371775",
  "valid_time": {
    "start_time": "2018-12-11T20:31:29.143Z",
    "end_time": "2018-12-21T20:31:29.143Z"
  },
  "timestamp": "2018-12-11T20:31:29.143Z"
}

Call to iroh-enrich/observe/observables:

# JWT_TOKEN is a placeholder: substitute a bearer token valid for the TEST environment, and never paste a live token into an issue.
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer JWT_TOKEN' -d '[{"value": "4347c1ff3c7f194e6bea4a53a0a59346f9d3445ef1b79343317dd1b68ff5a7c2", "type": "sha256"}]' 'https://visibility.test.iroh.site/iroh/iroh-enrich/observe/observables'

Response:

{
  "data": [
    {
      "module": "AMP File Reputation",
      "module-type": "POKEDeliberateModule",
      "data": {
        "verdicts": {
          "count": 0,
          "docs": []
        },
        "judgements": {
          "count": 0,
          "docs": []
        }
      }
    },
    {
      "module": "AMP Global Intel",
      "module-type": "CTIAInvestigateModule",
      "data": {
        "indicators": {
          "count": 1,
          "docs": [
            {
              "valid_time": {
                "start_time": "2018-12-11T20:31:29.143Z",
                "end_time": "2018-12-21T20:31:29.143Z"
              },
              "tlp": "white",
              "producer": "AMP Event",
              "schema_version": "1.0.8",
              "type": "indicator",
              "description": "C371775",
              "id": "https://intel.test.iroh.site:443/ctia/indicator/indicator-acdc4352-0fb9-40d3-afad-66f1cdbe5418",
              "timestamp": "2018-12-11T20:31:29.143Z"
            }
          ]
        },
        "sightings": {
          "count": 1,
          "docs": [
            {
              "description": "C371775",
              "schema_version": "1.0.8",
              "observables": [
                {
                  "value": "4347c1ff3c7f194e6bea4a53a0a59346f9d3445ef1b79343317dd1b68ff5a7c2",
                  "type": "sha256"
                }
              ],
              "type": "sighting",
              "id": "https://intel.test.iroh.site:443/ctia/sighting/sighting-ab849a18-ab05-4f1e-b247-c65073540620",
              "count": 1,
              "tlp": "white",
              "timestamp": "2018-12-11T20:31:29.143Z",
              "confidence": "Unknown",
              "observed_time": {
                "start_time": "2018-12-11T20:31:29.143Z",
                "end_time": "2018-12-21T20:31:29.143Z"
              }
            }
          ]
        }
      }
    },
    {
      "module": "Talos Intelligence",
      "module-type": "SenderBaseInvestigateModule",
      "data": {}
    },
    {
      "module": "Threat Grid - AMP",
      "module-type": "ThreatgridModule",
      "data": {}
    },
    {
      "module": "VirusTotal",
      "module-type": "VirusTotalInvestigateModule",
      "data": {}
    }
  ]
}
hshahman commented 5 years ago

Not an issue