
[hybrid-analysis-sandbox] error when adding relationships with observables after analysis #1160

Closed
yassine-ouaamou opened this issue May 29, 2023 · 4 comments
Assignees
Labels
bug use for describing something not working as expected solved use to identify issue that has been solved (must be linked to the solving PR)

Comments

@yassine-ouaamou
Member

Description

Error when using Hybrid-Analysis-Sandbox to enrich a URL.

Environment

  1. OS Windows 10
  2. OpenCTI version: 5.7.6
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Enrich a URL using hybrid-analysis-sandbox. The URL report must generate IPv4 addresses and Domain names

Expected Output

Actual Output

"errors": [
    {
        "timestamp": "2023-05-29T08:59:59.939Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.098Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.198Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.275Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.299Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.351Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.464Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and Domain-Name'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.487Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and IPv4-Addr'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.514Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and IPv4-Addr'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.626Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and IPv4-Addr'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.641Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and IPv4-Addr'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.678Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and IPv4-Addr'}"
    },
    {
        "timestamp": "2023-05-29T09:00:00.800Z",
        "message": "{'name': 'FunctionalError', 'message': 'The relationship type communicates-with is not allowed between Url and IPv4-Addr'}"
    }
]

Additional information

Screenshots (optional)


@yassine-ouaamou yassine-ouaamou self-assigned this May 29, 2023
@yassine-ouaamou yassine-ouaamou added the bug use for describing something not working as expected label May 29, 2023
@Jipegien
Member

"Communicates-with" is a relation used in the context of the "Infrastructure" SDO that we will not use for the moment here.

A URL should be associated with a domain-name (possibly the related-to relationship, as I do not see a specific one). And a domain-name can be associated with multiple SCOs like IP addresses with the "resolves-to" relationship.

@yassine-ouaamou
Member Author

Ok!
So a URL is related-to a domain name
What about Url -> IPv4? (Not Domain-Name -> IPv4)
Url -> IPv6 also?

In the STIX spec, no relation is specified between these two objects.

I noticed that there was the same issue between Url -> Attack-Pattern?

@Jipegien
Member

There is no direct relation between URL and IPv4 or v6.

Attack-pattern is a high-level concept. Linking a URL directly to an Attack-pattern doesn't make sense because a URL cannot be observed in every instance of an Attack-pattern (malicious.com/something is not used in every Spear-Phishing).
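As an added example (not the connector's or OpenCTI's own code), this shows how a connector could map the observables from a sandbox URL report onto the relationship types the thread says are acceptable (Url related-to Domain-Name, Domain-Name resolves-to IP) and reject the ones the platform refused. The ALLOWED table, the inclusion of IPv6-Addr next to IPv4-Addr, and the sample URL and IPs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit
from ipaddress import ip_address

# Relationship types accepted between these observable types, following the
# thread: Url -> Domain-Name via related-to, Domain-Name -> IP via resolves-to.
# Listing IPv6-Addr alongside IPv4-Addr is an assumption ("IP addresses").
ALLOWED = {
    ("Url", "related-to", "Domain-Name"),
    ("Domain-Name", "resolves-to", "IPv4-Addr"),
    ("Domain-Name", "resolves-to", "IPv6-Addr"),
}


def check_relationship(src_type, rel_type, dst_type):
    """Mimic the platform-side check that produced the FunctionalError above."""
    if (src_type, rel_type, dst_type) not in ALLOWED:
        raise ValueError(
            f"The relationship type {rel_type} is not allowed "
            f"between {src_type} and {dst_type}"
        )


def ip_type(value):
    """Observable type for an IP literal (raises ValueError if not an IP)."""
    return "IPv6-Addr" if ip_address(value).version == 6 else "IPv4-Addr"


def plan_relationships(url, resolved_ips):
    """Return (src_type, src_value, rel_type, dst_type, dst_value) tuples for a
    URL and the IPs the report says it resolved to. The URL is linked to its
    host domain, and the domain to the IPs; the URL is never linked to an IP."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    try:
        ip_address(host)
    except ValueError:
        pass  # host is a domain name: proceed
    else:
        return []  # host is an IP literal: no allowed Url -> IP relationship
    rels = [("Url", url, "related-to", "Domain-Name", host)]
    for ip in resolved_ips:
        rels.append(("Domain-Name", host, "resolves-to", ip_type(ip), ip))
    for src_t, _, rel, dst_t, _ in rels:
        check_relationship(src_t, rel, dst_t)  # fail early, not per-bundle
    return rels
```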

@SamuelHassine SamuelHassine added this to the Release 5.12.0 milestone Oct 14, 2023
@SamuelHassine SamuelHassine removed this from the Release 5.12.6 milestone Jan 8, 2024
@SamuelHassine SamuelHassine added this to the Release 5.12.18 milestone Jan 16, 2024
@SamuelHassine
Member

Solved!

@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Jan 16, 2024
@SamuelHassine SamuelHassine removed this from the Release 5.12.18 milestone Jan 16, 2024