[backend] filter observables creation with refs from indicators (#5293)
SouadHadjiat committed Feb 28, 2024
1 parent 67fb440 commit c82e648
Showing 1 changed file with 14 additions and 3 deletions.
Expand Up @@ -6,7 +6,7 @@ import { BUS_TOPICS, logApp } from '../../config/conf';
import { notify } from '../../database/redis';
import { checkIndicatorSyntax } from '../../python/pythonBridge';
import { DatabaseError, FunctionalError } from '../../config/errors';
import { isStixCyberObservable } from '../../schema/stixCyberObservable';
import { ENTITY_EMAIL_MESSAGE, ENTITY_NETWORK_TRAFFIC, isStixCyberObservable } from '../../schema/stixCyberObservable';
import { RELATION_BASED_ON, RELATION_INDICATES } from '../../schema/stixCoreRelationship';
import {
ABSTRACT_STIX_CYBER_OBSERVABLE,
Expand Down Expand Up @@ -152,6 +152,16 @@ export const findIndicatorsForDecay = (context: AuthContext, user: AuthUser, max
return listAllEntities<BasicStoreEntityIndicator>(context, user, [ENTITY_TYPE_INDICATOR], args);
};

const validateObservableGeneration = (observableType: string, indicatorPattern: string) => {
if (observableType === ENTITY_NETWORK_TRAFFIC && (indicatorPattern.includes('dst_ref') || indicatorPattern.includes('src_ref'))) {
return false; // we can't create this type of observables (issue #5293)
}
if (observableType === ENTITY_EMAIL_MESSAGE && indicatorPattern.includes('from_ref')) {
return false; // we can't create this type of observables (issue #5293)
}
return true;
};

export const createObservablesFromIndicator = async (
context: AuthContext,
user: AuthUser,
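Review bot: the two `includes` checks in validateObservableGeneration test the whole indicator pattern rather than the expression that produced the observable being filtered, so every network-traffic (or email-message) observable extracted from a pattern is dropped as soon as the string `src_ref`, `dst_ref` or `from_ref` appears anywhere in it, including inside a literal value of an unrelated comparison. Matching the qualified property (`network-traffic:src_ref`, `network-traffic:dst_ref`, `email-message:from_ref`) instead of the bare substring would narrow this, and a unit test with one pattern per branch plus one pattern that must pass would pin the behaviour down. The comments on the two `return false` lines only say that these observables cannot be created; one sentence on why (what the ref would need to point at) would help the next reader. Minor: the function returns a boolean and never throws, so a name like `canGenerateObservable` describes it better than `validate...`.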
Expand All @@ -160,9 +170,10 @@ export const createObservablesFromIndicator = async (
) => {
const { pattern } = indicator;
const observables = extractObservablesFromIndicatorPattern(pattern);
const filteredObservables = observables.filter((obs) => validateObservableGeneration(obs.type, pattern));

const observablesToLink = [];
for (let index = 0; index < observables.length; index += 1) {
const observable = observables[index];
for (let index = 0; index < filteredObservables.length; index += 1) {
const observable = filteredObservables[index];

const observableInput = {
...R.dissoc('type', observable),
x_opencti_description: indicator.description
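Review bot: observables removed by the `filter` on the `filteredObservables` line are discarded silently, so a user who expected a network-traffic or email-message observable from this indicator gets nothing and no explanation. `logApp` is already imported at the top of this file; a `logApp.info` (or debug) entry naming the indicator and the observable types that were skipped would make the new behaviour traceable. Worth confirming as well that the callers cope with `filteredObservables` being empty, since the loop then never runs and `observablesToLink` stays `[]`.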

0 comments on commit c82e648