network-traffic Observable created from a malicious-activity indicator doesn't have any dst_ref and linked object #5293
Comments
Multiple problems to note:
We cannot fix it simply. STIX pattern is not an explicit language. It is not a language made to be parsed, it is a language made to search for something. There are too many situations where we cannot decide what to create. So, this is not a bug. We do not know how to create dst_ref, src_ref and from_ref. To handle that, we need to change our algorithm massively. #5584 We must stop importing inconsistent data. So we will discard observable creation for email and network traffic when dst_ref, src_ref or from_ref is in the pattern.
Description
When using the OpenCTI import feature to ingest 2023-12-22-Indicator.json, the use of the
"x_opencti_create_observables": true
STIX additional property doesn't properly create an associated network-traffic observable that contains the observed port and IP address. In our TIP, we ingest a lot of this type of indicator, which results in a lot of associated observables that are created but are the same and share the same STIX ID (and that aren't merged together).
We found that problem when generating a report export.
An error was raised due to the presence of multiple observables having the same STIX ID:
Environment
Docker version 24.0.7, build afdd53b
Reproducible Steps
Steps to create the smallest reproducible scenario:
1. Import the file with the ImportFileStix connector.
2. Check the observable network-traffic--8101c72f-3fab-572b-9378-d4a8de84ebb1: there should not be any Nested Object on the Knowledge tab.
Actual Output
Expected Output
An observable should have been created if necessary (in our example, of
"type": "ipv4-addr"
and "value": "127.0.0.1"
) and linked back to the observable, see an export example (the line marked with + is the reference that is missing today):

```diff
{
  "type": "bundle",
  "id": "bundle--dd644d2a-ef7d-4ea3-879f-ecaa1af062fc",
  "objects": [
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:CLEAR",
      "definition": { "tlp": "clear" }
    },
    {
      "id": "network-traffic--802413d4-407e-5013-bcee-77eab422b6f2",
      "spec_version": "2.1",
      "x_opencti_description": "Simple observable of indicator {Network traffic to 127.0.0.1 on port 443}",
      "x_opencti_score": 50,
      "dst_port": 443,
      "x_opencti_id": "e1b3e270-a7cc-499c-b48e-65f3d99a4065",
      "x_opencti_type": "Network-Traffic",
      "type": "network-traffic",
      "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ],
+     "dst_ref": "ipv4-addr--679c6c82-b4be-52e2-9c7a-198689f6f77b"
    }
  ]
}
```
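As an added illustration (my own sketch, not OpenCTI's code), the Python below covers both sides of this thread: for the simple AND-only case shown in the expected output, it derives the ipv4-addr and the network-traffic observable with STIX 2.1 deterministic ids and links them through dst_ref; for the cases the maintainer calls undecidable (several observation expressions, OR/FOLLOWEDBY, a *_ref that no value resolves) it returns None, i.e. discards observable creation. The function names and the pattern subset it accepts are assumptions of this example.

```python
import json
import re
import uuid
from typing import Optional

# STIX 2.1 namespace for deterministic SCO ids (UUIDv5 over the id-contributing properties).
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
NT_ID_PROPS = ("start", "end", "src_ref", "dst_ref", "src_port", "dst_port", "protocols")
# One comparison of the accepted subset: object_type:property = 'string' | integer
COMPARISON = re.compile(r"^([\w-]+):([\w.]+)\s*=\s*(?:'([^']*)'|(\d+))$")


def sco_id(sco_type: str, contributing: dict) -> str:
    """Deterministic id; json.dumps(sort_keys) stands in for RFC 8785 canonicalisation
    (equivalent for the flat ASCII values used here)."""
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def observables_from_pattern(pattern: str) -> Optional[list]:
    """Materialise the SCOs implied by a single AND-only network-traffic observation
    expression; return None (discard) when the pattern cannot be decided: several
    observation expressions, OR/FOLLOWEDBY, or a *_ref that no value resolves."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")) or "]" in body[:-1]:
        return None
    comparisons = [c.strip() for c in body[1:-1].split(" AND ")]
    if any(re.search(r"\b(OR|FOLLOWEDBY)\b", c) for c in comparisons):
        return None
    traffic, refs = {}, {}
    for comp in comparisons:
        m = COMPARISON.match(comp)
        if not m or m.group(1) != "network-traffic":
            return None
        prop = m.group(2)
        value = m.group(3) if m.group(3) is not None else int(m.group(4))
        if prop in ("src_port", "dst_port") and isinstance(value, int):
            traffic[prop] = value
        elif prop in ("src_ref.value", "dst_ref.value") and isinstance(value, str):
            refs[prop.split(".")[0]] = value       # the address the reference points to
        else:
            return None                            # e.g. dst_ref.type alone: undecidable
    objects = []
    for ref, addr in refs.items():                 # create the ipv4-addr first ...
        ip = {"type": "ipv4-addr", "id": sco_id("ipv4-addr", {"value": addr}), "value": addr}
        objects.append(ip)
        traffic[ref] = ip["id"]                    # ... then link it via dst_ref/src_ref
    nt = {"type": "network-traffic", **traffic}
    nt["id"] = sco_id("network-traffic", {k: v for k, v in traffic.items() if k in NT_ID_PROPS})
    objects.append(nt)
    return objects
```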