Observables : expiration date #58

Closed
Fred-certeu opened this issue Jun 11, 2019 · 6 comments
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)

@Fred-certeu commented Jun 11, 2019

Problem to Solve

We use it for selecting observables at SOC level: filter out observables which are too old.

Current Workaround

N/A

Proposed Solution

Calculate an expiration date based on:

  • the last observed date
  • the type of observable (e.g. IP, domain, URL, etc)
  • the TLP

CERT-EU can propose a logic

Additional Information

N/A

@SamuelHassine SamuelHassine added the feature use for describing a new feature to develop label Jun 19, 2019
@HarishHary
Can you explain more about the logic used for this here? How do you plan to compute an expiration date?

@Fred-certeu (Author)
We have a logic in our current platform, but we need to revise it based on a few years of experience.
This logic works if the observable source doesn't provide any expiration date.

For each observable, the expiration date is equal to: last observed + TTL (time to live)

The TTL is calculated based on:

  • observable type
  • kill chain
  • TLP

Here is how it works now:

IP addresses
TLP = RED --> TTL = 120 days
TLP = AMBER and killchain = delivery --> TTL = 15 days
TLP = AMBER and killchain TTL != delivery --> TTL = 60 days
TLP = GREEN or WHITE and killchain = delivery --> TTL = 7 days
TLP = GREEN or WHITE and killchain TTL != delivery --> TTL = 30 days

URLs
TLP = RED --> TTL = 180 days
TLP = AMBER and killchain = delivery --> TTL = 30 days
TLP = AMBER and killchain TTL != delivery --> TTL = 180 days
TLP = GREEN or WHITE and killchain = delivery --> TTL = 15 days
TLP = GREEN or WHITE and killchain TTL != delivery --> TTL = 60 days

etc

We have not yet decided on new values.
We will come back with proposals unless someone wants to propose something.

@SamuelHassine SamuelHassine added this to the Release 2.1.2 milestone Dec 16, 2019
@SamuelHassine SamuelHassine self-assigned this Dec 16, 2019
@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Dec 19, 2019
@HarishHary
@Fred-certeu Can you elaborate more on killchain = delivery and killchain TTL != delivery? Can you provide more information on the other types of IoCs?

@SamuelHassine (Member)
@Fred-certeu, @HarishHary: in the next version, the expiration date will be computed here: https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/src/domain/indicator.js [Line 23].

@SamuelHassine (Member)
Please feel free to open other tickets to add new logic based on other types.

@SamuelHassine (Member)
@HarishHary: For killchainPhase == delivery I implemented the following: isKillChainPhaseDelivery = includes('initial-access', killChainPhasesNames) || includes('execution', killChainPhasesNames) ? 'yes' : 'no';
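The following is an added example, not OpenCTI code and not attached to the indicator.js file linked above. It puts the two pieces of this thread together: the CERT-EU rule "expiration date = last observed + TTL" with the TTL table for IP addresses and URLs from Fred-certeu's comment, and the kill chain mapping from SamuelHassine's comment (a phase of initial-access or execution counts as delivery). The observable type labels (ip, url), the field names on the observable objects (type, tlp, killChainPhases, lastObserved) and the validUntil field used for a source-supplied expiration are assumptions of this example; the sample feed is constructed.

```javascript
// Added example (not OpenCTI code): expiration date = last observed + TTL,
// TTL in days taken from the CERT-EU table in this thread (IP and URL only,
// as those are the rows the thread gives). Type labels and field names are
// constructed for the example.

const DAY_MS = 24 * 60 * 60 * 1000;

// GREEN and WHITE share one row in the table, so WHITE is normalised to GREEN
// before lookup. 'delivery' vs 'other' distinguishes the kill chain phase.
const TTL_TABLE = {
  ip: {
    RED: { delivery: 120, other: 120 },
    AMBER: { delivery: 15, other: 60 },
    GREEN: { delivery: 7, other: 30 },
  },
  url: {
    RED: { delivery: 180, other: 180 },
    AMBER: { delivery: 30, other: 180 },
    GREEN: { delivery: 15, other: 60 },
  },
};

// Same rule as the maintainer's comment: kill chain phases that include
// 'initial-access' or 'execution' count as the delivery phase.
function isKillChainPhaseDelivery(killChainPhaseNames) {
  return killChainPhaseNames.includes('initial-access') || killChainPhaseNames.includes('execution');
}

// TTL in days for one observable, or an error when the table has no row for
// the type: an observable with no rule should fail loudly rather than silently
// never expire (the thread's table ends with "etc", other types are open).
function computeTtlDays(observableType, tlp, killChainPhaseNames) {
  const rows = TTL_TABLE[String(observableType).toLowerCase()];
  if (!rows) throw new Error(`no TTL rule for observable type '${observableType}'`);
  const tlpUpper = String(tlp).toUpperCase();
  const row = rows[tlpUpper === 'WHITE' ? 'GREEN' : tlpUpper];
  if (!row) throw new Error(`unknown TLP '${tlp}'`);
  return isKillChainPhaseDelivery(killChainPhaseNames) ? row.delivery : row.other;
}

// Expiration date for one observable. A source-supplied expiration
// (constructed field `validUntil`) wins, since the thread says the computed
// TTL applies only when the source gives none.
function computeExpirationDate(observable) {
  if (observable.validUntil) return new Date(observable.validUntil);
  const lastObserved = new Date(observable.lastObserved);
  if (Number.isNaN(lastObserved.getTime())) throw new Error('lastObserved is not a valid date');
  const ttlDays = computeTtlDays(observable.type, observable.tlp, observable.killChainPhases || []);
  // Millisecond arithmetic on UTC instants, so local DST changes cannot shift the result.
  return new Date(lastObserved.getTime() + ttlDays * DAY_MS);
}

// The SOC-side filter from the problem statement: keep observables that have
// not yet expired at `now`. An observable expiring exactly at `now` is dropped.
function filterActive(observables, now = new Date()) {
  return observables.filter((o) => computeExpirationDate(o).getTime() > now.getTime());
}

// Constructed sample feed (documentation addresses and an invalid TLD).
const SAMPLE_OBSERVABLES = [
  { id: 'obs-1', type: 'ip', value: '192.0.2.10', tlp: 'RED', killChainPhases: ['command-and-control'], lastObserved: '2019-06-11T00:00:00Z' },
  { id: 'obs-2', type: 'url', value: 'http://example.invalid/a', tlp: 'AMBER', killChainPhases: ['initial-access'], lastObserved: '2019-06-11T00:00:00Z' },
  { id: 'obs-3', type: 'url', value: 'http://example.invalid/b', tlp: 'AMBER', killChainPhases: ['command-and-control'], lastObserved: '2019-06-11T00:00:00Z' },
  { id: 'obs-4', type: 'ip', value: '198.51.100.7', tlp: 'WHITE', killChainPhases: ['execution'], lastObserved: '2019-06-11T00:00:00Z' },
  { id: 'obs-5', type: 'ip', value: '203.0.113.1', tlp: 'GREEN', killChainPhases: [], lastObserved: '2019-06-11T00:00:00Z', validUntil: '2020-01-01T00:00:00Z' },
];

// Ids of the sample observables still active at the given instant.
function activeIdsAt(isoNow) {
  return filterActive(SAMPLE_OBSERVABLES, new Date(isoNow)).map((o) => o.id);
}

for (const o of SAMPLE_OBSERVABLES) {
  console.log(o.id, o.type, o.tlp, 'expires', computeExpirationDate(o).toISOString());
}
console.log('active on 2019-07-01:', activeIdsAt('2019-07-01T00:00:00Z').join(', '));
```

Two design choices worth noting: the table lookup throws for a type it does not know, so a new observable type (domain, hash, etc.) surfaces as an error at ingestion time instead of producing observables that never age out; and the comparison uses strict "expires after now", so an observable whose expiration equals the filter instant is already treated as stale.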
