Sample ref not created when importing a bundle STIX

[explorecti]

Description

When a user manually ingests a STIX bundle containing a file SCO and a Malware SDO with a sample_refs property containing the STIX ID of the file SCO, a "sample" relationship is not created between the file SCO and Malware SDO.

Environment

1. OS version: CENTOS 7.9
2. OpenCTI version: 5.12.32
3. OpenCTI client: frontend

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Manually ingests a STIX bundle containing a file SCO and a Malware SDO with a sample_refs property containing the STIX ID of the file SCO.

Expected Output

A "sample" relationship should be created between the file SCO and Malware SDO.

Actual Output

No relationship is created

Workaround

No work around.

[jborozco]

@explorecti could you provide us this STIX Bundle so we can try to reproduce the issue ?

[explorecti]

Do to the nature of the STIX data that request is not possible. Please advise further steps if you cannot reproduce the issue, thank you.

[jborozco]

We created a STIX Bundle to reproduce the issue here:
2024-03-11T09 49 45.944Z_TLP ALL_(ExportFileStix2)_Report-Test_full.json

[explorecti]

Perfect @jborozco thank you for taking the time to troubleshoot this issue further. Will this be corrected for the platform 6.0.6 release?

[jborozco]

@explorecti from the file we created, It seems that you need a proper SRO in your bundle to create a relationship.

sample_ref is an SDO attribute proper to malwares, but it is not enough to create a relationship in the platform.

[explorecti]

@jborozco The "sample_ref": [ "file--9be6a529-5444-45e3-8f8c-dd173ca44be7" ] attribute was created and linked to "type": "malware" and "id": "malware--9gh7n530-5278-86e3-7g9b-gg375hj43be9". The issue still remains.