The Bulk Search is not returning results for objects that match on given values. When looking in Developer Tools at the GraphQL query, I see it searches these fields for the user-provided values:
name
aliases
x_opencti_aliases
x_mitre_id
value
subject
attribute_abstract
hashes.MD5
hashes.SHA-1
hashes.SHA-256
hashes.SHA-512
x_opencti_additional_names
The GraphQL query returns matches, but they are not shown in the GUI. I have looked into the opencti code, and it looks like each object gets a default value, and the user-provided values are matched with these default values. However, sometimes an object will have multiple values that a user would search, like an X509-Certificate or a file. These objects have hashes, so if a user provided a SHA-1 hash, it will show up in the results of the GraphQL query, but not in the bulk search results in the GUI, because the default value is the SHA-256 hash. So the opencti code will try to match the results of the GraphQL query to the user-provided values, and since the default value is the SHA-256 hash, it will not match against the user-provided SHA-1 hash.
Environment
OS (where OpenCTI server runs): Docker image
OpenCTI version: 6.0.8, 6.0.5, 5.12.21
OpenCTI client: frontend
Other environment details:
Reproducible Steps
Steps to create the smallest reproducible scenario:
Find or create an X509-Certificate or File object that has both SHA-1 and SHA-256 hashes.
In bulk search, enter the SHA-1 hash of the object
The SHA-1 hash will show up as unknown
Expected Output
I would expect the user-provided values to match against all of the searched fields to find matches. For example, I would like to be able to find an X509-Certificate in the bulk search by entering a subject, SHA-1, SHA-256, MD5, or SHA-512 hash.
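The mismatch reported above, reduced to a stand-alone sketch. This is an added example, not OpenCTI code: the function names, the `defaultValueOf` helper, the object shape (hashes keyed by algorithm) and the sample certificate are assumptions made for illustration; only the field list comes from the issue.

```javascript
// Added illustration, not OpenCTI code. Field list is the one quoted in the issue.
const SEARCHED_FIELDS = [
  'name', 'aliases', 'x_opencti_aliases', 'x_mitre_id', 'value', 'subject',
  'attribute_abstract', 'hashes.MD5', 'hashes.SHA-1', 'hashes.SHA-256',
  'hashes.SHA-512', 'x_opencti_additional_names',
];

// Resolve a dotted path such as "hashes.SHA-1"; always return an array of strings.
function fieldValues(obj, path) {
  const v = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
  if (v == null) return [];
  return (Array.isArray(v) ? v : [v]).filter((x) => typeof x === 'string');
}

// Case- and whitespace-insensitive comparison (a choice made for this sketch).
const norm = (s) => s.trim().toLowerCase();

// Behaviour described in the issue: compare only against one default value.
function matchOnDefaultValue(terms, results, defaultValueOf) {
  return terms.map((term) => ({
    term,
    matches: results.filter((r) => norm(defaultValueOf(r)) === norm(term)),
  }));
}

// Expected behaviour: index every searched field, then look each term up.
function matchOnAllFields(terms, results) {
  const index = new Map();
  for (const r of results) {
    for (const f of SEARCHED_FIELDS) {
      for (const v of fieldValues(r, f)) {
        const key = norm(v);
        if (!index.has(key)) index.set(key, []);
        if (!index.get(key).includes(r)) index.get(key).push(r);
      }
    }
  }
  return terms.map((term) => ({ term, matches: index.get(norm(term)) ?? [] }));
}

// Constructed sample object (hash values are made-up placeholders).
const cert = {
  entity_type: 'X509-Certificate',
  subject: 'CN=example.test',
  hashes: { 'SHA-1': 'a'.repeat(40), 'SHA-256': 'b'.repeat(64) },
};
const defaultValueOf = (r) => r.hashes?.['SHA-256'] ?? r.name ?? ''; // assumption
```

With the sample certificate, `matchOnDefaultValue` reports the SHA-1 term as having no match, while `matchOnAllFields` resolves the SHA-1 hash and the subject to the same object.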
sweet-mentat added the "bug" and "needs triage" labels on Mar 30, 2024
Thank you for adding to the Release. While I used the X509-Certificate object as an example, there are many objects that fall into this problem. Is the plan to fix it for just the X509-Certificate object, or for all objects?