
[Malpedia] ERROR: User effective max confidence level is insufficient to update this element

Open dominictory opened this issue 1 year ago • 6 comments

Description

ERROR {'name': 'FUNCTIONAL_ERROR', 'message': 'User effective max confidence level is insufficient to update this element'} | timestamp=2024-05-15T07:19:09.436999Z name=Malpedia exc_info=Traceback (most recent call last):
  File "/opt/opencti-connector-malpedia/malpedia/core.py", line 152, in run
    knowledge_importer_state = self._run_knowledge_importer(
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/opencti-connector-malpedia/malpedia/core.py", line 197, in _run_knowledge_importer
    return self.knowledge_importer.run(current_state)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/opencti-connector-malpedia/malpedia/knowledge.py", line 70, in run
    self._process_families()
  File "/opt/opencti-connector-malpedia/malpedia/knowledge.py", line 127, in _process_families
    self._add_intrusion_sets_for_malware_id(malware_id, fam)
  File "/opt/opencti-connector-malpedia/malpedia/knowledge.py", line 220, in _add_intrusion_sets_for_malware_id
    self.helper.api.stix_domain_object.add_external_reference(
  File "/usr/local/lib/python3.11/site-packages/pycti/entities/opencti_stix_domain_object.py", line 1675, in add_external_reference
    self.opencti.query(
  File "/usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py", line 353, in query
    raise ValueError(
ValueError: {'name': 'FUNCTIONAL_ERROR', 'message': 'User effective max confidence level is insufficient to update this element'}

Environment

OpenCTI 6.0.10

Reproducible Steps

Implement Malpedia connector
Create user for Malpedia in group Connectors

Additional information

Connector is creating entities and relationships even with this error.

dominictory avatar May 15 '24 07:05 dominictory

The max confidence level of the associated user does not block creation of objects, only modification of existing ones with a higher confidence level. Do you confirm that already existing objects with a higher confidence level are modified by the connector?

Jipegien avatar May 17 '24 07:05 Jipegien


The connector doesn't seem to be doing much; it created a few entities on the 15th but since then nothing, and a lot of those errors in the logs.

dominictory avatar May 17 '24 07:05 dominictory

Confidence level is currently at entity level. Maybe you, someone else or another connector upgraded the confidence. Can you check the current confidence level of the element that cannot be updated and the confidence level of the user associated to the connector? You can find interesting info in the element history.

richard-julien avatar May 17 '24 12:05 richard-julien


Hey, not seeing this issue anymore but will keep checking! I am however seeing a lot of these:

ERROR [API] Some error occurred during yara rule creation | timestamp=2024-05-20T13:46:23.543435Z name=Malpedia exc_info=NoneType: None attributes={"family_name":"win.bookcodesrat"}

dominictory avatar May 20 '24 13:05 dominictory

I have observed that some of the bundles are not being processed or are rejected by OpenCTI for Malpedia. The connector version and OpenCTI version are 6.1.3.

Error: {'name': 'UNSUPPORTED_ERROR', 'message': 'Cant upsert entity. Too many entities resolved'}


sudesh0sudesh avatar May 23 '24 09:05 sudesh0sudesh

Hi @dominictory, can you give me more details? For example, set the log_level environment variable to "info" and share the executed process; a priori this error occurs when there is a problem with the API request.


Hi @sudesh0sudesh, this is expected behavior and the problem lies in the names and aliases.

In fact, if you have 2 different malware entities corresponding to this set of names and aliases (in your case I see Chrysaor as the name and Pegasus and apk.chryaor as the aliases), then OpenCTI is not able to determine which malware to select and attach the knowledge to.

To solve this problem, simply merge your 2 malware entities or rework the distribution of aliases in your OpenCTI platform so that it matches the Malpedia data source.

Here is an example: in this picture we see that the name is "Lumma Stealer" and the alias is "LummaC2".

And this error occurs because I actually have 2 existing malware entities: "Lumma Stealer" and "LummaC2".

Megafredo avatar May 24 '24 06:05 Megafredo
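As an added example for this thread (not code from the Malpedia connector, pycti or any participant), the following Python models the two refusals discussed above: the "Too many entities resolved" ambiguity Megafredo explains, where an incoming object's name and aliases overlap more than one existing malware, and the confidence-level rule from earlier in the thread, where creation is allowed but updating an entity whose confidence exceeds the connector user's max is refused. The Entity records are constructed sample data, and the case-insensitive matching and the "entity confidence strictly greater than user max" comparison are assumptions for illustration. Run the same logic over an export of your own malware entities to find what to merge before re-enabling the connector.

```python
"""Pre-flight check for a connector bundle against entities already in OpenCTI.

Added example for this thread, not code from the Malpedia connector or pycti.
It models two refusals seen above:
  * 'Cant upsert entity. Too many entities resolved' -- the incoming object's
    name/aliases overlap with more than one existing entity of the same type.
  * 'User effective max confidence level is insufficient' -- exactly one entity
    resolves, but its confidence is above the connector user's max confidence.
    Creation is never blocked, only modification.
Assumptions: matching is case-insensitive on name and aliases, and the
confidence rule is 'entity confidence > user max confidence'. All records are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    entity_type: str
    name: str
    aliases: tuple = ()
    confidence: int = 0


def _names(entity):
    """All identifiers the platform would match on, lower-cased (assumption)."""
    return {entity.name.lower(), *(a.lower() for a in entity.aliases)}


def resolve(incoming, existing):
    """Existing entities of the same type that share a name or alias."""
    wanted = _names(incoming)
    return [e for e in existing
            if e.entity_type == incoming.entity_type and _names(e) & wanted]


def preflight(incoming, existing, user_max_confidence):
    """Predict the platform's decision for `incoming`.

    Returns (verdict, matches). verdict is one of:
      'create'             no match; creation is always allowed
      'update'             one match, user confidence is sufficient
      'confidence_blocked' one match, but its confidence exceeds the user's max
      'ambiguous'          several matches: the upsert is rejected
    """
    matches = resolve(incoming, existing)
    if not matches:
        return "create", matches
    if len(matches) > 1:
        return "ambiguous", matches
    (match,) = matches
    if match.confidence > user_max_confidence:
        return "confidence_blocked", matches
    return "update", matches


# Constructed sample of what might already be in a platform (not live data).
SAMPLE_EXISTING = [
    Entity("Malware", "Lumma Stealer", (), 75),
    Entity("Malware", "LummaC2", (), 50),
    Entity("Malware", "Chrysaor", ("Pegasus",), 100),
]

# Constructed stand-ins for objects a connector bundle might carry.
SAMPLE_INCOMING = {
    "lumma": Entity("Malware", "Lumma Stealer", ("LummaC2",)),
    "chrysaor": Entity("Malware", "Chrysaor", ("Pegasus",)),
    "new_family": Entity("Malware", "win.bookcodesrat"),
}


def demo(user_max_confidence=75):
    """Run the check over the samples; returns {key: verdict} for inspection."""
    return {key: preflight(obj, SAMPLE_EXISTING, user_max_confidence)[0]
            for key, obj in SAMPLE_INCOMING.items()}


if __name__ == "__main__":
    for key, obj in SAMPLE_INCOMING.items():
        verdict, matches = preflight(obj, SAMPLE_EXISTING, 75)
        names = ", ".join(m.name for m in matches) or "-"
        print(f"{key:12} {verdict:20} matches: {names}")
```

With a connector user capped at 75, the "Lumma Stealer"/"LummaC2" pair comes back as ambiguous (merge them or move the alias), "Chrysaor" at confidence 100 is reported as blocked for update (raise the user's max confidence or lower the entity's), and an unknown family is a plain create.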

Thanks @Megafredo. For some reason the Malpedia connector is hitting the rate limit (429) frequently; not sure what changed.

sudesh0sudesh avatar Jun 10 '24 08:06 sudesh0sudesh


sudesh0sudesh avatar Jun 10 '24 09:06 sudesh0sudesh

Hi @sudesh0sudesh, the connector makes a request for each family. If the Malpedia API returns error 429 to indicate that we have reached our request limit, the connector waits 20 s and retries, with a maximum of 3 retries, i.e. up to 1 min for a request. Hence your message is logged at "INFO" and not "ERROR": it will wait at most 1 min for the request, and at first glance this delay is sufficient.

Megafredo avatar Jun 11 '24 06:06 Megafredo
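As an added example (not the Malpedia connector's own code), the following Python shows the retry behaviour described in the comment above, wait 20 s between attempts with at most 3 retries so a single request is stalled for at most 1 min, and adds one refinement the comment does not mention: when the server sends a numeric Retry-After header, that value is used for the pause. The transport is injected and FakeMalpedia is a constructed stand-in for the API, so it runs offline; the URL is a placeholder, not a real endpoint.

```python
"""Retry a Malpedia API request on HTTP 429 (rate limited).

Added example for this thread, not the Malpedia connector's own code. It models
the behaviour Megafredo describes (wait 20 s between attempts, at most 3
retries, so up to 1 min stalled per request) and adds one refinement: when the
server sends a numeric Retry-After header, that value is used for the pause.
The HTTP transport is injected, and FakeMalpedia is a constructed stand-in, so
the example runs offline; PLACEHOLDER_URL is not a real endpoint.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


class RateLimited(Exception):
    """The server still answered 429 after the last permitted retry."""


def fetch_with_retry(send, url, wait_seconds=20, max_retries=3, sleep=time.sleep):
    """Call send(url) until it returns something other than 429.

    One initial attempt plus up to `max_retries` retries, each preceded by a
    pause. Returns (response, waits): `waits` lists every pause in seconds so
    the caller can log how long the request was stalled.
    """
    waits = []
    for attempt in range(max_retries + 1):
        resp = send(url)
        if resp.status != 429:
            return resp, waits
        if attempt == max_retries:
            break  # retry budget spent; fall through to raise
        retry_after = resp.headers.get("Retry-After", "")
        # Honour a numeric Retry-After; otherwise use the fixed pause.
        delay = int(retry_after) if retry_after.isdigit() else wait_seconds
        waits.append(delay)
        sleep(delay)
    raise RateLimited(
        f"{url}: still rate limited after {max_retries} retries "
        f"({sum(waits)} s waited)")


class FakeMalpedia:
    """Constructed stand-in for the API: 429 for the first `limited` calls, then 200."""

    def __init__(self, limited, retry_after=None):
        self.limited = limited
        self.retry_after = retry_after
        self.calls = 0

    def __call__(self, url):
        self.calls += 1
        if self.calls <= self.limited:
            headers = {} if self.retry_after is None else {"Retry-After": str(self.retry_after)}
            return Response(429, headers=headers)
        return Response(200, body='{"family": "win.lumma"}')  # constructed payload


PLACEHOLDER_URL = "https://malpedia.example/api/get/family/win.lumma"  # not a real endpoint


def demo(limited, retry_after=None):
    """Drive fetch_with_retry against a fake server without really sleeping."""
    server = FakeMalpedia(limited, retry_after)
    try:
        resp, waits = fetch_with_retry(server, PLACEHOLDER_URL, sleep=lambda _s: None)
        return {"status": resp.status, "calls": server.calls, "waits": waits}
    except RateLimited:
        return {"status": 429, "calls": server.calls, "waits": None}


if __name__ == "__main__":
    print("two 429s then 200:", demo(2))
    print("always 429:", demo(10, retry_after=5))
```

Two consecutive 429s cost two 20 s pauses and a third request; a server that never stops answering 429 exhausts the budget after four requests and the caller gets a RateLimited exception rather than an indefinite stall, which is the point at which a connector should log at ERROR instead of INFO.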

Yep, I am assuming something changed on the Malpedia side; it was not that frequent previously.

sudesh0sudesh avatar Jun 11 '24 07:06 sudesh0sudesh