
[Crowdstrike] Observable entities in reports are not imported

Open damians-filigran opened this issue 1 year ago • 2 comments

Description

When viewing a report in OCTI, and viewing entities, there will be no observables in the entities screen, even though these existed in the corresponding report in the Crowdstrike platform. The observables will also not be present elsewhere in OCTI, unless another source has ingested them.

Environment

  1. OS (where OpenCTI server runs): SaaS
  2. OpenCTI version: 6.3.5
  3. OpenCTI client: Edge on Mac
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. { e.g. Run ... }
  2. { e.g. Click ... }
  3. { e.g. Error ... }

Expected Output

Actual Output

Additional information

Notes in Notion here

Screenshots (optional)

damians-filigran, Oct 07 '24 03:10

Some other Indicators have also been found missing as imported entities, compared to the original CSA report:

  • Indicators (Personas)
  • Indicators (IP Addresses)
  • Indicators (SHA256 hashes) (e.g. CSA-230966, CSA-210776, CSA-230339)
  • Indicators (Filename) (CSA-210776)
  • Indicators (URLs, sometimes)
  • Indicators (FQL - Falcon Query Language)

Generally found to be present are:

  • Yara rules
  • Domains

damians-filigran, Oct 07 '24 11:10

This is somewhat related as there are times where the connector runs and gets a new report that was just created but the entities aren't created yet so no entities are returned. https://github.com/OpenCTI-Platform/connectors/issues/2756

brett-fitz, Oct 15 '24 15:10

Not sure if it's related to #2756 as we have the same missing observables/indicators with old reports 🤷‍♀️ @romain-filigran I think this issue shouldn't be labeled as a bug, but as an improvement request. I sent to you my investigation's conclusion for further details.

Powlinett, Oct 28 '24 15:10

After investigating, we found that some indicators are missing from the report at the time it’s initially checked, but they must appear in the report later.

Here is the current behavior of the connector:

  • On the CrowdStrike side, the only way to link IOCs to a report is by fetching indicators and locating the reports:[] field to see which reports contain each IOC.
  • Our current connector successfully creates IOCs in the report.
  • However, the reason why IOCs do not appear IMMEDIATELY is that we fetch all reports first, and THEN the IOCs are ingested and added to the report.

Here’s an example of a report’s history:

[Image: report history]

  • November 8: The report is created.
  • November 14: The indicator is added, and everything is up-to-date.

This delay between importing the report and the indicator occurs due to the high volume of indicator data when fetching all indicators from a specific date.

helene-nguyen, Nov 14 '24 16:11
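As an added illustration of the ordering described in the comment above (this is not the connector's code nor the CrowdStrike API; the record shapes, an `id` on reports and a `reports` list on indicators, and all sample values are constructed assumptions), the following inverts the indicator feed by report id, attaches IOCs to reports that were already imported on an earlier run, and keeps the report ids that are referenced but not yet imported so the link can be retried instead of silently dropped:

```python
from collections import defaultdict

# Constructed sample data. The record shapes (an `id` on reports, a `reports`
# list on indicators) are assumptions for this illustration only, not the real
# CrowdStrike Intel API format.
REPORTS_SEEN_NOV_8 = [{"id": "CSA-EXAMPLE-1", "name": "Example adversary report"}]
INDICATORS_SEEN_NOV_14 = [
    {"indicator": "198.51.100.7", "type": "ip_address", "reports": ["CSA-EXAMPLE-1"]},
    {"indicator": "a" * 64, "type": "hash_sha256", "reports": ["CSA-EXAMPLE-1", "CSA-EXAMPLE-2"]},
    {"indicator": "lonely.example", "type": "domain", "reports": []},
]


def index_indicators_by_report(indicators):
    """Invert the indicator feed: report id -> set of IOC values.

    An IOC whose `reports` list is empty cannot be linked to any report this
    way, so it never shows up under a report entry (it is still a valid IOC).
    """
    by_report = defaultdict(set)
    for ioc in indicators:
        for report_id in ioc.get("reports", []):
            by_report[report_id].add(ioc["indicator"])
    return by_report


def attach_indicators(report_store, indicators):
    """Attach IOCs to reports already imported; return report ids that are
    referenced by the feed but missing from the store (retry later)."""
    pending = set()
    for report_id, iocs in index_indicators_by_report(indicators).items():
        if report_id in report_store:
            report_store[report_id]["observables"].update(iocs)
        else:
            pending.add(report_id)
    return pending


def simulate_two_runs():
    """Run 1 imports the report alone (no IOCs yet); run 2 brings the IOCs."""
    store = {}
    for report in REPORTS_SEEN_NOV_8:  # run 1: reports first, observables empty
        store[report["id"]] = {"name": report["name"], "observables": set()}
    count_after_run1 = len(store["CSA-EXAMPLE-1"]["observables"])
    pending = attach_indicators(store, INDICATORS_SEEN_NOV_14)  # run 2
    count_after_run2 = len(store["CSA-EXAMPLE-1"]["observables"])
    return count_after_run1, count_after_run2, pending
```

Between the two runs the report exists in the store with zero observables, which is exactly the window in which the entities view looks empty.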