
Why `Manufacturing` sector is not present?

Open Tonnulus opened this issue 3 years ago • 6 comments

Prerequisites

  • [x] I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
  • [x] I went through old GitHub issues and couldn't find anything relevant
  • [x] I googled the issue and didn't find anything relevant

Description

Manufacturing sector is not present. But it should be present by default. https://github.com/OpenCTI-Platform/datasets/blob/master/data/sectors.json

[image]

I tried to add it manually (ImportFileStix) without success. I tried to add it via the UI too without success.

opencti-connector logs:

INFO:root:Initiate work for ca2cdb8c-c97c-4491-bd08-6b2b3293c1c8
INFO:root:Update action expectations work_ca2cdb8c-c97c-4491-bd08-6b2b3293c1c8_2022-09-06T08:31:22.528Z - 121
INFO:root:Update action expectations work_ca2cdb8c-c97c-4491-bd08-6b2b3293c1c8_2022-09-06T08:31:22.528Z - 539
INFO:root:Connector successfully run, storing last_run as 1662453082
INFO:root:Reporting work update_received work_ca2cdb8c-c97c-4491-bd08-6b2b3293c1c8_2022-09-06T08:31:22.528Z
INFO:root:Last_run stored, next run in: 7.0 days

connector-import-file-stix logs:

Update action expectations work_c26b9396-683c-4563-8ace-33f4286a3dac_2022-09-06T11:25:34.042Z - 1
Reporting work update_received work_c26b9396-683c-4563-8ace-33f4286a3dac_2022-09-06T11:25:34.042Z
Message (delivery_tag=4) processed, thread terminated

Environment

  1. OS (where OpenCTI server runs): Debian 11
  2. OpenCTI version: 5.3.8
  3. OpenCTI client: WEB
  4. Other environment details:

connector-opencti connector configuration

  connector-opencti:
    image: opencti/connector-opencti:5.3.8
    environment:
      OPENCTI_URL: http://opencti.:8080/opencti
      OPENCTI_TOKEN: ${OPENCTI_C_OPENCTI_TOKEN}
      CONNECTOR_ID: ca2cdb8c-c97c-4491-bd08-6b2b3293c1c8
      CONNECTOR_TYPE: EXTERNAL_IMPORT
      CONNECTOR_NAME: OpenCTI
      CONNECTOR_SCOPE: marking-definition,identity,location,sector,region,country,city
      CONNECTOR_CONFIDENCE_LEVEL: 5
      CONNECTOR_UPDATE_EXISTING_DATA: "true"
      CONNECTOR_RUN_AND_TERMINATE: "false" # update  v5.1.4
      CONNECTOR_LOG_LEVEL: info
      CONFIG_SECTORS_FILE_URL: https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/sectors.json
      CONFIG_GEOGRAPHY_FILE_URL: https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/geography.json
      CONFIG_INTERVAL: 7 # Days

Tonnulus avatar Sep 06 '22 11:09 Tonnulus

Hello @Tonnulus,

Are you sure that the "Manufacturing" alias is not present in any other sectors (due to a bad merging for instance)?

Kind regards, Samuel

SamuelHassine avatar Sep 11 '22 11:09 SamuelHassine

Hello, it is actually present as an alias, as shown in the picture below. But then the taxonomy between our preprod instance and prod is not aligned, which causes our scripts to crash while ingesting intelligence to prod.

[image]

Best,

R3dHash avatar Sep 16 '22 10:09 R3dHash

@R3dHash,

In the history of the entity, which connector / user added this alias to the "Industrial" sector?

Kind regards, Samuel

SamuelHassine avatar Sep 17 '22 11:09 SamuelHassine

@SamuelHassine the history of the entity industrial shows that the MISP connector made changes

[image]

R3dHash avatar Sep 19 '22 17:09 R3dHash

Solution is:

  • Remove the alias
  • Increase the confidence level of the "OpenCTI Datasets" connector to 90
  • Decrease the confidence level of the "MISP" connector to lower than 90
  • Reset the OpenCTI Dataset connector state to re-inject the sectors

You will be good!

SamuelHassine avatar Sep 19 '22 17:09 SamuelHassine

(and be sure to be in the latest version so the confidence levels are taken into account everywhere)

SamuelHassine avatar Sep 19 '22 17:09 SamuelHassine
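
An added example, not part of the original thread or of the OpenCTI project: a check for the situation discussed above, where a sector from the reference dataset exists on an instance only as an alias of another sector. The sample data is constructed, and the `x_opencti_aliases` field name and the `identity_class` value `class` are assumptions about the export format.

```python
# Constructed sample in the shape of a STIX 2.1 bundle of sector identities
# (not the real sectors.json content).
REFERENCE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "identity", "identity_class": "class", "name": "Manufacturing"},
    {"type": "identity", "identity_class": "class", "name": "Industrial"},
    {"type": "identity", "identity_class": "class", "name": "Energy"},
    {"type": "marking-definition", "name": "TLP:CLEAR"},
]}

# Constructed sample: sectors exported from one instance. The alias field name
# x_opencti_aliases is an assumption about the export format.
PLATFORM_SECTORS = [
    {"name": "Industrial", "x_opencti_aliases": ["manufacturing ", "Industry"]},
    {"name": "Energy", "x_opencti_aliases": []},
]


def norm(value):
    """Case- and whitespace-insensitive key for comparing sector names."""
    return " ".join(value.split()).casefold()


def reference_sector_names(bundle):
    """Names of identity objects with identity_class 'class' (assumed to be sectors)."""
    return [o["name"] for o in bundle.get("objects", [])
            if o.get("type") == "identity" and o.get("identity_class") == "class"]


def find_sector_drift(bundle, platform_sectors, alias_key="x_opencti_aliases"):
    """Map each reference sector that is not a standalone entity to
    ("alias_of", owner) or ("missing", None)."""
    names = {norm(s["name"]) for s in platform_sectors}
    alias_owner = {}
    for sector in platform_sectors:
        for alias in sector.get(alias_key) or []:
            alias_owner.setdefault(norm(alias), sector["name"])
    drift = {}
    for name in reference_sector_names(bundle):
        key = norm(name)
        if key in names:
            continue
        owner = alias_owner.get(key)
        drift[name] = ("alias_of", owner) if owner else ("missing", None)
    return drift


if __name__ == "__main__":
    for name, (kind, owner) in find_sector_drift(REFERENCE_BUNDLE, PLATFORM_SECTORS).items():
        print(name, kind, owner or "")
```

Running the same check against exports from both the preprod and the prod instance shows where their taxonomies differ before an ingestion script depends on a sector name.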