
[Mandiant] Connector not parsing reports

Open ay1988 opened this issue 2 years ago • 3 comments

Description

The connector is not able to parse reports returned from the API and not adding them to OpenCTI.

Environment

OpenCTI version 5.3.10

Additional information

Below is a log showing the connector is making the API calls to the reports endpoint with 200 result code, getting results, but not processing them. This is also verified in OpenCTI as no reports are appearing in the UI.

DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.intelligence.fireeye.com:443
INFO:root:URL URL + LIMIT https://api.intelligence.fireeye.com/v4/reports?limit=100
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.intelligence.fireeye.com:443
DEBUG:urllib3.connectionpool:https://api.intelligence.fireeye.com:443 "GET /v4/reports?limit=100&next=xxxxxxxxxxxxx==&start_epoch=1662163200 HTTP/1.1" 200 None
INFO:root:Result of reports found 9 and to process 0
INFO:root:No more results

ay1988 Sep 08 '22 20:09

@ay1988 News analysis is a report Mandiant is trying to make STIX compatible in the near future, and I know currently the integration cannot process those. Another big issue is not having the capability to filter the reports we would like to index, and I'll add that capability next week, because the daily vulnerability reports contain way too much data. If you can share an ID of those reports I'll be happy to test and validate it next week.

RaulSokolova Sep 09 '22 19:09

@TheImmigrant Thanks for the prompt update. The API currently doesn't have the capability to filter reports by type via a parameter in the request, but reports can be filtered from the API output; they come under Objects -> report_type. There are 20+ different types of reports in addition to News Analysis and Vulnerability Reports; we found that none of the types are being processed by the connector. Examples of report IDs: 22-00018039, 22-00013977, 22-00003683

ay1988 Sep 09 '22 22:09
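The client-side filtering suggested above (the API has no report_type request parameter, so the check has to run over the returned objects), as an added example that is not the connector's own code: it follows the `next` cursor across pages of `/v4/reports` and keeps only allowed report types. The response shape (an `objects` list plus a `next` cursor), the `report_id` field and the report_type strings other than News Analysis and Vulnerability Report are assumptions; the pages below are constructed stand-ins for API responses.

```python
# Added example, not code from the OpenCTI Mandiant connector.
# Assumed page shape: {"objects": [...], "next": "<cursor, absent on last page>"}.
from typing import Callable, Iterable

# A fetch callable takes query params and returns one decoded JSON page (hypothetical).
Fetch = Callable[[dict], dict]


def filter_reports(objects: Iterable[dict], allowed_types: set[str]) -> list[dict]:
    """Keep only objects whose report_type is in the allow-list (client-side filter)."""
    return [o for o in objects if o.get("report_type") in allowed_types]


def collect_reports(fetch: Fetch, allowed_types: set[str],
                    start_epoch: int, limit: int = 100) -> tuple[int, list[dict]]:
    """Walk the endpoint via the `next` cursor; return (total found, kept after filter)."""
    params = {"limit": limit, "start_epoch": start_epoch}
    found, kept = 0, []
    while True:
        page = fetch(params)
        objects = page.get("objects", [])
        found += len(objects)
        kept.extend(filter_reports(objects, allowed_types))
        cursor = page.get("next")
        if not cursor or not objects:  # no cursor or empty page: stop paging
            break
        params = {**params, "next": cursor}
    return found, kept


# Constructed sample pages; IDs are the ones quoted in the thread, types are assumed.
SAMPLE_PAGES = {
    None: {"objects": [{"report_id": "22-00018039", "report_type": "News Analysis"},
                       {"report_id": "22-00013977", "report_type": "Threat Activity Alert"}],
           "next": "page2=="},
    "page2==": {"objects": [{"report_id": "22-00003683", "report_type": "Vulnerability Report"}]},
}


def fake_fetch(params: dict) -> dict:
    """Stand-in for the HTTP GET; selects the constructed page by cursor."""
    return SAMPLE_PAGES[params.get("next")]


if __name__ == "__main__":
    found, kept = collect_reports(fake_fetch, {"Threat Activity Alert"}, start_epoch=1662163200)
    print(f"Result of reports found {found} and to process {len(kept)}")
```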

@ay1988 I just tested the connector with a new build and it's processing reports fine. Can you please try these steps?

  1. Set these parameters:
    • MANDIANT_COLLECTIONS=report
    • MANDIANT_IMPORT_START_DATE=2022-09-12
  2. Reset the state.
  3. Start the connector again.


RaulSokolova Sep 14 '22 17:09

@SamuelHassine, we probably can close this one.

RaulSokolova Oct 05 '22 13:10