
Malware info not updating and not displayed everywhere

Open remydewa opened this issue 2 years ago • 3 comments

Description

With our LastInfoSec connector, the malware information on the platform is not updating from our tactic feed. As a reminder, we reported and discussed with Samuel a similar issue with the update of vulnerabilities (via our CVE feed), which has been fixed :). Furthermore, information about malware is not displayed on all pages.

Environment

  1. OS Ubuntu 20.04
  2. OpenCTI version: 5.3.7
  3. OpenCTI client: 5.3.7

Reproducible Steps

I use my LastInfoSec connector (https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/lastinfosec/src) to import updated tactic information about malware every day. Our connector is run with these OpenCTI args:

  • CONNECTOR_UPDATE_EXISTING_DATA: true
  • CONNECTOR_RUN_AND_TERMINATE: true
  • CONNECTOR_ID: 9f4dfabc-e5c2-4a6d-ad64-b854fd2fe2d8
  • CONNECTOR_TYPE: EXTERNAL_IMPORT
  • CONNECTOR_NAME: LastInfoSec-Tactic
  • CONNECTOR_SCOPE: cyber threat intelligen
  • CONFIG_LIS_TACTIC_ENABLED: true
  • CONFIG_LIS_APIKEY: xxx

Expected Output

For this malware example, the description should not be empty, and neither should the TTPs or kill chain phases. (Screenshot from 2022-07-20 11-41-03)

In the Knowledge tab, the "distribution of relations" should be filled too, with the number of vulnerabilities, attack patterns, etc. (Screenshot from 2022-07-20 11-46-49)

The good news (and that's why it's strange): the information is correctly displayed here, so the data from our LastInfoSec Tactic Feed is correctly imported. (Screenshot from 2022-07-20 11-51-24, Screenshot from 2022-07-20 11-51-52)

remydewa · Jul 20 '22 10:07

Issue updated

remydewa · Aug 04 '22 07:08

New upsert policy.

SamuelHassine · Aug 04 '22 16:08

Thanks @SamuelHassine for your answer! I did the changes and it seems to work, but not for all fields. My Formbook page now has a description, I am able to change the is_family property for all malware present in the platform and add kill chain phases to them, but the first_seen and last_seen properties are still set to None while the fields are present in my STIX 2.1 bundle (same problem with intrusion-set). Do you know why?

remydewa · Aug 11 '22 15:08

Hello @remydewa,

For malware first_seen and last_seen, it is a bug. For intrusion set, it should work. Just check that the intrusion set confidence is not higher than the confidence in your bundles.

Kind regards, Samuel

SamuelHassine · Aug 20 '22 11:08
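The confidence point Samuel raises is easy to trip over: with CONNECTOR_UPDATE_EXISTING_DATA set, an object already in the platform with a higher confidence than the incoming one will not take the incoming field values, so first_seen/last_seen stay as they were even though they are in the bundle. The following pre-flight check is an added example written for this thread, not code from OpenCTI, pycti or the LastInfoSec connector. It models the upsert gate as "incoming confidence must be >= stored confidence for the update to apply" (an assumption based on Samuel's advice; OpenCTI's real upsert logic runs server-side and is not reproduced), and the STIX 2.1 bundle and the "existing platform state" dictionary are constructed inline so it runs offline.

```python
"""Pre-flight check for a STIX 2.1 bundle before an external-import connector
pushes it with CONNECTOR_UPDATE_EXISTING_DATA=true.

Added example, not OpenCTI / pycti / LastInfoSec connector code. The
confidence gate is an ASSUMED model: an incoming object only updates a stored
one when incoming confidence >= stored confidence. Sample data is constructed.
"""
from datetime import datetime, timezone

# Fields the thread reports as not updating, per STIX 2.1 SDO type.
WATCHED_FIELDS = {
    "malware": ("description", "is_family", "first_seen", "last_seen", "kill_chain_phases"),
    "intrusion-set": ("description", "first_seen", "last_seen"),
}

# Constructed bundle (hypothetical ids, not real LastInfoSec output).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "malware", "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-0000000000aa",
            "created": "2022-07-20T00:00:00.000Z", "modified": "2022-08-11T00:00:00.000Z",
            "name": "Formbook", "description": "Constructed description for the example.",
            "is_family": True,
            "first_seen": "2016-01-01T00:00:00.000Z", "last_seen": "2022-08-10T00:00:00.000Z",
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"}],
            "confidence": 80,
        },
        {
            "type": "intrusion-set", "spec_version": "2.1",
            "id": "intrusion-set--00000000-0000-4000-8000-0000000000bb",
            "created": "2022-07-20T00:00:00.000Z", "modified": "2022-08-11T00:00:00.000Z",
            "name": "Constructed Group", "description": "Constructed description.",
            "first_seen": "2019-03-01T00:00:00Z", "last_seen": "2022-08-01T00:00:00Z",
            "confidence": 50,
        },
    ],
}

# Constructed "what the platform already holds", keyed by STIX id.
EXISTING = {
    "malware--00000000-0000-4000-8000-0000000000aa": {
        "confidence": 70, "description": None, "is_family": True,
        "first_seen": None, "last_seen": None, "kill_chain_phases": [],
    },
    "intrusion-set--00000000-0000-4000-8000-0000000000bb": {
        "confidence": 85, "description": "Older but higher-confidence text.",
        "first_seen": None, "last_seen": None,
    },
}


def parse_stix_timestamp(value):
    """STIX 2.1 timestamps are RFC 3339 UTC strings ending in 'Z' (fraction optional)."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"timestamp must be an RFC 3339 UTC string ending in Z: {value!r}")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable STIX timestamp: {value!r}")


def validate_bundle(bundle):
    """Return a list of human-readable problems; empty list means the bundle is clean."""
    problems = []
    for obj in bundle.get("objects", []):
        fields = WATCHED_FIELDS.get(obj.get("type"))
        if fields is None:
            continue
        oid = obj.get("id", "<no id>")
        for f in fields:
            if obj.get(f) in (None, "", []):
                problems.append(f"{oid}: missing {f}")
        stamps = {}
        for f in ("first_seen", "last_seen"):
            if f in obj:
                try:
                    stamps[f] = parse_stix_timestamp(obj[f])
                except ValueError as exc:
                    problems.append(f"{oid}: {exc}")
        if len(stamps) == 2 and stamps["first_seen"] > stamps["last_seen"]:
            problems.append(f"{oid}: first_seen is after last_seen")
        conf = obj.get("confidence")
        if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
            problems.append(f"{oid}: confidence must be an integer 0-100, got {conf!r}")
    return problems


def plan_upsert(bundle, existing, default_confidence=0):
    """Predict, per watched object, whether the assumed confidence gate lets it update.

    default_confidence stands in for the connector-level default applied when an
    object carries no confidence (assumption for the model)."""
    plan = {}
    for obj in bundle.get("objects", []):
        fields = WATCHED_FIELDS.get(obj.get("type"))
        if fields is None:
            continue
        oid, current = obj["id"], existing.get(obj["id"])
        if current is None:
            plan[oid] = {"action": "create", "fields": [f for f in fields if f in obj]}
            continue
        incoming = obj.get("confidence", default_confidence)
        stored = current.get("confidence", 0)
        if incoming < stored:  # gate: stored value wins, nothing changes
            plan[oid] = {"action": "skip", "fields": [],
                         "reason": f"incoming confidence {incoming} < stored {stored}"}
            continue
        plan[oid] = {"action": "update",
                     "fields": [f for f in fields if f in obj and obj[f] != current.get(f)]}
    return plan


if __name__ == "__main__":
    for p in validate_bundle(SAMPLE_BUNDLE):
        print("problem:", p)
    for oid, entry in plan_upsert(SAMPLE_BUNDLE, EXISTING).items():
        print(oid, entry)
```

Run it before pushing: a "skip" entry with a confidence reason means raising the bundle's confidence (or lowering the stored one in the platform) is needed before the fields will change; "missing first_seen" means the feed, not the platform, is the place to look.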

Hello @SamuelHassine, just to let you know that it seems to work now! We have first_seen and last_seen in our malware thanks to pycti 5.3.10. I did the change of confidence and it works for intrusion-set too. We also now have platforms in our indicators!

But how do we fix the problem described in the issue: the distribution of relations in our malware is wrong. We don't see the number of vulnerabilities and attack patterns on the Knowledge page... I can open a new issue for that if you want.

Thanks again for your help :)

Rémy

remydewa · Sep 08 '22 09:09