Malware, File "samples" relationship is the wrong way
Description
It is not possible to create a relationship that denotes that File -> sample -> Malware
However, it is possible to create Malware -> sample -> File. This doesn't make sense, as files are samples of malware, not the other way around.
This is likely related to the following: #1803. In STIX, the 'samples' relationship is actually the 'sample_refs' relationship from Malware -> File. But in OpenCTI, it makes more sense to switch the directionality, since we drop the 'refs' portion.
Perhaps changing the relationship type from sample to sample_of might be clearer
Environment
- OS (where OpenCTI server runs): Ubuntu 18.04
- OpenCTI version: OpenCTI 5.3.7
- OpenCTI client: frontend
- Other environment details:
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Go to the Knowledge graph of a Report that has a File and Malware object
- Attempt to create a "sample" relationship from the File to the Malware object
Expected Output
"sample" relationship is displayed as an option
Actual Output
Only the "linked to" relationship is available
Additional information
Screenshots (optional)
Hey @securitiz
As already mentioned, here's the explanation for why this relationship is this way around. (https://github.com/OpenCTI-Platform/opencti/issues/1805#issuecomment-1013946606)
But I get your point and I'll have a look to make out of sample a sample_of relationship. (same goes for the other non-verb relationships)
Regards
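
The direction question discussed in this thread, as an added example (not OpenCTI's code and not written by either participant): a STIX 2.1 Malware object carries `sample_refs` pointing at File or Artifact observables, and the same data can be read as Malware -> sample -> File or as File -> sample_of -> Malware. The bundle, the function name `sample_edges` and the `sample_of` label (the name proposed in the issue) are assumptions for illustration.

```python
# Constructed sample bundle: one Malware SDO whose sample_refs lists a File SCO,
# an Artifact SCO, a dangling file id and an id of a disallowed type.
M = "malware--11111111-1111-4111-8111-111111111111"
F = "file--22222222-2222-4222-8222-222222222222"
A = "artifact--33333333-3333-4333-8333-333333333333"
DANGLING = "file--44444444-4444-4444-8444-444444444444"
WRONG = "domain-name--55555555-5555-4555-8555-555555555555"

BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "malware", "id": M, "name": "example-family", "is_family": True,
         "sample_refs": [F, A, DANGLING, WRONG]},
        {"type": "file", "id": F, "name": "dropper.bin"},
        {"type": "artifact", "id": A, "mime_type": "application/octet-stream"},
        {"type": "domain-name", "id": WRONG, "value": "example.test"},
    ],
}

# SCO types that STIX 2.1 permits as targets of Malware.sample_refs.
SAMPLE_TYPES = {"file", "artifact"}


def sample_edges(bundle, reverse=False):
    """Expand Malware.sample_refs into (source, label, target) edges.

    reverse=False: Malware -sample-> File    (direction of the STIX property)
    reverse=True:  File -sample_of-> Malware (naming proposed in the issue)
    Returns (edges, rejected): rejected holds refs that are dangling or that
    point at an object type sample_refs does not allow.
    """
    known = {obj["id"] for obj in bundle["objects"]}
    edges, rejected = [], []
    for obj in bundle["objects"]:
        if obj["type"] != "malware":
            continue
        for ref in obj.get("sample_refs", []):
            ref_type = ref.split("--", 1)[0]
            if ref_type not in SAMPLE_TYPES or ref not in known:
                rejected.append(ref)
            elif reverse:
                edges.append((ref, "sample_of", obj["id"]))
            else:
                edges.append((obj["id"], "sample", ref))
    return edges, rejected
```

Both readings carry identical information; only the label and which end is treated as the source differ, which is why a rename to a verb-like label removes the ambiguity without changing the stored data.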