
[api/front] Add organizations restrictions on top of markings to increase data segregation possibilities (#2188)

Open richard-julien opened this issue 2 years ago • 3 comments

richard-julien avatar Sep 01 '22 19:09 richard-julien

Codecov Report

Base: 65.38% // Head: 64.77% // Decreases project coverage by -0.60% :warning:

Coverage data is based on head (9165fb2) compared to base (88d8c0c). Patch coverage: 47.09% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2317      +/-   ##
==========================================
- Coverage   65.38%   64.77%   -0.61%     
==========================================
  Files         262      265       +3     
  Lines       16406    16760     +354     
  Branches     3234     3329      +95     
==========================================
+ Hits        10727    10857     +130     
- Misses       5679     5903     +224     
Impacted Files Coverage Δ
...pencti-platform/opencti-graphql/src/config/conf.js 73.55% <ø> (ø)
...cti-platform/opencti-graphql/src/database/utils.js 95.09% <0.00%> (-0.47%) :arrow_down:
...-platform/opencti-graphql/src/domain/enrichment.js 46.15% <ø> (ø)
...i-platform/opencti-graphql/src/domain/indicator.js 48.45% <ø> (ø)
...latform/opencti-graphql/src/domain/observedData.js 37.50% <ø> (ø)
...cti-platform/opencti-graphql/src/domain/opinion.js 65.21% <ø> (ø)
...ncti-platform/opencti-graphql/src/domain/report.js 76.08% <ø> (ø)
...encti-platform/opencti-graphql/src/domain/rules.ts 96.42% <ø> (ø)
...ncti-platform/opencti-graphql/src/domain/status.ts 45.71% <ø> (ø)
...opencti-graphql/src/domain/stixCoreRelationship.js 52.03% <ø> (ø)
... and 44 more


codecov[bot] avatar Sep 04 '22 16:09 codecov[bot]

Curious if, overall, the proposed changes would allow me to mark an IP Address (or any other entity, but just pulling IP Addr as an example) such that it is:

  • TLP:AMBER+STRICT within my organization (as that might be what "internal restrictions" I might place on anything shared from an external source at TLP:GREEN with my org)
  • TLP:GREEN within "CTI sharing group 1", where someone might have shared it at TLP:GREEN level to me
  • TLP:RED within "CTI sharing group 2", where someone else might have independently shared it TLP:RED with my org as audience

ckane avatar Sep 05 '22 05:09 ckane

To clarify a bit, it's ongoing work, so we need to re-define the semantics a bit :)

  • Group = a set of markings. A user can be assigned to multiple groups and so gets a combination of granted markings.
  • Organization = the company of a user. A user could be inside multiple organizations. So the PR is more about adding Organization restrictions on top of Group restrictions.

Organization restrictions are another level on top of markings. For me, TLP:AMBER+STRICT is a first STIX approach to this problem because it means AMBER but for MY ORG only. For info, we decided to do it like markings: no organization = all organizations.

The big difference between groups and organizations is that groups/markings are exclusive and organizations are inclusive. For example, user definitions:

  • USER01 is part of GROUP_GREEN (TLP:GREEN) - inside organizations COMPANY01
  • USER02 is part of GROUP_RED (TLP:RED) - inside organizations COMPANY01
  • USER03 is part of GROUP_GREEN (TLP:GREEN) - inside organizations RESTRICT

Data: some use cases

  • IP address 8.8.8.8 created with TLP:GREEN -> USER01, USER02 and USER03 all have access.
  • IP address 8.8.8.8 created with TLP:GREEN + COMPANY01 orga restrictions -> Only USER01 and USER02 have access.
  • IP address 8.8.8.8 created with TLP:RED + COMPANY01 orga restrictions -> Only USER02 has access.

So for your "CTI sharing group 1", I think it will be modeled as an Organization (type circle/sharing) that will have some sub-organizations, for example COMPANY01 + COMPANY02. So if you add the orga restrictions to "CTI sharing group 1", both organizations will have access to the IP.

Hope this helps to understand our vision on this subject. :)

richard-julien avatar Sep 05 '22 10:09 richard-julien
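One way to model the group/organization rule richard-julien describes above, as an added example that is not OpenCTI's own code: group membership grants a set of markings (exclusive: every marking on the entity must be granted), while organization membership is inclusive (no restriction means every organization; otherwise sharing one organization, directly or through a parent sharing circle, is enough). The organization tree, the marking sets per group, COMPANY02 and USER04 are constructed for the example.

```javascript
// Added example (not OpenCTI code). Org tree, group marking sets and USER04 are constructed.
// child -> parent; "CTI sharing group 1" is a circle org with COMPANY01/COMPANY02 as sub-orgs.
const ORG_PARENTS = { COMPANY01: 'CTI_SHARING_GROUP_1', COMPANY02: 'CTI_SHARING_GROUP_1',
  CTI_SHARING_GROUP_1: null, RESTRICT: null };
// Group = a set of markings (GROUP_RED is assumed to also grant the lower TLP levels).
const GROUP_MARKINGS = { GROUP_GREEN: ['TLP:GREEN'], GROUP_RED: ['TLP:GREEN', 'TLP:AMBER', 'TLP:RED'] };
// Users from the comment, plus USER04 (constructed) in COMPANY02 for the sharing-circle case.
const USERS = {
  USER01: { groups: ['GROUP_GREEN'], organizations: ['COMPANY01'] },
  USER02: { groups: ['GROUP_RED'], organizations: ['COMPANY01'] },
  USER03: { groups: ['GROUP_GREEN'], organizations: ['RESTRICT'] },
  USER04: { groups: ['GROUP_GREEN'], organizations: ['COMPANY02'] },
};

// Union of the markings granted by all of the user's groups.
function grantedMarkings(user) {
  return new Set(user.groups.flatMap((g) => GROUP_MARKINGS[g] ?? []));
}

// An organization plus all of its parents, so being in COMPANY01 also counts as CTI_SHARING_GROUP_1.
function orgAncestors(org) {
  const out = [];
  for (let cur = org; cur; cur = ORG_PARENTS[cur] ?? null) out.push(cur);
  return out;
}

function canAccess(user, entity) {
  // Markings are exclusive: every marking on the entity must be granted to the user.
  const granted = grantedMarkings(user);
  if (!entity.markings.every((m) => granted.has(m))) return false;
  // Organizations are inclusive: no restriction = all organizations;
  // otherwise sharing one organization (directly or via a parent) is enough.
  if (entity.organizations.length === 0) return true;
  const orgs = new Set(user.organizations.flatMap(orgAncestors));
  return entity.organizations.some((o) => orgs.has(o));
}

// Sorted ids of the users able to see the entity.
function whoCanAccess(entity) {
  return Object.keys(USERS).filter((id) => canAccess(USERS[id], entity)).sort();
}

// Entity factory for the 8.8.8.8 use cases from the comment.
const ip = (markings, organizations) => ({ value: '8.8.8.8', markings, organizations });
```

Calling `whoCanAccess(ip(['TLP:RED'], ['COMPANY01']))` reproduces the third use case (only USER02), and restricting to `CTI_SHARING_GROUP_1` lets both sub-organizations through.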

This PR is good for me.

SamuelHassine avatar Oct 25 '22 09:10 SamuelHassine