
Where to look for the custom properties in OpenCTI

Open Umamahesh-Loginsoft opened this issue 2 years ago • 3 comments

Prerequisites

  • [ ] I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
  • [ ] I went through old GitHub issues and couldn't find anything relevant
  • [ ] I googled the issue and didn't find anything relevant

Description

I added the custom properties using the convention "x_opencti_fieldname". I didn't get any error when I pushed them into OpenCTI, but I couldn't find where to look for these custom properties in OpenCTI.

Environment

  1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. OpenCTI version: { e.g. OpenCTI 1.0.2 }
  3. OpenCTI client: { e.g. frontend or python }
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. { e.g. Run ... }
  2. { e.g. Click ... }
  3. { e.g. Error ... }

Additional information

Umamahesh-Loginsoft • Sep 23 '22 13:09

OpenCTI doesn't accept custom properties. If you try to integrate an unsupported field, it will just be ignored by the platform.

richard-julien • Sep 23 '22 13:09

> OpenCTI doesn't accept custom properties. If you try to integrate an unsupported field, it will just be ignored by the platform.

Okay thanks for the update!

But what about this allow_custom = True? [image]

Umamahesh-Loginsoft • Sep 23 '22 13:09

> OpenCTI doesn't accept custom properties. If you try to integrate an unsupported field, it will just be ignored by the platform.

Here is the sample data.

In this data, how do I map the sixgill_-related fields like sixgill_actor, sixgill_confidence, etc., and the MITRE tactic-related details in external references?

    {
      "created": "2022-06-04T14:51:21.481Z",
      "description": "Shell access to this domain is being sold on dark web markets",
      "external_references": [
        {
          "description": "Mitre attack tactics and technique reference",
          "mitre_attack_tactic": "Resource Development",
          "mitre_attack_tactic_id": "TA0042",
          "mitre_attack_tactic_url": "https://attack.mitre.org/tactics/TA0042/",
          "mitre_attack_technique": "Acquire Infrastructure",
          "mitre_attack_technique_id": "T1583",
          "mitre_attack_technique_url": "https://attack.mitre.org/techniques/T1583/",
          "source_name": "mitre-attack"
        }
      ],
      "id": "indicator--a984ee43-7a0b-4084-a4ee-45fc210f4217",
      "labels": [
        "compromised",
        "shell",
        "webshell",
        "Establish & Maintain Infrastructure",
        "Compromise 3rd party infrastructure to support delivery"
      ],
      "lang": "en",
      "modified": "2022-06-04T14:51:21.481Z",
      "object_marking_refs": [
        "marking-definition--41eaaf7c-0bc0-4c56-abdf-d89a7f096ac4",
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
      ],
      "pattern": "[domain-name:value = 'dummy.police.gov.bd']",
      "sixgill_actor": "nemoxxx",
      "sixgill_confidence": 90,
      "sixgill_feedid": "darkfeed_001",
      "sixgill_feedname": "compromised_sites",
      "sixgill_postid": "6f98571e3e3f6b08d9ad6df634cc2b3e03879243",
      "sixgill_posttitle": "Test Site https://dummy.police.gov.bd",
      "sixgill_severity": 70,
      "sixgill_source": "market_magbo",
      "spec_version": "2.0",
      "type": "indicator",
      "valid_from": "2022-05-30T01:53:54Z"
    }

Umamahesh-Loginsoft • Sep 23 '22 14:09


@richard-julien Can you help me on this?

Umamahesh-Loginsoft • Sep 28 '22 08:09
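
Since the reply in this thread says unsupported fields are ignored, one way to keep the vendor context is to move it into spec-defined STIX fields before pushing. This is an added example, not OpenCTI or Sixgill code and not part of the original thread; the function names are hypothetical, and it assumes the platform keeps `description` and spec-shaped `external_references`.

```python
# Added example, not OpenCTI or Sixgill code. Property names are from the STIX 2.0/2.1 specs.
SPEC_INDICATOR_PROPS = set(
    "type spec_version id created_by_ref created modified revoked labels "
    "confidence lang external_references object_marking_refs granular_markings "
    "extensions name description indicator_types pattern pattern_type "
    "pattern_version valid_from valid_until kill_chain_phases".split())
SPEC_EXTREF_PROPS = {"source_name", "description", "url", "hashes", "external_id"}

def normalize_external_reference(ref):
    """Rebuild vendor mitre_attack_* keys as spec-shaped references."""
    base = {k: v for k, v in ref.items() if k in SPEC_EXTREF_PROPS}
    rebuilt = []
    for kind in ("tactic", "technique"):
        if ref.get(f"mitre_attack_{kind}_id"):
            entry = {"source_name": base.get("source_name", "mitre-attack"),
                     "external_id": ref[f"mitre_attack_{kind}_id"],
                     "url": ref.get(f"mitre_attack_{kind}_url"),
                     "description": ref.get(f"mitre_attack_{kind}")}
            rebuilt.append({k: v for k, v in entry.items() if v})  # drop absent keys
    return rebuilt or [base]  # no vendor keys: keep the spec-defined part

def fold_custom_properties(indicator):
    """Return (spec-only indicator, sorted names of the custom keys moved)."""
    clean = {k: v for k, v in indicator.items() if k in SPEC_INDICATOR_PROPS}
    custom = {k: v for k, v in indicator.items() if k not in SPEC_INDICATOR_PROPS}
    if custom:  # assumption: description is kept, so vendor context goes there
        extra = "\n".join(f"{k}: {custom[k]}" for k in sorted(custom))
        clean["description"] = f"{clean.get('description', '')}\n\n{extra}".strip()
    refs = [r for ref in indicator.get("external_references", [])
            for r in normalize_external_reference(ref)]
    if refs:
        clean["external_references"] = refs
    return clean, sorted(custom)

SAMPLE = {  # trimmed copy of the indicator posted in this thread
    "type": "indicator", "id": "indicator--a984ee43-7a0b-4084-a4ee-45fc210f4217",
    "description": "Shell access to this domain is being sold on dark web markets",
    "pattern": "[domain-name:value = 'dummy.police.gov.bd']",
    "external_references": [{
        "source_name": "mitre-attack", "mitre_attack_tactic_id": "TA0042",
        "mitre_attack_tactic": "Resource Development",
        "mitre_attack_technique_id": "T1583",
        "mitre_attack_technique": "Acquire Infrastructure",
        "mitre_attack_technique_url": "https://attack.mitre.org/techniques/T1583/"}],
    "sixgill_actor": "nemoxxx", "sixgill_confidence": 90, "sixgill_severity": 70,
}

if __name__ == "__main__":
    print(*fold_custom_properties(SAMPLE), sep="\n")
```

The second return value lists the keys that would otherwise have been dropped without an error, which is worth logging on every push.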