opencti
Create a new capa to bypass mandatory fields
Problem to Solve
So I found something interesting. If I try to enforce mandatory attributes for the Report entity, it breaks the MITRE Datasets connector. If it breaks MITRE, it likely breaks other connectors handling it.
The reason a user may want to enforce mandatory attributes there is to prevent users from improperly filling out the details of the Report entity.
The error I started getting from the worker logs was:
2023-05-09T22:04:58.235430037Z ERROR:pycti.api:Invalid field createdBy
2023-05-09T22:04:58.235457637Z ERROR:root:{'name': 'ValidationError', 'message': 'Invalid field createdBy'}
2023-05-09T22:04:58.263740311Z ERROR:pycti.api:[SEARCH] Error updating elastic (update)
2023-05-09T22:04:58.263763511Z ERROR:pycti.api:Cannot report expectation
The error pointed to something going wrong with the Author entity or createdBy field.
The end result is that reports might still get output, but certain entities or relationships get excluded from the Report container.
I believe this error might be caused when certain fields in the STIX bundles have a null createdBy field, leading to that data getting excluded upon matching the mandatory attributes rules.
Current Workaround
Undoing the enforcement of mandatory attributes on the Report entity makes the problem go away.
But this means the user becomes unable to make use of the enforce mandatory attributes feature, because it breaks the connectors that handle the Report entity.
Proposed Solution
I believe a sound, interim solution would be to add a new permission that can be added to the Connector Role, that would allow the connector to bypass mandatory field attributes.
A longer-term solution I think should be considered is adopting the concept of internal service users (these handle all backend OpenCTI operations) and regular users. This is because oftentimes what we want to happen for a front-end user is different from what we want for the service user (connector).
Final approach
Create a new capa called "Bypass mandatory fields" that would allow admins to enable some custom mandatory attributes so that their connectors, for instance, will be able to bypass any fields that are marked as required, while analysts will have to comply with filling in the required fields when creating or updating an entity.
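The following is an added illustration of the proposed behaviour, not OpenCTI or pycti code: a toy policy engine where an admin-configured mandatory-attribute list is enforced for an analyst but waived for a user whose role carries a bypass capability. The capability name BYPASS_MANDATORY_FIELDS, the User class, the policy table and the sample bundle are all hypothetical; the only thing taken from the issue is the shape of the "Invalid field createdBy" error and the fact that a STIX report without created_by_ref trips the Report policy.

```python
"""Toy model of mandatory-attribute enforcement with a per-role bypass capa.

Added example, not OpenCTI/pycti code. Capability and attribute names are
hypothetical; the sample bundle below is constructed for the demo.
"""
from dataclasses import dataclass, field


class ValidationError(Exception):
    """Raised when a mandatory attribute is missing and no bypass applies."""


@dataclass
class User:
    name: str
    capabilities: set = field(default_factory=set)


# Hypothetical capability name for the proposed "Bypass mandatory fields" capa.
BYPASS_MANDATORY_FIELDS = "BYPASS_MANDATORY_FIELDS"

# Hypothetical admin-configured policy: attributes an analyst must fill per type.
MANDATORY_ATTRIBUTES = {
    "report": {"name", "published", "createdBy"},
}

# Map STIX 2.1 property names to the attribute names used by the policy.
STIX_TO_ATTRIBUTE = {"created_by_ref": "createdBy"}


def missing_mandatory(entity_type, attributes):
    """Return the sorted list of mandatory attributes that are absent or null."""
    required = MANDATORY_ATTRIBUTES.get(entity_type, set())
    return sorted(a for a in required if attributes.get(a) is None)


def enforce_mandatory(entity_type, attributes, user):
    """Apply the policy: analysts must comply, bypass holders get a pass.

    Returns the list of missing attributes (empty when compliant) and raises
    ValidationError for a user without the bypass capa when anything is missing.
    """
    missing = missing_mandatory(entity_type, attributes)
    if missing and BYPASS_MANDATORY_FIELDS not in user.capabilities:
        # Same message shape as the pycti error quoted in the issue.
        raise ValidationError(f"Invalid field {missing[0]}")
    return missing


def stix_to_attributes(obj):
    """Rename STIX properties to the attribute names the policy talks about."""
    return {STIX_TO_ATTRIBUTE.get(k, k): v for k, v in obj.items()}


def import_bundle(bundle, user):
    """Import each object in a bundle, returning (accepted_ids, rejected_ids)."""
    accepted, rejected = [], []
    for obj in bundle["objects"]:
        try:
            enforce_mandatory(obj["type"], stix_to_attributes(obj), user)
        except ValidationError:
            rejected.append(obj["id"])
            continue
        accepted.append(obj["id"])
    return accepted, rejected


# Constructed sample bundle: one report with an author reference, one without.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "report",
            "id": "report--00000000-0000-4000-8000-000000000010",
            "name": "Example report with author",
            "published": "2023-05-09T22:04:58Z",
            "created_by_ref": "identity--00000000-0000-4000-8000-000000000099",
            "object_refs": [],
        },
        {
            "type": "report",
            "id": "report--00000000-0000-4000-8000-000000000011",
            "name": "Example report with no author",
            "published": "2023-05-09T22:04:58Z",
            "object_refs": [],
        },
    ],
}

ANALYST = User("analyst")
CONNECTOR = User("mitre-connector", {BYPASS_MANDATORY_FIELDS})

if __name__ == "__main__":
    print("analyst  :", import_bundle(SAMPLE_BUNDLE, ANALYST))
    print("connector:", import_bundle(SAMPLE_BUNDLE, CONNECTOR))
```

Run as-is: the analyst import rejects the second report with the same "Invalid field createdBy" error the worker logs show, while the connector role, holding the bypass capa, imports both. Note that the bypass only waives the check; it still reports what was missing, which is the kind of signal an admin would want logged rather than silently swallowed.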