ERROR when creating Indicator Sighting with Bundle
Description
Experiments
- [ERROR] Adding Sighting objects to the end of the bundle (to ensure it is the last item that OpenCTI adds to the platform) and sending that bundle with send_stix2_bundle
- [ERROR] Submitting to OpenCTI separately in 1 work run with a thread sleep (30 sec, 1 min, 5 min). Thus, submitting all other objects (Observables, Indicators, Relationships) first, then sleeping some time, then submitting all Sightings after:
  - send_stix2_bundle(observables)
  - sleep(300)
  - send_stix2_bundle(sightings)
- [OK] Submitting to OpenCTI separately in 2 separate work runs. Thus, submitting all other objects first in 1 run of the connector, waiting (30 sec, 1 min, 5 min), then running the connector again but this time only submitting Sightings

With the settings:
- 2 workers and 2 platforms
- 3 workers and 1 platform

Whatever we do, there is always the Error of Missing Reference, even though we are sure that the required Indicators are created.
Environment
- OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
- OpenCTI version: { e.g. OpenCTI 1.0.2 }
- OpenCTI client: { e.g. frontend or python }
- Other environment details:
Reproducible Steps
Those Sightings/Indicators are not created only one time. We create the Indicator and Sighting, then delete them, and create them again. I'm not sure if the first creation has an error or not, but deleting and creating again for sure raises errors.
Expected Output
Actual Output
Additional information
Screenshots (optional)
Hi @lhviet, can you show us the code that creates your observables, indicators and sightings in STIX2 format? For the id, it is strongly recommended to use the predictive id! Example:

```python
stix_indicator = stix2.Indicator(
    id=Indicator.generate_id(indicator_name),
```
Hi @jborozco, I use the code below to generate the Indicator:

```python
# IndicatorPattern and _OBJECT_TYPE_TO_OBSERVABLE_TYPE_MAP are defined
# elsewhere in the connector.
def create_file_indicator_pattern(object_type: str, value: dict) -> IndicatorPattern:
    # SHA-256 is required; SHA-1 and MD5 are OR-ed into the pattern when present
    pattern = f'[file:hashes.\'SHA-256\' = \'{value["sha256"]}\''
    if "sha1" in value:
        pattern += f' OR file:hashes.\'SHA-1\' = \'{value["sha1"]}\''
    if "md5" in value:
        pattern += f' OR file:hashes.\'MD5\' = \'{value["md5"]}\''
    pattern += "]"
    main_observable_type = _OBJECT_TYPE_TO_OBSERVABLE_TYPE_MAP[object_type]
    return IndicatorPattern(pattern=pattern, main_observable_type=main_observable_type)
```

```python
import stix2
from pycti import Indicator

stix2.Indicator(
    # predictive id derived from the pattern string
    id=Indicator.generate_id(indicator_pattern.pattern),
    created_by_ref=created_by,
    name=name,
    description=description,
    pattern=pattern,
    pattern_type=pattern_type,
    valid_from=valid_from,
    valid_until=valid_until,
    labels=labels,
    confidence=confidence,
    object_marking_refs=object_markings,
    custom_properties=custom_properties,
)
```

And the pattern looks like the below:

```
[file:hashes.'SHA-256' = 'abc' OR file:hashes.'SHA-1' = 'def' OR file:hashes.MD5 = 'xyz']
```
@Megafredo, just FYI, I've seen that you got the info in Slack as well.
Can you provide a complete STIX bundle that you try to ingest and that generates the missing reference? It will be much easier to reproduce and fix if you provide a bundle. Thanks.
Hi @richard-julien, I cannot provide a real bundle because of the information in it. I think I missed one step in between. Those Sightings/Indicators are not created only one time. We create the Indicator and Sighting, then delete them, and create them again. I'm not sure if the first creation has an error or not, but deleting and creating again for sure raises errors.
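The delete-and-recreate scenario above is exactly where a predictive id matters, and a bundle can be checked for dangling references before it is ever handed to send_stix2_bundle. The following is an added example written for this thread; it is not code from the issue, from OpenCTI or from pycti. It uses plain dicts instead of stix2 objects so it runs offline, and it makes these assumptions: ID_NAMESPACE is an illustrative constant (pycti's Indicator.generate_id uses its own namespace and canonicalisation, so use that in a real connector), and PATTERN and ORG_ID are constructed sample values. With random ids, the recreated Indicator gets a new id while the Sighting still points at the id cached from the first run, so the reference is missing; with an id derived from the pattern, the recreated Indicator keeps its id and the Sighting resolves.

```python
"""Pre-flight "missing reference" check for a STIX 2.1 bundle, plus a
re-creation scenario showing why a predictive (deterministic) id matters.

Added example, not code from this issue or from OpenCTI/pycti. Plain dicts
stand in for stix2 objects so it runs offline. Assumptions: ID_NAMESPACE is
an illustrative constant, not pycti's namespace; PATTERN and ORG_ID are
constructed sample values.
"""
import json
import uuid

# Assumption: illustrative namespace, not the one pycti uses.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/opencti-demo")


def deterministic_id(stix_type, **fields):
    """uuid5 over the canonicalised identifying fields: same input, same id."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return f"{stix_type}--{uuid.uuid5(ID_NAMESPACE, canonical)}"


def random_id(stix_type):
    """What stix2 assigns when no id is given: a fresh uuid4 every time."""
    return f"{stix_type}--{uuid.uuid4()}"


def make_indicator(pattern, deterministic):
    ind_id = (deterministic_id("indicator", pattern=pattern.strip())
              if deterministic else random_id("indicator"))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": ind_id,
        "name": "demo file hash indicator",  # constructed sample
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": "2023-01-01T00:00:00Z",
    }


def make_sighting(indicator_ref, sighted_by_ref):
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": deterministic_id("sighting", sighting_of_ref=indicator_ref,
                               where_sighted_ref=sighted_by_ref),
        "sighting_of_ref": indicator_ref,
        "where_sighted_refs": [sighted_by_ref],
        "count": 1,
    }


def bundle_of(*objects):
    return {"type": "bundle", "id": random_id("bundle"), "objects": list(objects)}


def find_missing_refs(bundle, known_ids=frozenset()):
    """Return (object id, property, dangling ref) for every *_ref / *_refs
    value that names neither an object in the bundle nor an id in known_ids
    (ids already on the platform, e.g. the connector identity and markings)."""
    present = {obj["id"] for obj in bundle["objects"]} | set(known_ids)
    missing = []
    for obj in bundle["objects"]:
        for prop, value in obj.items():
            if prop.endswith("_ref"):
                refs = [value]
            elif prop.endswith("_refs"):
                refs = list(value)
            else:
                continue
            missing.extend((obj["id"], prop, ref) for ref in refs if ref not in present)
    return missing


# Constructed sample values.
PATTERN = "[file:hashes.'SHA-256' = 'abc' OR file:hashes.'SHA-1' = 'def']"
ORG_ID = "identity--0f3b0b68-2a16-4c3e-8f3f-9d1c6c9b1c11"  # assumed to exist on the platform


def recreate_scenario(deterministic):
    """Run 1 creates the indicator and caches its id. The indicator is then
    deleted and recreated; the sighting is built from the cached id."""
    first = make_indicator(PATTERN, deterministic)
    cached_id = first["id"]
    # ... indicator deleted on the platform, connector runs again ...
    recreated = make_indicator(PATTERN, deterministic)
    sighting = make_sighting(cached_id, ORG_ID)
    return find_missing_refs(bundle_of(recreated, sighting), known_ids={ORG_ID})


if __name__ == "__main__":
    print("deterministic ids, missing refs:", recreate_scenario(True))
    print("random ids, missing refs:", recreate_scenario(False))
```

The checker flags created_by_ref and object_marking_refs too unless the identity and marking ids that already live on the platform are passed in known_ids, which is the same distinction OpenCTI makes when it resolves a bundle: a reference has to match either an object in the bundle or one it has already stored.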
Hi @lhviet! We wanted to follow up to check if you are still experiencing the problem. If we are unable to reproduce the bug within the next few days, we may need to close this ticket.
Please let us know at your earliest convenience. Thank you again for your valuable feedback. We truly appreciate your contribution in helping us improve.