Infrastructure Breaking Investigations
Description
When selecting infrastructure (add only) from a created or existing investigation, all targets are shown/expanded.
Environment
- OS: Ubuntu
- OpenCTI version: 6.0.10
- OpenCTI client: Frontend
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Create a new investigation
- Add entities and select TYPE: INFRASTRUCTURE
- Select and click to expand
- Under "All types of target" select Infrastructure
- Click EXPAND
- Results show ALL
Expected Output
Should only return Infrastructure target
Actual Output
Returns all targets
Additional information
None
Screenshots (optional)
None
Can't reproduce it.
MalwareA targeting multiple entities. MalwareA targeting Infra1. Creating investigation that contains MalwareA. Expand -> Infrastructure. Only Infra1 appears.
Do you have any additional information about your situation?
@Jipegien Please select Type "Infrastructure" when adding entities then expand just the "All types of targets" and choose "Infrastructure", then it displays all targets. Don't use Malware as the example because that doesn't expose the issue.
@explorecti I confirm, I've been able to reproduce, by first adding the entity type = infra in the graph, then choosing to expand only infra, resulting in having not only infrastructures but all other linked entities added to my graph.
Is there an update when this will be fixed?
Hi @explorecti, as you can see, @SarahBocognano assigned herself to the ticket. Before, nobody was working on this. Therefore, this will be fixed soon. The ticket will be updated once done.
Update: This issue is applicable to all entities. Example:
- I add a threat actor in an investigation
- I select this threat actor
- I select "Threat Actor" to expand only
Result: Every other relationship of this entity is expanded too