
TTPs export from knowledge tab does not work as expected

Open Lhorus6 opened this issue 1 year ago • 3 comments

Description

When we export TTPs from a knowledge tab, we notice that we are exporting relationships. We would expect to export the list of TTPs linked to the intrusion set (so entities, not relations).

Screenshot 2024-04-26 121654

Moreover, given the time it takes to export (it never ends), I wonder which list of relations we're actually exporting. All the platform's relationships?

Environment

OCTI 6.0.10

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Go to an Intrusion Set (that has related TTPs)
  2. Go to the Knowledge tab, then Attack pattern
  3. Export

Screenshot 2024-04-26 120600

Expected Output

Export list of linked TTPs

Actual Output

I don't know

Lhorus6 avatar Apr 26 '24 10:04 Lhorus6

I can reproduce. To be clear, the bug consists of 2 things:

  1. The JSON export takes ages, to the point that we can consider it non-functional.
  2. When trying a JSON export of malware, the file is called "date.xxxZ_Marking_(typeOfEpxort)stix_Core_Objects_full" and not date.xxxZ_Marking(typeOfEpxort)_stix_Core_Relationship_full

nino-filigran avatar Apr 29 '24 07:04 nino-filigran

If I go into a malware view, and click export:

  • if you're on an "entity list view", you would export the list of malware (at least it's my assumption since the file is called date.xxxZ_Marking_(typeOfEpxort)stix_Core_Objects_full)
  • if you're on a "relation view", you would export the list of malware linked to the intrusion set (at least it's my assumption since the file is called date.xxxZ_Marking(typeOfEpxort)_stix_Core_Relationship_full)

As a result, in the panel Attack Pattern, I would expect that:

  • you export the list of attack patterns linked to the intrusion set (entities and not relations).

nino-filigran avatar May 03 '24 08:05 nino-filigran

"you export the list of attack patterns linked to the intrusion set (entities and not relations)." -> This is what I'm expecting, yes

Lhorus6 avatar May 03 '24 08:05 Lhorus6

When trying to reproduce, I now have this error:

image

Is it another issue?

Detailed error when running locally: export-file-stix.py\", line 138, in _process_message\n list_params[\"orderBy\"],\nKeyError: 'orderBy'"}

SouadHadjiat avatar May 13 '24 15:05 SouadHadjiat

Hi @SouadHadjiat, indeed, I tried on demo and testing, and got the same error. It wasn't there before.

Lhorus6 avatar May 13 '24 16:05 Lhorus6