Investigation with thousands of entities will not open

Open Jermain-N opened this issue 1 year ago • 4 comments

Description

I have created a grouping that contains 114 reports. The reports, all together, contain 4819 indicators. When I expand the reports in the investigation to show all the indicators, it takes a couple minutes to refresh the page and add the indicators to the investigation.

Environment

  1. OS (where OpenCTI server runs): hosted in Filigran Cloud
  2. OpenCTI version: OpenCTI 6.1.8
  3. OpenCTI client: Frontend
  4. Other environment details: navigating OpenCTI with Chrome v125

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a grouping and add to it a large volume of reports (over 110) that contain, all together, a VERY large volume of indicators (over 4800 indicators).
  2. Create a new investigation.
  3. Add the grouping to the investigation.
  4. Select and expand the grouping.
  5. Select and expand the reports (just expand indicators, not the other elements).
  6. Navigate away from the investigation (e.g. go to a dashboard) OR just refresh the investigation page (press F5).
  7. Error appears on screen.

Expected Output

Expecting the investigation entities to reappear. There is nothing in the documentation detailing an explicit limit on how many entities can be displayed in an investigation.

Actual Output

Error message (see screenshot)

Additional information

I suspect it's the too large volume of entities being displayed that is causing the error.

Screenshots (optional)

image

Jermain-N avatar Jun 04 '24 08:06 Jermain-N

My Investigation simply crashed when I tried to expand (around 6000 IOCs). I'm removing the triage.

nino-filigran avatar Jun 05 '24 07:06 nino-filigran

@nino-filigran Hi Nino, do we have an exact number on how many IOCs can be displayed in the investigation feature?

Jermain-N avatar Jun 19 '24 11:06 Jermain-N

I don't have the answer @Jermain-N but can try to find it. Overall this would not be about IOCs only but about any type of entities.

nino-filigran avatar Jun 19 '24 15:06 nino-filigran

@nino-filigran Yes that was an "abus de langage" on my behalf, the maximum number of any entities in a knowledge graph is the number I'm looking for.

Jermain-N avatar Jun 19 '24 18:06 Jermain-N

Given we have done something in 6.6 to be able to load big graphs by paginating the loading, I'm closing this bug for now.

nino-filigran avatar Apr 02 '25 13:04 nino-filigran

Confirmed: it should now work correctly in 6.6.0, after the major refactoring we've done in the graph code base. Loading has been improved with pagination and progress bar for user feedback.

labo-flg avatar Apr 07 '25 08:04 labo-flg