opencti icon indicating copy to clipboard operation
opencti copied to clipboard
verified publisher icon OpenCTI-Platform

ImportFileStix2 - Importing STIX file from within a Grouping does not add the imported objects to the Grouping

Open sweet-mentat opened this issue 1 year ago • 15 comments

Description

Using the ImportFIleStix2 connector to import a STIX file from within a Grouping did not function as expected. It ingested the objects into the OpenCTI system just fine, but it failed to add the ingested objects to the Grouping. After ingesting the file I checked the Knowledge, Entities, and Observables tabs, and nothing was listed.

Environment

  1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. OpenCTI version: 6.2.3
  3. OpenCTI client: frontend
  4. Other environment details:

image

sweet-mentat avatar Aug 05 '24 16:08 sweet-mentat

Hmm, I'm not able to reproduce this issue. Could you go step by step and explain your process? Be sure to:

  • wait that the entities are loaded and appear in the workbench before importing (could take a bit of time)
  • when you validate, if you toggle off the "update the entity" it shold work.

Let me know about the result.

nino-filigran avatar Aug 06 '24 08:08 nino-filigran

I tried this with different stix files and still saw the same results. Here's my process:

  1. Create a Grouping
  2. Navigate to Data tab
  3. Click on the icon to upload a file; choose my stix file
  4. Click on the import icon next to my file.
  5. Select ImportFileStix2 connector
  6. Wait until the status says "ImportFileStix2 41/41" (or however many objects there are)
  7. Check the Observables and Entities tabs in the Grouping - there is nothing
  8. Search OpenCTI for the objects that were supposed to be ingested from the STIX file - they are in the system.

sweet-mentat avatar Aug 06 '24 19:08 sweet-mentat

I also tried this in version 6.2.7 and got the same results. And the objects in the STIX file are new to the system.

sweet-mentat avatar Aug 06 '24 19:08 sweet-mentat

Can you try the following steps?

Create a Grouping Navigate to Data tab Click on the icon to upload a file; choose my stix file Click on the import icon next to my file. Select ImportFileStix2 connector Wait until the status says "ImportFileStix2 41/41" (or however many objects there are) A Workbench should have been created Open the workbench, wait for the entities/observables to appear and validate your workbench Wait for the import to be completed Check the Observables and Entities tabs in the Grouping - it should be updated.

nino-filigran avatar Aug 07 '24 07:08 nino-filigran

https://github.com/user-attachments/assets/a605dd22-7e1f-4b8f-a907-10aee4402294

nino-filigran avatar Aug 07 '24 07:08 nino-filigran

I have the environment variable CONNECTOR_VALIDATE_BEFORE_IMPORT set to false for the Import STIX File Connector. Is it required to be set to true for it to work properly?

sweet-mentat avatar Aug 07 '24 15:08 sweet-mentat

I did switch the CONNECTOR_VALIDATE_BEFORE_IMPORT to true, and followed the steps in the video. Unfortunately it still did not attach the objects to the Grouping :(

sweet-mentat avatar Aug 07 '24 15:08 sweet-mentat

https://github.com/user-attachments/assets/33fa7e6a-74f9-4f33-a968-1678d0f6800c

This is on an out-of-the-box install of the OpenCTI Docker image version 6.2.7

sweet-mentat avatar Aug 07 '24 16:08 sweet-mentat

It seems that you workbench already contains a report: therefore, the list of entities/observable should be in this report and not your grouping. image

nino-filigran avatar Aug 08 '24 14:08 nino-filigran

The entities and observables are in the report, but the relationships are not. I was expecting to add everything in the bundle (including the report) to the grouping. Is this not a good assumption? I wanted to use an Investigation to visualize the bundle, relationships and all. Are you saying that if the stix file contains a container object, nothing will be added to the grouping? If so, I am not in love with that implementation. Not even the report gets attached to the Grouping. For the record, I would still consider this a bug.

sweet-mentat avatar Aug 08 '24 15:08 sweet-mentat

Thanks for your feedback @sweet-mentat. Yes, it's what I'm saying: I've tried to remove manually the report from the workbench & to replace it with the grouping. As a result, all entities have been added to the grouping. I can confirm that if you upload a file in a container & this file already contains a container, the entities in your file will be added to the container of your file.

This behavior seems right to me: ignoring the container in your file and importing the entities present in your file in another container would mean that we override the information contained in your file.

I guess, the middle ground should be to at least add the container present in your file to the container in which you upload your file, so that can easily "link" them. I'll discuss this internally and come back to you.

Few things:

  • if you look at the screenshot above, you can see that no relations are extracted from your document.
  • To perform your investigation, you can still use the report contained in your document, even though I suspect that you wanted only the susbset of entities contained in your document.

nino-filigran avatar Aug 09 '24 08:08 nino-filigran

I definitely agree that ignoring the container in my STIX file is not the way to go. What I was assuming would happen is that all of the objects in my STIX file would be ingested into OpenCTI and added to the grouping. The objects were ingested into OpenCTI, but I would like the report added to the Grouping, and all of the objects in the STIX file to also be added to the grouping - all domain objects, cyber observables, and relationships. I have another file that I was using to test that contained relationships, and they were extracted and ingested into OpenCTI. I did try to use an investigation to view the report, but the report did not include the relationship objects as reference objects. Is this possible? To ingest the report container object with all of it's reference objects attached, and also attach all the objects in the STIX bundle to the grouping? Otherwise, what is the point of importing the STIX file in the context of the grouping?

sweet-mentat avatar Aug 09 '24 16:08 sweet-mentat

Hey @sweet-mentat sorry for my delayed answer. Currently, it's not possible to ingest the report container object with all of it's reference objects attached and attach all the objects in the stix bundle to the grouping. Currently, you would need to import your report. Then create an investigation, in which you add your report, expand it, and add all the entities/refs/relations into your grouping.

Your use case makes sense though, and I'll raise it internally. The fix should be:

  • if a stix file contains a container but is imported in the context of another container, all entities/relationships & object refs in the bundle should also be added to the uploaded container, given that it's an action that we allow through a manual process.

nino-filigran avatar Aug 14 '24 07:08 nino-filigran

This issue should be fixed at the same time that https://github.com/OpenCTI-Platform/opencti/issues/8178 is fixed

JeremyCloarec avatar Oct 16 '24 09:10 JeremyCloarec

yay! thank you!

sweet-mentat avatar Oct 21 '24 22:10 sweet-mentat