opencti icon indicating copy to clipboard operation
opencti copied to clipboard
verified publisher icon OpenCTI-Platform

[backend] display created field for csv mapper (#7226)

Open frapuks opened this issue 1 year ago • 2 comments

Proposed changes

  • Remove created from INTERNAL_ATTRIBUTES list
  • Display created field into csv mapper creation form

Related issues

  • close #7226

Checklist

  • [x] I consider the submitted work as finished
  • [x] I tested the code for its functionality
  • [ ] I wrote test cases for the relevant uses case (coverage and e2e)
  • [ ] I added/update the relevant documentation (either on github or on notion)
  • [ ] Where necessary I refactored code to improve the overall quality

Further comments

  • created from INTERNAL_ATTRIBUTES list manage 2 different field : created field in Cases entities, and Original creation date in all other entities.
  • I remove Original creation date manually, not sure it is the best practice

frapuks avatar Aug 06 '24 09:08 frapuks

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 66.14%. Comparing base (031c567) to head (73e4a69). Report is 4 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #7966   +/-   ##
=======================================
  Coverage   66.13%   66.14%           
=======================================
  Files         597      597           
  Lines       60375    60374    -1     
  Branches     6191     6192    +1     
=======================================
+ Hits        39930    39934    +4     
+ Misses      20445    20440    -5

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Aug 07 '24 13:08 codecov[bot]

CURENTLY : We have 2 different attributes with the same name : 'created' :

  • a general attributes referenced in attribute-definition.ts (line 366)
  • a specific attribute referenced for example in case-incident.ts (line 39)
  • The only condition to filter results is based on the INTERNAL_ATTRIBUTES list, created with only the property name

TARGET : The fix should be able to separate these two attributes and only return the second.

PROPOSALS :

  • [ ] remove created.name from INTERNAL_ATTRIBUTES and filter manually the created (general) attribute ? => this PR
  • [ ] update INTERNAL_ATTRIBUTES to list all attribute properties (not only the name) ?
  • [ ] update the name of geneal attribute ?
  • [ ] update the name of specific attribute ?
  • [ ] keep INTERNAL_ATTRIBUTES and filter on the attribute.mandatoryType === 'external' ?

frapuks avatar Aug 26 '24 09:08 frapuks

@frapuks & @SouadHadjiat I'm not sure to understand this issue between create name internal and general. Could you elaborate?

  • I see that a date (incident date/RFI date...) is needed when creating manually a case. Does this "created" attribute correspond to this date field?
  • Can we simply ensure that we have this field displayed in the CSV mapper for these 3 entities? If any of the solutions you offered @frapuks are working then it's good for me.

nino-filigran avatar Sep 10 '24 07:09 nino-filigran

created field is not internal, it's the "original creation date" of the entity and it's part of stix, we have another field createdAt that is the date the entity has been created in the platform (and this is internal). So my question is why created is considered internal? Why don't we display this field in the CSV representation for all entities? @nino-filigran @frapuks

image

image

SouadHadjiat avatar Sep 10 '24 16:09 SouadHadjiat

I think we can indeed add it in the CSV, but not as a mandatory field, especially useful if the entity has been created in the past before being imported in OpenCTI.

nino-filigran avatar Sep 12 '24 08:09 nino-filigran

Decision with @SouadHadjiat and @nino-filigran : Display the field created for all entities.

frapuks avatar Sep 19 '24 06:09 frapuks