Unknown type "ThreatActorsFiltering"
Prerequisites
- [x] I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
- [x] I went through old GitHub issues and couldn't find anything relevant
- [x] I googled the issue and didn't find anything relevant
Description
I am encountering an issue with frequent GraphQL validation errors clogging my platform logs. The error message repeatedly states:
Unknown type "ThreatActorsFiltering". Did you mean "ThreatActorsOrdering", "ThreatActorConnection", "ThreatActorEdge", "ThreatActorGroup", or "ThreatActorGroupEdge"?
This error seems to be occurring due to a reference to an unknown type in GraphQL queries. The continuous logging of this error is causing excessive log generation and clogging the logs, which affects the overall platform performance and makes it harder to identify other potential issues.
Environment
- OS (where OpenCTI server runs): Ubuntu
- OpenCTI version: 6.2.15
- OpenCTI client: Python
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Run some sort of GraphQL query that includes a type named ThreatActorsFiltering.
- Observe the error generated in the logs with the message about the unknown type.
- The error persists and clogs the logs with multiple entries.
Steps Taken to Mitigate
I have attempted the following steps to resolve the issue, but the error persists:
- Updated to the latest version of OpenCTI (6.2.15).
- Cleaned up and removed unused or outdated connectors.
- Matched the version of the connectors to ensure compatibility with the platform version.
- Cleared the messaging queue to remove any stuck or outdated messages.
Additional Information
- The continuous generation of these errors is affecting the readability of the platform logs.
Attached below is a sample error log for reference:
```json
{
  "category": "APP",
  "errors": [
    {
      "attributes": {},
      "message": "Unknown type \"ThreatActorsFiltering\". Did you mean \"ThreatActorsOrdering\", \"ThreatActorConnection\", \"ThreatActorEdge\", \"ThreatActorGroup\", or \"ThreatActorGroupEdge\"?",
      "name": "GRAPHQL_VALIDATION_FAILED",
      "stack": "GraphQLError: Unknown type \"ThreatActorsFiltering\"..."
    }
  ],
  "inner_relation_creation": 0,
  "level": "error",
  "message": "Unknown type \"ThreatActorsFiltering\"...",
  "operation": "Unspecified",
  "query_attributes": [ [] ],
  "size": 85,
  "source": "backend",
  "time": 6,
  "timestamp": "2024-08-28T13:44:04.632Z",
  "type": "READ_ERROR",
  "user": {
    "group_ids": ["06f043c9-d963-48f1-aabd-75a6b6d7e9a7"],
    "ip": "::ffff:172.18.0.1",
    "organization_ids": ["08dc458d-f8f4-4782-b5f9-1f7b8765ca5a"],
    "socket": "query",
    "user_id": "88ec0c6a-13ce-5e39-b486-354fe4a7084f",
    "user_metadata": {}
  },
  "version": "6.2.15"
}
```
Thank you in advance! Have a nice day!
GraphQL queries that include a type named ThreatActorsFiltering are not correct queries since the filters migration of 5.12.
You should do your queries with the new filters format (use the FilterGroup type). Here is a link to our documentation: https://docs.opencti.io/6.2.X/reference/filters-migration/?h=filters
Hi @Archidoit. Thank you for the answer. I'm not quite sure what you mean by these queries. As far as I know, there aren't any queries running in the deployment, apart from the default ones. We don't have any custom implementations in place right now. This issue seemed to have started on its own some time ago.
@BCS251 Ah yes, I thought you ran your own queries because you wrote 'Run some sort of GraphQL query that includes a type named ThreatActorsFiltering.' in the reproducible steps... So the errors come just by running an instance?
Did you update your client-python and your connectors to the latest version?
Yes, they started occurring at some point during the 5.x.x versions. I initially thought these might be remnants from a decommissioned connector, with these errors remaining in the message queue. However, even after purging the queue and consistently updating to the latest versions, these errors continue to appear. Yes, Python also to the latest version.
Maybe it is due to some connectors (community connectors, ...) that we don't support and that have not been correctly updated after the filters migration... Are you perhaps using such connectors?
I am unsure which of the connectors are community made. I'll have to ask my team. In the meantime I can leave you a list of the connectors I can see in the platform:
- Anyrun Feed
- Anyrun task
- Abuse.ch SSL Blacklist
- Abuse.ch URLhaus
- AbuseIPDB
- Alienvault
- CISA KEV
- CVE
- MISP-feed
- MITRE
- Malpedia
- Malware Bazaar
- Sekoia.io
As far as I can tell, I'm guessing Malpedia and URLhaus could be community-related connectors, but checking the containers I can't see logs similar to the one I find in the platform (Unknown Type ThreatActors...).
Hello @BCS251, Here you can find an exhaustive list of all connectors and whether they have been verified by our team or not. https://filigran.notion.site/OpenCTI-Ecosystem-868329e9fb734fca89692b2ed6087e76 Kind regards, Alice
Hello, Due to a lack of recent activity on this issue, we will proceed to close it for now. We sincerely thank you for your feedback. Please don’t hesitate to reopen the issue if you still have any questions. Kind regards, Alice
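
The thread closes without identifying which client sends the legacy query, but the posted log entry records the caller in its `user` block (`user_id`, `ip`). The following added example, which is not from the thread or from the OpenCTI project, groups `GRAPHQL_VALIDATION_FAILED` entries by caller and unknown type so the most frequent sender stands out. It assumes the platform log holds one JSON object per line; the sample lines, user ids and second IP are constructed.

```python
import json
import re
from collections import defaultdict

UNKNOWN_TYPE = re.compile(r'Unknown type "([^"]+)"')

def summarize_validation_errors(lines):
    """Group GRAPHQL_VALIDATION_FAILED entries by (user_id, ip, unknown type)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines mixed into the log
        if not isinstance(entry, dict):
            continue
        user = entry.get("user") or {}
        ts = entry.get("timestamp")
        for err in entry.get("errors") or []:
            if err.get("name") != "GRAPHQL_VALIDATION_FAILED":
                continue
            match = UNKNOWN_TYPE.search(err.get("message", ""))
            key = (user.get("user_id", "?"), user.get("ip", "?"),
                   match.group(1) if match else "?")
            group = groups[key]
            group["count"] += 1
            if ts:  # ISO-8601 UTC strings sort chronologically
                group["first"] = min(group["first"] or ts, ts)
                group["last"] = max(group["last"] or ts, ts)
    return dict(groups)

def _sample(user_id, ip, ts, name, message):
    # Constructed entry carrying only the fields the summary reads.
    return json.dumps({"level": "error", "timestamp": ts,
                       "errors": [{"name": name, "message": message}],
                       "user": {"user_id": user_id, "ip": ip}})

LEGACY = 'Unknown type "ThreatActorsFiltering". Did you mean "ThreatActorsOrdering"?'
SAMPLE_LINES = [  # constructed: user ids, second IP and second error name are made up
    _sample("user-a", "::ffff:172.18.0.1", "2024-08-28T13:44:04.632Z", "GRAPHQL_VALIDATION_FAILED", LEGACY),
    _sample("user-a", "::ffff:172.18.0.1", "2024-08-28T13:49:04.700Z", "GRAPHQL_VALIDATION_FAILED", LEGACY),
    _sample("user-b", "::ffff:172.18.0.7", "2024-08-28T13:45:00.000Z", "OTHER_ERROR", "unrelated"),
    "plain text line that is not JSON",
]

if __name__ == "__main__":
    for (uid, ip, gql_type), g in sorted(summarize_validation_errors(SAMPLE_LINES).items(),
                                         key=lambda kv: -kv[1]["count"]):
        print(f'{g["count"]:>5}  user_id={uid}  ip={ip}  type={gql_type}  {g["first"]} .. {g["last"]}')
```

Passing an open log file as `lines` works unchanged; the `user_id` with the highest count is the account to look up in the platform, and the first/last timestamps show whether the calls follow a connector's polling interval.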