Indicator pattern and standard id are not updated through stream sync

Open labo-flg opened this issue 1 year ago • 3 comments

Description

While working on another topic, we added a backend-side test that updates an indicator pattern. This causes an issue in the raw sync tests. See the repro in PR #8610.

Error is

{"category":"APP","errors":[{"attributes":{"genre":"BUSINESS","http_status":400},"message":"Cannot delete the stix element, indicator--ac07b543-765f-57b4-868d-6b2be61629a8 cannot be found.","name":"FUNCTIONAL_ERROR","stack":"GraphQLError: Cannot delete the stix element, indicator--ac07b543-765f-57b4-868d-6b2be61629a8 cannot be found.\n at error (/tmp/raw-start-platform/opencti-graphql/src/config/errors.js:7:10)\n at FunctionalError (/tmp/raw-start-platform/opencti-graphql/src/config/errors.js:94:50)\n at stixDelete (/tmp/raw-start-platform/opencti-graphql/src/domain/stix.js:51:9)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)"}],"inner_relation_creation":0,"level":"error","message":"Cannot delete the stix element, indicator--ac07b543-765f-57b4-868d-6b2be61629a8 cannot be found.","operation":"Unspecified","query_attributes":[[{"arguments":[],"name":"delete"}]],"size":56,"source":"backend","time":6,"timestamp":"2024-10-04T13:30:33.689Z","type":"WRITE_ERROR","user":{"group_ids":["5fb5f176-131f-4db5-9515-34f71e9342ce"],"ip":"::ffff:192.168.192.12","organization_ids":[],"socket":"query","user_id":"88ec0c6a-13ce-5e39-b486-354fe4a7084f","user_metadata":{}},"version":"6.3.5"}

Environment

from [email protected]

details & repro

I've reproduced this issue with 2 opencti platforms synchronizing through live streams.

  • Open a stream in the Source, for indicators created by myself only (to limit the throughput)
  • Listen to this source in the Destination
  • Create an indicator in the source, a domain name with stix pattern [domain-name:value = 'www.some.test'] for instance
  • The indicator appears in the Destination ✅
  • Update the indicator name in the Source
  • The indicator name is updated in the Destination ✅
  • Update the indicator pattern in the Source (=> this causes a stix id change)
  • The indicator pattern and stix id are NOT updated in the Destination ❌
  • Delete the indicator in the Source
  • Error in the Destination: "GraphQLError: Cannot delete the stix element, indicator--ac07b543-765f-57b4-868d-6b2be61629a8 cannot be found."

labo-flg avatar Oct 04 '24 13:10 labo-flg
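
The repro above, replayed against a small model of a destination keyed by standard id. This is an added example, not code from the issue or from OpenCTI: `standardId`, `Destination`, `replay`, the event shape and the second pattern are all hypothetical, and the buggy mode only reproduces the reported symptom (the page does not state the cause).

```javascript
const crypto = require('node:crypto');

// Stand-in for a deterministic standard id derived from the pattern only.
// Not OpenCTI's real id algorithm; it only shares the "new pattern => new id" property.
function standardId(pattern) {
  const hex = crypto.createHash('sha256').update(pattern.trim()).digest('hex');
  return `indicator--${hex.slice(0, 32)}`;
}

// Hypothetical destination store, keyed by standard id.
class Destination {
  constructor(rekeyOnPatternChange) {
    this.rekey = rekeyOnPatternChange;
    this.store = new Map();
  }

  apply({ type, id, data }) {
    if (type === 'create') return this.store.set(id, { ...data });
    const current = this.store.get(id);
    if (!current) throw new Error(`Cannot ${type} the stix element, ${id} cannot be found.`);
    if (type === 'delete') return this.store.delete(id);
    // Update: plain attributes are always applied; the pattern (and the id
    // derived from it) is only applied when re-keying is enabled.
    const { pattern, ...rest } = data;
    Object.assign(current, rest);
    if (pattern !== undefined && this.rekey) {
      current.pattern = pattern;
      this.store.delete(id);
      this.store.set(standardId(pattern), current);
    }
    return current;
  }
}

// Constructed event sequence mirroring the repro steps.
function replay(rekeyOnPatternChange) {
  const p1 = "[domain-name:value = 'www.some.test']";
  const p2 = "[domain-name:value = 'www.other.test']"; // constructed value
  const events = [
    { type: 'create', id: standardId(p1), data: { name: 'some.test', pattern: p1 } },
    { type: 'update', id: standardId(p1), data: { name: 'renamed' } },
    { type: 'update', id: standardId(p1), data: { pattern: p2 } },
    { type: 'delete', id: standardId(p2) }, // the source now uses the new id
  ];
  const dest = new Destination(rekeyOnPatternChange);
  try {
    events.forEach((e) => dest.apply(e));
    return { ok: true, remaining: dest.store.size };
  } catch (err) {
    return { ok: false, remaining: dest.store.size, error: err.message };
  }
}
```

With `replay(false)` the delete fails and a stale indicator stays in the destination; with `replay(true)` the record is re-keyed on the pattern change and the delete succeeds.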

I've tested with reports, changing the name (which causes a change of stix id, similar to pattern for indicators), and it works well. So limited to indicators for now.

labo-flg avatar Oct 04 '24 15:10 labo-flg

It reminds me of something we saw some time ago, could be interesting to test the same with Organizations.

Kedae avatar Oct 10 '24 16:10 Kedae

@labo-flg, just pushed the branch https://github.com/OpenCTI-Platform/opencti/tree/issue/8611 Don't have any time to test the exact repro case for now.

richard-julien avatar Oct 17 '24 11:10 richard-julien

I've tested your branch and it solved the repro case. I'll open a PR and add some unit tests.

labo-flg avatar Oct 25 '24 10:10 labo-flg