[RST Cloud - Report Hub] Several issues #2767
Comments
Lhorus6
added
bug
romain-filigran
added
community support
|
Hi @Lhorus6! thanks for your comments! Based on these comments and previous experience with clients, I believe you may still have the AlienVault connector enabled. When both connectors are enabled, and data from OTX arrives after reports are imported from the Report Hub (some reports we provide are also covered by OTX), this leads to a merge in OpenCTI, which creates the extra 'related-to' entries and makes everything look weird. Answering to all comments. Feel free to reach out [email protected]
We provide 'targets' relationships between intrusion sets/malware and countries/sector where this can be extracted from the context by the engine. Sometimes countries are mentioned in the context that a particular IP is located in 'Country A'. This does not mean that the intrusion set is 'related-to', 'originated-from', or 'targets' this country. All of these 3 relationships are supported by the engine but not always are set.
When possible the engine adds 'uses' between the 'intrusion-sets' and 'attack-patterns'. This is a standard feature. Attaching an example.
If a TI report contains indicators of compromise, we create indicators based on them. If the report includes 'noisy' indicators (such as an indicator for putty or other tool that can be dropped by an attacker) or, for example, well-known domains/URLs used for geo-location (when, let's say, a stealer checks if it is allowed to operate in a certain country), we create these objects as Observables. So far this logic was ok for the clients and we did not have a request to duplicate each indicator with a corresponding observable.
Please provide more information on which particular object is not being created, including the error description. This is not normal. Should be 0 errors.
This is exactly how it is done. Each human-readable report is transformed into a STIX bundle, which includes a Report object with notes and all other associated objects. The only thing is that we keep referencing all objects as then you can see in what reports you can find information on what object. It’s possible that, in step 4, the actual Report object is not created.
We have added markings as per your request. Please re-download.
Thanks. We’ve added 'Author' to our unique patterns and Notes. For the T* patterns, clients usually sync them from MITRE anyway, and our values are only used for mapping with the MITRE definitions. |
|
Hi @k1r10n,
I filtered on “Creator”, which means that all objects (entities and relationships), whether or not they were merged afterwards, have been created by your connector. The merge does not create extra object, it simply deduplicates.
100% agree. If you're already doing 'originated-from', or 'targets' relationships when you have the information, that's perfect. It only requires to stop creating 'related-to' relationships in this case.
That's great, in this case I'll give you the same answer as before. Just avoid making any more 'related to' relationships.
A good practice is to always create an Observable when you create an Indicator (the reverse is not true). This comes from the fact that functionalities are linked to Observables. For example, many enrichment connectors run on Observables, and not on Indicators. Having only Indicators can limit users. It's not a duplication. The two entities are closely related, but they represent different things and meet different needs.
Indeed, sorry, I should have provided it in the first place. On rechecking, it appears that I no longer have any errors. When I look in the logs of my container at the time I created this issue, I find this log (perhaps unrelated) for 4 days in a row:
I think we can consider this point resolved ✅
You're right, I now have reports with all the information. Indeed, it's possible that it's linked to point 4. Each object is linked to a report, so the External Reference may only be applied to the report. Both ways are acceptable.
Solved too ✅
Thank you! Solved ✅
Thank you! Solved ✅ TLDRAll that remains are points 1, 2 and 3. Points 1 and 2 are blocking because they create relationships that create "noise" in the database and can cause misunderstanding for users and potentially distort dashboard values. |
|
@Lhorus6 Regarding points 1 and 2, I believe I need to elaborate more. The 'related-to' relationship is not just noise; it serves a purpose. It just so happens that many integrations overuse 'related-to' everywhere. Which relationship would you choose for a text like 'Malware A avoids infecting Russia, Belarus, and other CIS countries'? This might lead you to conclude that the authors of the malware are possibly from the CIS, but in doing so, you lose the connection to the named countries and the fact that the malware does not attack these particular entities in this region. I'm sure you can think of several other cases where neither 'originated-from' nor 'targets' would be appropriate. Also, 'targets' and 'originated-from' are basic types. We will further expand our engine capabilities to automatically extract relationships like 'authored-by', 'variant-of', 'downloads', 'drops', etc., but for now, we have recorded them as 'related-to'. Additionally, the STIX 2.1 taxonomy cannot fully cover all types of relationships, so 'related-to' serves as a fallback in some cases. We could create custom types (and the standard allows for that), but then we would face interoperability issues, as different Threat Intel Platforms would need to interpret these new 'custom' relationships. It would be nice to get your view on this. Our RST Report Hub engine isn't perfect, as it is a machine that parses near all public threat intelligence articles and reports, and there are fluctuations. However, if the same task was assigned to 5 analysts, I doubt they would avoid making any mistakes or complete the task at the same speed (if they could even complete it at all, given there are more than 40,000 articles on the topic annually). Additionally, the cost of having the machine pre-parse the data is about 30 times cheaper than hiring 5 people. So, we currently aim to handle the heavy lifting and leave really detailed refinements to the user. Regarding point 3, I think we can add a configuration option for the connector: create_observables: True|False in the next release. It hasn't been a priority for our clients so far, but it’s cheap to add, and I believe there are cases where people may want it. |
Indeed, 'related-to' is a kind of garbage relationship, as it exists between any type of entity.
My opinion would be: no relation at all.
My opinion is that if you choose to represent different information using the same type of relationship, these relationships will be useless. This is because when you'll see these relations, you'll have no idea what they mean, as they can represent many different things + statistics on them won't make sense. So my advice would be not to create them. What do you think?
I couldn't agree with you more!!
There is no subject at this level. I'm not familiar with your tool, but looking at the data that comes in, it seems effective yes. I'm only talking about modeling choices here, not the efficiency of your tool.
It could be perfect. Many connectors leave the choice like this. So, the creation of the Observable, and the relationship "Indicator -> Based on -> Observable". |
helene-nguyen
added
the
solved
Description
Many issues have been identified. As is, the connector can be deployed in production but its quality is very low.
Blocking problem
Non-blocking problem
Other improvements
Environment
OCTI 6.3.5
Reproducible Steps
Steps to create the smallest reproducible scenario:
The text was updated successfully, but these errors were encountered: