
[sentinel-intel]: Incorrect File indicator metadata sent to Azure Sentinel resulting in incorrect STIX Pattern #3424

Closed
romain-filigran opened this issue Feb 13, 2025 · 0 comments · Fixed by #3425
Labels: bug (use for describing something not working as expected), filigran support ([optional] use to identify an issue related to a feature developed and maintained by Filigran), solved (use to identify an issue that has been solved; must be linked to the solving PR)

Comments

@romain-filigran (Member)

Description

When converting a File STIX indicator to an Azure tiIndicator, some invalid file metadata is published. This is the case for:

  • filename where we take the name of the STIX indicator and not the file name
  • filesize where we default to 0 because we don't have this property on a STIX tag
  • fileCreatedDateTime where we set the indicator's creation date, which does not correspond to the file's creation date.

This bad mapping results in a bad STIX pattern creation on the Azure Sentinel side like:

`[file:ctime = '2/13/2025 10:11:36 PM +00:00' AND file:hashes.MD5 = '81BBD0D10663DF88CB07BC5EB67EEEB2' AND file:name = '81BBD0D10663DF88CB07BC5EB67EEEB2' AND file:size = '0']`

Todo: Do not fill in such information on files to avoid creating invalid STIX patterns on the Sentinel side.

Environment

OpenCTI version: 6.5.1
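To make the mapping problem concrete, here is an added example (not the sentinel-intel connector's own code): it parses the file hash out of a STIX indicator pattern, builds the tiIndicator file fields the way the report describes (filling fileName, fileSize and fileCreatedDateTime from properties the indicator does not carry), builds them the corrected way (hash fields only), re-derives the STIX pattern Sentinel would produce from each, and flags the three bogus fields before push. The indicator dict, the field names `fileHashType`/`fileHashValue`/`fileName`/`fileSize`/`fileCreatedDateTime` and the pattern rendering are assumptions for illustration.

```python
import re

# Constructed sample shaped like an OpenCTI STIX 2.1 indicator (hypothetical values).
SAMPLE_INDICATOR = {
    "name": "81BBD0D10663DF88CB07BC5EB67EEEB2",
    "created": "2025-02-13T22:11:36.000Z",
    "pattern": "[file:hashes.MD5 = '81BBD0D10663DF88CB07BC5EB67EEEB2']",
}

# STIX 2.1 hash keys may be bare (file:hashes.MD5) or quoted (file:hashes.'SHA-256').
HASH_RE = re.compile(r"file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([0-9A-Fa-f]+)'")


def file_hashes(pattern):
    """Return {ALGORITHM: hex value} for every file hash comparison in a STIX pattern."""
    return {algo.upper(): value for algo, value in HASH_RE.findall(pattern)}


def to_ti_indicator_buggy(indicator):
    """Mapping as the report describes it: file metadata invented from indicator fields."""
    algo, value = next(iter(file_hashes(indicator["pattern"]).items()))
    return {
        "fileHashType": algo.lower(),
        "fileHashValue": value,
        "fileName": indicator["name"],                # indicator name, not a file name
        "fileSize": 0,                                # STIX indicator has no size, defaulted
        "fileCreatedDateTime": indicator["created"],  # indicator created, not file ctime
    }


def to_ti_indicator_fixed(indicator):
    """Corrected mapping: only the properties the STIX pattern actually asserts."""
    algo, value = next(iter(file_hashes(indicator["pattern"]).items()))
    return {"fileHashType": algo.lower(), "fileHashValue": value}


def sentinel_pattern(ti):
    """Re-derive the STIX pattern Sentinel would build from the tiIndicator file fields (assumed shape)."""
    clauses = []
    if "fileCreatedDateTime" in ti:
        clauses.append(f"file:ctime = '{ti['fileCreatedDateTime']}'")
    clauses.append(f"file:hashes.{ti['fileHashType'].upper()} = '{ti['fileHashValue']}'")
    if "fileName" in ti:
        clauses.append(f"file:name = '{ti['fileName']}'")
    if "fileSize" in ti:
        clauses.append(f"file:size = '{ti['fileSize']}'")
    return "[" + " AND ".join(clauses) + "]"


def bogus_file_fields(ti):
    """Pre-push check for the three symptoms in the report; returns a list of findings."""
    problems = []
    if ti.get("fileName", "").upper() == ti["fileHashValue"].upper():
        problems.append("fileName is the hash value")
    if ti.get("fileSize") == 0:
        problems.append("fileSize defaulted to 0")
    if "fileCreatedDateTime" in ti:
        problems.append("fileCreatedDateTime taken from the indicator, not the file")
    return problems
```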

@romain-filigran added the bug, needs triage and filigran support labels, then removed the needs triage label, on Feb 13, 2025
@romain-filigran romain-filigran added this to the Bugs backlog milestone Feb 13, 2025
@helene-nguyen helene-nguyen self-assigned this Feb 20, 2025
@helene-nguyen helene-nguyen linked a pull request Feb 20, 2025 that will close this issue
@helene-nguyen added the solved label Feb 20, 2025