[Ransomware live] Create relationships with the wrong sectors #3506

Open
Lhorus6 opened this issue Feb 26, 2025 · 0 comments

Lhorus6 commented Feb 26, 2025

Description

The Ransomware live connector is incorrectly fetching sectors, which makes relationships with the wrong entities. The problem is in this query: https://github.com/OpenCTI-Platform/connectors/blob/881e881c79865291945f8ca1ffc3bdee0dcf1bee/external-import/ransomwarelive/src/lib/ransom_conn.py#L291C7-L292C7

The "search" operator is used instead of "eq". This produces this kind of problem:

If I have the sector "Food and drinks businesses" in my platform and I search with this filter for the sector "Business Services", I can get as a result of my query the sector "Food and drinks businesses" even if I have "Business Services" in my platform.

To make sure to fetch the right sector, the "search" operator should be replaced by "eq".

However, rather than searching for an existing sector, the connector should only create a sector (create the stix object) without worrying about what exists in the platform. This is how the connectors should work.

Environment

OCTI 6.5.3

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Ingest the sectors using the OpenCTI dataset connector
  2. Enable the Ransomware live connector
  3. Review the relationship done by the connector and compare to the relationship that should normally have been made (example with "Food and drinks businesses" vs "Business Services")

Lhorus6 added the "bug" and "needs triage" labels Feb 26, 2025
nino-filigran added the "filigran support" label Mar 4, 2025
romain-filigran removed the "needs triage" label Mar 4, 2025
romain-filigran added this to the Bugs backlog milestone Mar 4, 2025
helene-nguyen added the "to verify" label Mar 7, 2025
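
The mismatch described in this issue, reproduced offline as an added example (not the connector's code and not OpenCTI's search engine). Assumptions: "search" is modelled as a word-prefix match, the lookup keeps the first hit, and the sector list, the namespace UUID and all function names are constructed for illustration.

```python
import re
import uuid

# Constructed sample: sectors already in the platform, in lookup order.
PLATFORM_SECTORS = ["Food and drinks businesses", "Business Services", "Financial Services"]

# Placeholder namespace for this example only (assumption, not the platform's own).
EXAMPLE_NAMESPACE = uuid.UUID("11111111-2222-4333-8444-555555555555")


def _words(text):
    """Lowercase the text and split it into alphabetic words."""
    return re.findall(r"[a-z]+", text.lower())


def search_match(query, name):
    """Toy model of a 'search' filter: any query word prefixes a word of the name."""
    return any(w.startswith(q) for q in _words(query) for w in _words(name))


def eq_match(query, name):
    """Model of an 'eq' filter: the whole name must be identical."""
    return query == name


def lookup_sector(name, operator):
    """Return the first platform sector that matches under the given operator."""
    match = search_match if operator == "search" else eq_match
    hits = [s for s in PLATFORM_SECTORS if match(name, s)]
    return hits[0] if hits else None


def build_sector(name):
    """Approach the issue recommends: emit the sector object without any lookup.

    The id is derived from the normalised name so repeated runs produce the same
    object; the dict is trimmed to the fields that matter here.
    """
    ident = uuid.uuid5(EXAMPLE_NAMESPACE, name.strip().lower())
    return {"type": "identity", "spec_version": "2.1", "id": f"identity--{ident}",
            "name": name.strip(), "identity_class": "class"}


if __name__ == "__main__":
    for op in ("search", "eq"):
        print(op, "->", lookup_sector("Business Services", op))
    print(build_sector("Business Services"))
```

With "search", the word "business" also matches "businesses", so the victim is linked to the food sector even though the exact sector exists; "eq" and the no-lookup path both avoid that.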
5 participants