Imported sightings' confidence level is always "5 - Improbable" #6835
Comments
misje
added
bug
Jipegien
removed
the
needs triage
|
As admin, we can't reproduce with this bundle |
|
Hi @misje ! When you validate a workbench in the UI, the confidence level used is the one of the user who validates the workbench. |
|
Could you please check the value in 0-100 (by editing the sighting) for "5-Improbable". |
|
Thank you for looking into this. Since my attempt of reproducing the issue using STIX export and import using the workbench failed, and since it isn't really reproducing the issue through an enrichment connector, I'll create a bare-bones enrichment connector snippet running on the latest release. I'll get back to you with the results. |
|
Here is a very simple example connector. Run with As far as I understand, I should not need to set confidence on entities. The confidence is set to 100 for the admin user for all SDOs and relationships, but not for sightings. I can set the confidence to 100 using the stix property, which is reflected in the platform (at least in the latest version). However, why do I need to do this for sightings and not other objects? |
|
I can't answer this question with certainty.. |
|
The example references all the versions for 6.1.3 as per the OpenCTI docker project, i.e. the latest release. |
|
Here is how it is supposed to work: When the platform ingest a bundle from a connector, the confidence can come from:
If the confidence of the element is set, once ingested it is capped with the confidence of the user associated to the connector. In your case, the sighting has a specific value which is apparently wrong. But what is this value on the 0-100 scale? |
|
Do your sighting end up with the confidence of linked observable ? |
This does not work for sightings.
Observables do not have confidence, as far as I understand. I was told in Slack that it doesn't make much sense (I agree), and it is not visible in the platform. I assume that there is one in the object anyway. If so, what is the confidence on a SCO when it is created in the platform? Is it that of the user, i.e. 100 when admin?
Where can I see this in the platform? Do I have to export the STIX? |
You're right, my bad!
When you edit an object, you can see the full confidence value and not only the admiralty scale. |
|
I'm not sure if this resolves your issue, but we checked how the confidence level of an indicator is set with a connector. Even if the user's confidence level is set to 100, the confidence level of the connector overwrite the indicator's confidence level. You no longer need to set confidence levels in the connectors.
If you override the maximum confidence level for an indicator on the platform, this override takes precedence. But for the sightings, the confidence level and the override must not exist.
Have you set a confidence level for your user? |
|
@misje I see no activity on this ticket for a while. Can we consider this as fixed? Or do you have a different issue? |
|
My solution to this was to set confidence manually to 100 for sightings as a workaround. I don't have time to investigate this any more, I'm sorry. |
|
My bad I misread your comment. The issue still exists then and needs to be fixed. If for relation we manage to have the correct confidence level, there should not be any reason that it's not the case on sightings, which are a type of relation. |
Jipegien
added
the
ingestion
JeremyCloarec
added
the
solved
Description
Imported sightings' confidence level is always "5 - Improbable"
Environment
Reproducible Steps
The code in question is an enrichment connector producing a sighting between an observable and a identity (system), using a dummy indicator as sighting_of_ref. The code is not public yet. The connector runs as a user with max confidence set to 100, and confidence is set correctly on other entities and relationships.
I was hoping to provide a minimal STIX JSON example, but OpenCTI fails to import my sighting. There are no errors in the worker logs. The wokbench lists the sighting, but only the observable and entity are available in the database. The JSON is attached. It was produced from an investigation with a simple File observable, System identity and a sighting between them. It was attempted imported using the workbench and ImportFileStix.
sighting.json
Expected Output
The sighting imported from STIX should have the confidence from the user/group running the import/connector.
Actual Output
The confidence is "5 - Improbable", regardless of the user's max confidence level, or the confidence set in STIX. The confidence is correct for entities and relationships.
Additional information
The text was updated successfully, but these errors were encountered: