
[BUG/FEATURE] 5.4.0 Upgrade Revoking Indicators w/o valid_until set on upgrade


Description

On upgrade to 5.4.0, any indicators that don't have valid_until set on them (the MISP connector does this, for example) have valid_until set to the value of valid_from. So upon upgrading to 5.4.0 I had 95% of the indicators get revoked this morning.

Environment

  1. OS (where OpenCTI server runs): CentOS Stream 8
  2. OpenCTI version: 5.4.0
  3. OpenCTI client: N/A
  4. Other environment details: Kubernetes Deployment

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Import the attached bundle on 5.3.xx
  2. Upgrade to 5.4.0
  3. valid_until should be stomped and set to valid_from
  4. Indicator is revoked 😕

Expected Output

So 2 things here:

  1. Bug on upgrade
  2. Can we make a platform setting for default indicator lifetime, and write that to the stix json if not set?

Actual Output

Additional information

test bundle

{
    "id": "bundle--4e645764-5b96-4a59-92e4-70115ff5db57",
    "objects": [
        {
            "confidence": 100,
            "created": "2022-11-18T21:37:13.708996Z",
            "description": ":|",
            "id": "indicator--f9a864d7-7e97-4e91-91ff-035ce82177f9",
            "indicator_types": [
                "malicious-activity"
            ],
            "modified": "2022-11-18T21:37:13.708996Z",
            "name": "1.1.1.1",
            "pattern": "[ipv4-addr:value = '1.1.1.1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2022-11-18T13:37:13Z",
            "x_opencti_detection": true,
            "x_opencti_main_observable_type": "IPv4-Addr",
            "x_opencti_score": 100
        }
    ],
    "type": "bundle"
}

Screenshots (optional)

Issue Analytics

  • State: closed
  • Created 10 months ago
  • Comments:8 (5 by maintainers)

Top GitHub Comments

2 reactions
richard-julien commented, Nov 22, 2022

Job done to resolve the situation.

  • valid_from will be computed in this order: valid_from > if not found > created > if not found > current date.

  • valid_until is computed from valid_from + a statically configured TTL (for now; it will be added to the platform settings later), depending on the max TLP and the main observable type.

// TTL_DEFINITION is reconstructed here from how the table below uses it; the
// MARKING_TLP_* keys are OpenCTI's TLP marking identifiers, defined elsewhere in the platform.
type TTL_DEFINITION = {
  target: string[];                    // x_opencti_main_observable_type values this row applies to
  definition?: Record<string, number>; // TTL in days per max TLP marking
  default: number;                     // TTL in days when no TLP marking matches
};

export const DEFAULT_INDICATOR_TTL = 365;
const INDICATOR_TTL_DEFINITION: Array<TTL_DEFINITION> = [
  {
    target: ['IPv4-Addr', 'IPv6-Addr'],
    definition: {
      [MARKING_TLP_CLEAR]: 30,
      [MARKING_TLP_GREEN]: 30,
      [MARKING_TLP_AMBER]: 30,
      [MARKING_TLP_AMBER_STRICT]: 60,
      [MARKING_TLP_RED]: 60,
    },
    default: 60
  },
  {
    target: ['File'],
    default: DEFAULT_INDICATOR_TTL
  },
  {
    target: ['Url'],
    definition: {
      [MARKING_TLP_CLEAR]: 60,
      [MARKING_TLP_GREEN]: 60,
      [MARKING_TLP_AMBER]: 180,
      [MARKING_TLP_AMBER_STRICT]: 180,
      [MARKING_TLP_RED]: 180,
    },
    default: 180
  },
];
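The following is an added example, not code from the OpenCTI project or from the comment above. It implements the valid_from / valid_until rules the maintainer describes (valid_from > created > current date; valid_until = valid_from + a TTL chosen by main observable type and highest TLP marking) and applies them to the indicator from the issue's test bundle, which is also what the issue's "default indicator lifetime written into the STIX JSON" request amounts to. The TTL table is the one posted above, keyed by TLP name. The marking-id lookup, the function names, the fixed "now" date and the revocation check are assumptions made for this example.

```typescript
// Added example, not OpenCTI's own code: the valid_from / valid_until rules from the
// comment above, applied to an indicator of a STIX 2.1 bundle before import.
const DAY_MS = 24 * 60 * 60 * 1000;

// TLP names as OpenCTI displays them, lowest to highest sensitivity.
const TLP_ORDER = ['TLP:CLEAR', 'TLP:GREEN', 'TLP:AMBER', 'TLP:AMBER+STRICT', 'TLP:RED'] as const;
type Tlp = (typeof TLP_ORDER)[number];

// Constructed lookup from marking-definition id to TLP name. The ids are the TLP 1.0
// markings from the STIX 2.1 specification, with TLP:WHITE treated as TLP:CLEAR; the
// real platform resolves markings from its database instead (assumption for this example).
const MARKING_TO_TLP: Record<string, Tlp> = {
  'marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9': 'TLP:CLEAR',
  'marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da': 'TLP:GREEN',
  'marking-definition--f88d31f6-486f-44da-b317-01333bde0b82': 'TLP:AMBER',
  'marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed': 'TLP:RED',
};

interface TtlDefinition {
  target: string[];                          // x_opencti_main_observable_type values
  definition?: Partial<Record<Tlp, number>>; // TTL in days per highest TLP marking
  default: number;                           // TTL in days when no TLP matches
}

// The table posted above, keyed by TLP name instead of marking constant.
const DEFAULT_TTL_DAYS = 365;
const TTL_TABLE: TtlDefinition[] = [
  { target: ['IPv4-Addr', 'IPv6-Addr'], default: 60,
    definition: { 'TLP:CLEAR': 30, 'TLP:GREEN': 30, 'TLP:AMBER': 30, 'TLP:AMBER+STRICT': 60, 'TLP:RED': 60 } },
  { target: ['File'], default: DEFAULT_TTL_DAYS },
  { target: ['Url'], default: 180,
    definition: { 'TLP:CLEAR': 60, 'TLP:GREEN': 60, 'TLP:AMBER': 180, 'TLP:AMBER+STRICT': 180, 'TLP:RED': 180 } },
];

interface StixIndicator {
  type: 'indicator';
  id: string;
  created?: string;
  valid_from?: string;
  valid_until?: string;
  object_marking_refs?: string[];
  x_opencti_main_observable_type?: string;
  [key: string]: unknown;
}

// STIX timestamps may carry microseconds (the issue's bundle does); JS Date only
// understands milliseconds, so truncate the fraction before parsing.
function parseStixTimestamp(ts: string): number {
  return Date.parse(ts.replace(/(\.\d{3})\d+Z$/, '$1Z'));
}

function toStixTimestamp(ms: number): string {
  return new Date(ms).toISOString().replace(/\.000Z$/, 'Z');
}

function highestTlp(markingRefs: string[] = []): Tlp | undefined {
  const tlps = markingRefs.map((id) => MARKING_TO_TLP[id]).filter((t): t is Tlp => t !== undefined);
  if (tlps.length === 0) return undefined;
  return tlps.reduce((max, t) => (TLP_ORDER.indexOf(t) > TLP_ORDER.indexOf(max) ? t : max));
}

function ttlDays(observableType: string | undefined, tlp: Tlp | undefined): number {
  const row = TTL_TABLE.find((r) => observableType !== undefined && r.target.includes(observableType));
  if (row === undefined) return DEFAULT_TTL_DAYS;
  const byTlp = tlp !== undefined ? row.definition?.[tlp] : undefined;
  return byTlp ?? row.default;
}

// valid_from > created > current date, in that order of preference.
function computeValidFrom(ind: StixIndicator, now: Date): string {
  return ind.valid_from ?? ind.created ?? toStixTimestamp(now.getTime());
}

// valid_until = valid_from + TTL; an explicit valid_until is left alone.
function computeValidUntil(ind: StixIndicator, validFrom: string): string {
  if (ind.valid_until !== undefined) return ind.valid_until;
  const days = ttlDays(ind.x_opencti_main_observable_type, highestTlp(ind.object_marking_refs));
  return toStixTimestamp(parseStixTimestamp(validFrom) + days * DAY_MS);
}

function fillIndicatorValidity(ind: StixIndicator, now: Date): StixIndicator {
  const valid_from = computeValidFrom(ind, now);
  return { ...ind, valid_from, valid_until: computeValidUntil(ind, valid_from) };
}

// The platform revokes an indicator once valid_until has passed. With the 5.4.0 bug
// (valid_until copied from valid_from) every such indicator fails this check at once.
function isStillValid(ind: StixIndicator, now: Date): boolean {
  return ind.valid_until !== undefined && parseStixTimestamp(ind.valid_until) > now.getTime();
}

// The indicator from the issue's test bundle: valid_from set, no valid_until, no markings.
const ISSUE_INDICATOR: StixIndicator = {
  type: 'indicator',
  id: 'indicator--f9a864d7-7e97-4e91-91ff-035ce82177f9',
  created: '2022-11-18T21:37:13.708996Z',
  valid_from: '2022-11-18T13:37:13Z',
  x_opencti_main_observable_type: 'IPv4-Addr',
};

// Fixed clock (the date of the comment above) so the output is reproducible.
const NOW = new Date('2022-11-22T00:00:00Z');
const fixed = fillIndicatorValidity(ISSUE_INDICATOR, NOW);
console.log(fixed.valid_from, fixed.valid_until, isStillValid(fixed, NOW));
```

Run it with ts-node or tsx. For the issue's indicator (IPv4-Addr, no markings) the IPv4/IPv6 row's default of 60 days applies, so valid_until becomes 2023-01-17T13:37:13Z and the indicator stays valid, whereas copying valid_from into valid_until, as 5.4.0 did, makes it expired on the spot. To patch a whole bundle before import, map `fillIndicatorValidity` over `bundle.objects` for every object whose `type` is `indicator`.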
0 reactions
richard-julien commented, Nov 22, 2022

Ok, quick status.

  • Invalid valid_until: there is a bug when markings or killChain are in the indicator that prevents the creation or sets valid_until to the current date. Will be fixed.

  • Empty valid_from in bundle: if the bundle doesn't specify a valid_from, it will be set to the valid_until date. Of course, depending on the "Invalid valid_until" problem, it can also be set to the current date.
