[backend/frontend] Threat actor group should not be part-of threat actor individual (#9576) #9649

Open
wants to merge 2 commits into
base: master

SarahBocognano
Member

Proposed changes

  • Restrict relation between a group and an individual
  • Some UI in details, the goal section was a mess (title not truncated, resulting in a bad UI if long goal name)

Related issues

@SarahBocognano SarahBocognano added the filigran team use to identify PR from the Filigran team label Jan 20, 2025
@SarahBocognano SarahBocognano self-assigned this Jan 20, 2025

codecov bot commented Jan 20, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.25%. Comparing base (9298197) to head (3bd5d9b).
Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9649      +/-   ##
==========================================
- Coverage   65.26%   65.25%   -0.02%     
==========================================
  Files         630      630              
  Lines       60244    60237       -7     
  Branches     6760     6762       +2     
==========================================
- Hits        39319    39307      -12     
- Misses      20925    20930       +5     


@labo-flg
Member

@SarahBocognano there is a bit more to do to solve the issue.

  1. The model should be as follows:

TAI -> part of -> TAG
TAI -> cooperates with -> TAG
TAI -> derived from -> TAG
TAI -> related to -> TAG
TAG -> cooperates with -> TAI
TAG -> derived from -> TAI
TAG -> related to -> TAI

  2. Default relation: cooperates with (available on both directions)

  3. Implement a migration to turn all the relationships that are no longer possible to the generic related-to type.

Member

@labo-flg labo-flg left a comment

partial solution; see my comment in the PR.

const context = executionContext('migration');
logApp.info('[MIGRATION] Transform invalid relationships to "related-to"');

// Définition des relations valides avec direction
Member

in English please :)

Comment on lines +28 to +40
const invalidRelationshipsQuery = {
bool: {
must_not: validRelations.map((relation) => ({
bool: {
must: [
{ term: { 'fromType.keyword': relation.fromType } },
{ term: { 'toType.keyword': relation.toType } },
{ term: { 'relationship_type.keyword': relation.relationType } },
],
},
})),
},
};
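Review bot: the bool query on lines +28 to +40 has only a must_not clause, so nothing restricts it to relationships between a threat actor group and a threat actor individual; it matches every document outside validRelations. Since the migration then turns its matches into related-to, add a filter on fromType.keyword and toType.keyword for the two threat-actor types alongside the must_not, or list the forbidden combinations explicitly.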
Member

I'm not sure I understand. This query will give you all relationships that are NOT one of the validRelations above, am I right?

If so, you would also get valid relationships not listed in your array, like a campaign targeting a country.

Can't you instead search for invalid relationships directly?
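
One way to select only the now-forbidden relationships, as the last comment suggests, written as an added example that is not code from this PR or from the project. The field names come from the snippet under review; the entity type strings and the hyphenated relationship names are assumptions expanding TAI, TAG and the model listed earlier in the thread.

```javascript
// Added example, not code from the PR. Type strings below are assumptions.
const TAI = 'Threat-Actor-Individual'; // assumed expansion of "TAI"
const TAG = 'Threat-Actor-Group'; // assumed expansion of "TAG"

// Allowed model from the thread, as [fromType, relationship_type, toType].
const ALLOWED = [
  [TAI, 'part-of', TAG],
  [TAI, 'cooperates-with', TAG],
  [TAI, 'derived-from', TAG],
  [TAI, 'related-to', TAG],
  [TAG, 'cooperates-with', TAI],
  [TAG, 'derived-from', TAI],
  [TAG, 'related-to', TAI],
];

// Group allowed relationship types by direction (from -> to).
function allowedByDirection(allowed = ALLOWED) {
  const dirs = new Map();
  for (const [from, type, to] of allowed) {
    const key = `${from}|${to}`;
    if (!dirs.has(key)) dirs.set(key, { from, to, types: [] });
    dirs.get(key).types.push(type);
  }
  return [...dirs.values()];
}

// Query that matches only TAI/TAG relationships whose type is not allowed
// for their direction; everything else in the index is left alone.
function buildInvalidQuery(allowed = ALLOWED) {
  const should = allowedByDirection(allowed).map(({ from, to, types }) => ({
    bool: {
      filter: [
        { term: { 'fromType.keyword': from } },
        { term: { 'toType.keyword': to } },
      ],
      must_not: [{ terms: { 'relationship_type.keyword': types } }],
    },
  }));
  return { bool: { should, minimum_should_match: 1 } };
}

// Same decision evaluated locally, for checking the model without a cluster.
function needsMigration(rel, allowed = ALLOWED) {
  const dir = allowedByDirection(allowed)
    .find((d) => d.from === rel.fromType && d.to === rel.toType);
  return Boolean(dir) && !dir.types.includes(rel.relationship_type);
}
```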
