Decay manager is wrongly skipping computation when revoke score is zero and no decay points are setup #9512

Open
aHenryJard opened this issue Jan 7, 2025 · 0 comments
Description

This warning appears in the log when the Decay manager runs:

{"category":"APP","cause":{"extensions":{"code":"UNSUPPORTED_ERROR","data":{"genre":"BUSINESS","http_status":500,"input":[]}},"message":"Cannot validate an empty or invalid input"},"id":"6f1ca64f-589a-47af-a283-d25fd78482ff","level":"warn","message":"[OPENCTI-MODULE] Error when processing decay, skipping.","source":"backend","timestamp":"2025-01-07T08:44:37.927Z","version":"6.4.5"}

Relates to slack discussion here: https://filigran-community.slack.com/archives/C06CF1N302W/p1736160175127409

Environment

  1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. OpenCTI version: { e.g. OpenCTI 1.0.2 }
  3. OpenCTI client: { e.g. frontend or python }
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Enable decay manager

In Kibana, run (please update the index name if needed):

POST opencti_stix_domain_objects-000001/_create/6f1ca64f-589a-47af-a283-d25fd78482bb
{
    "x_opencti_stix_ids": [],
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "pattern": "[domain-name:value = 'filigran.io']",
    "name": "filigran.io",
    "description": "This is an indicator to reproduce issue",
    "indicator_types": null,
    "valid_from": "2024-11-21T02:02:36.000Z",
    "valid_until": "2025-03-23T02:02:36.000Z",
    "confidence": 50,
    "revoked": false,
    "lang": "en",
    "x_opencti_score": 40,
    "x_opencti_detection": false,
    "x_opencti_main_observable_type": "Domain-Name",
    "x_mitre_platforms": null,
    "created": "2024-01-25T16:15:30.000Z",
    "modified": "2024-11-21T03:10:21.654Z",
    "decay_next_reaction_date": "2024-07-20T15:42:59.416Z",
    "decay_base_score": 40,
    "decay_base_score_date": "2024-11-21T02:02:36.000Z",
    "decay_applied_rule": {
        "decay_revoke_score": 0,
        "decay_pound": 1,
        "decay_lifetime": 122,
        "decay_points": [],
        "decay_rule_id": "9885cb8f-7a65-4a41-95d7-3ec3a26f52a7"
    },
    "decay_history": [
        {
            "score": 90,
            "updated_at": "2024-01-25T16:15:30.000Z"
        },
        {
            "score": 80,
            "updated_at": "2024-04-15T08:48:59.453Z"
        },
        {
            "score": 50,
            "updated_at": "2024-04-15T08:50:03.566Z"
        },
        {
            "score": 20,
            "updated_at": "2024-07-20T15:43:07.905Z"
        },
        {
            "score": 40,
            "updated_at": "2024-11-21T02:02:36.000Z"
        }
    ],
    "entity_type": "Indicator",
    "internal_id": "6f1ca64f-589a-47af-a283-d25fd78482bb",
    "standard_id": "indicator--8a389987-b701-5064-94cb-968bdad74909",
    "creator_id": [
        "c3881ed5-c727-4d4c-a1a7-081957d519ed"
    ],
    "created_at": "2024-04-15T08:48:37.423Z",
    "updated_at": "2024-11-21T03:10:21.654Z",
    "id": "6f1ca64f-589a-47af-a283-d25fd78482bb",
    "base_type": "ENTITY",
    "parent_types": [
        "Basic-Object",
        "Stix-Object",
        "Stix-Core-Object",
        "Stix-Domain-Object"
    ],
    "rel_created-by.internal_id": [
        "31cf3b17-8892-4f92-833a-44c38204d693"
    ]
}

Expected Output

No warning, and the indicator is processed correctly (revoked).

Actual Output

{"category":"APP","cause":{"extensions":{"code":"UNSUPPORTED_ERROR","data":{"genre":"BUSINESS","http_status":500,"input":[]}},"message":"Cannot validate an empty or invalid input"},"id":"6f1ca64f-589a-47af-a283-d25fd78482ff","level":"warn","message":"[OPENCTI-MODULE] Error when processing decay, skipping.","source":"backend","timestamp":"2025-01-07T08:44:37.927Z","version":"6.4.5"}

Additional information

Bug source from first analysis: it's because newStableScore === 0 means false, and so all of that is skipped. So the patch value is empty because of let patch: IndicatorPatch = {}; above. => If score === revoke score, the indicator should be revoked and not have an empty patch.

const newStableScore = model.decay_points.find((p) => (p || indicator.x_opencti_score) < indicator.x_opencti_score) || model.decay_revoke_score;
if (newStableScore) {


@aHenryJard aHenryJard added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Jan 7, 2025
@romain-filigran romain-filigran removed the needs triage use to identify issue needing triage from Filigran Product team label Jan 7, 2025
@romain-filigran romain-filigran added this to the Bugs backlog milestone Jan 7, 2025
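
The falsy-zero behaviour described in the issue, reduced to a stand-alone sketch next to a zero-safe variant. This is an added example, not OpenCTI's code: the interfaces, the function names and the way `revoked` is derived are assumptions made for illustration, and the sample indicator is constructed from the reproduction document above.

```typescript
// Hypothetical, reduced types: only the fields the issue's snippet touches.
interface DecayRule { decay_revoke_score: number; decay_points: number[] }
interface Indicator { x_opencti_score: number; decay_applied_rule: DecayRule }
interface IndicatorPatch { x_opencti_score?: number; revoked?: boolean }

// Constructed sample mirroring the reproduction: revoke score 0, no decay points.
const sample: Indicator = {
  x_opencti_score: 40,
  decay_applied_rule: { decay_revoke_score: 0, decay_points: [] },
};

// Behaviour reported in the issue: `||` and `if (newStableScore)` both treat 0 as "no value".
function buildPatchTruthy(indicator: Indicator): IndicatorPatch {
  const model = indicator.decay_applied_rule;
  const patch: IndicatorPatch = {};
  const newStableScore = model.decay_points
    .find((p) => (p || indicator.x_opencti_score) < indicator.x_opencti_score)
    || model.decay_revoke_score;
  if (newStableScore) {
    patch.x_opencti_score = newStableScore;
    // Assumption: reaching the revoke score means the indicator is revoked.
    patch.revoked = newStableScore <= model.decay_revoke_score;
  }
  return patch; // stays {} when the next score is 0
}

// Zero-safe variant: only `undefined` (no decay point found) falls back to the revoke score.
function buildPatchZeroSafe(indicator: Indicator): IndicatorPatch {
  const model = indicator.decay_applied_rule;
  const found = model.decay_points.find((p) => p < indicator.x_opencti_score);
  const newStableScore = found !== undefined ? found : model.decay_revoke_score;
  return {
    x_opencti_score: newStableScore,
    revoked: newStableScore <= model.decay_revoke_score,
  };
}

// An empty patch is what produces "Cannot validate an empty or invalid input" downstream.
function isEmptyPatch(patch: IndicatorPatch): boolean {
  return Object.keys(patch).length === 0;
}
```

With the sample, `buildPatchTruthy` returns an empty patch and the indicator is never revoked, while `buildPatchZeroSafe` returns score 0 with `revoked: true`.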