Network Object is deduplicating

[sudesh0sudesh]

Description

I was testing a new feed and creating network objects. When a new network object is created or pushed for the same port with a new destination IP, it is not creating a new network object; instead, it is replacing the existing network object's destination IP address. This behavior is not ideal or expected.

Environment

OpenCTI version: 6.2.11

Expected Output

Actual Output

Additional information

Screenshots (optional)

[sudesh0sudesh]

[sudesh0sudesh]

I think deduplication or replacement should be perfromed if atleast two common parameters match and not solely on port number in network object. On the other hand, Maybe be custom observable for port is not a bad idea.

[nino-filigran]

@sudesh0sudesh I would need slightly more information to help out. Could you provide me with reproduction steps (which type of feed are you trying to ingest, its link if possible, if it's ingested through a CSV the mapping of the corresponding CSV...) since reading your ticket and trying to reproduce manually was not successful on my side.

[sudesh0sudesh]

So, I have basically tried creating a connector and feeding it through connector api. Feed is just a network feed. For example, in a network on port 80 multiple devices might start communicating. Here when a new Network object is created with different IP and same port . Instead of creating a new network object. It is simply replace the IP in the network object

[richard-julien]

Can you check if the source is not sending the same stix id?
We will need to have the 2 stix bundles responsible for this situation to try to reproduce.
Thanks

[sudesh0sudesh]

I am sure that It is not sending same stix IDs for network objects because I pushed thousands of them on various ports and it happened to all of them. All of them are created using stix2 library.

[richard-julien]

Hi @sudesh0sudesh. Can you please give us a example of 2 stix bundles that produce this problem ?
Thanks

[sudesh0sudesh]

I don't think i have one @richard-julien , I have modified that connector to do different set of actions. If you need one I can try to reproduce the same. I have tried to ingest data that has port information so converted into network objects

[nino-filigran]

@sudesh0sudesh yes, we would need precise example when this happens to be able to reproduce. Even if it's two example crafted by hand, that would help us.