Imported sightings' confidence level is always "5 - Improbable" #6835
Labels
bug
use for describing something not working as expected
Milestone
Comments
misje
added
bug
Jipegien
removed
the
needs triage
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Imported sightings' confidence level is always "5 - Improbable"
Environment
Reproducible Steps
The code in question is an enrichment connector producing a sighting between an observable and a identity (system), using a dummy indicator as sighting_of_ref. The code is not public yet. The connector runs as a user with max confidence set to 100, and confidence is set correctly on other entities and relationships.
I was hoping to provide a minimal STIX JSON example, but OpenCTI fails to import my sighting. There are no errors in the worker logs. The wokbench lists the sighting, but only the observable and entity are available in the database. The JSON is attached. It was produced from an investigation with a simple File observable, System identity and a sighting between them. It was attempted imported using the workbench and ImportFileStix.
sighting.json
Expected Output
The sighting imported from STIX should have the confidence from the user/group running the import/connector.
Actual Output
The confidence is "5 - Improbable", regardless of the user's max confidence level, or the confidence set in STIX. The confidence is correct for entities and relationships.
Additional information
The text was updated successfully, but these errors were encountered: