Comments (2)
Hi there - apologies for the delay in getting back on this. I wanted to update to 6.1.2 from 6.0.10 before looking into it. I have not observed this behavior on my instance before or since updating, so I am not able to make an educated guess based just upon the errors above. It appears there are two errors in the "Actual Output" - first is a failure to connect to abuse.ch, and second is the `MISSING_REFERENCE_ERROR`. The timestamp wasn't included in the connection failure error, so I don't have any way to determine how close these two occurred in time to each other.
It is entirely possible that there could have been a platform update/outage/bug occurring upstream at Malware Bazaar, and the error is a result of corrupted/incomplete data attempted to be consumed from Malware Bazaar during the course of this event.
Would have to see more examples of this happening to get an idea for what is going on. That said, from my experience the Malware Bazaar Recent Additions connector seems to fetch all of the recent additions of the past 60 minutes, regardless of the last connector state (https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/malwarebazaar-recent-additions/src/malwarebazaar-recent-additions.py#L187), and then will try to determine if the entity was already consumed into OpenCTI by performing a query (https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/malwarebazaar-recent-additions/src/malwarebazaar-recent-additions.py#L117) before ingest. In this particular case, the `MISSING_REFERENCE_ERROR` in the `upload_artifact` call suggests that the upload failed and the entity was not constructed (correct me if this assumption is a wrong interpretation of the error message).
So, hypothetically if this occurred once and the connector is configured to attempt a pull multiple times per hour, and then successive attempts to pull recent additions don't fail, then the entities in question can reasonably be presumed to have been consumed successfully.
If you set the log level to `info` instead of `error` for the connector, then if this error keeps occurring over and over, the connector will also report above it which item from Malware Bazaar was attempting to be ingested at that time (https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/malwarebazaar-recent-additions/src/malwarebazaar-recent-additions.py#L92), and in that case the raw data from MBRA can be pulled down and we can look at what is missing from the data.
@ckane I see that you participated in the code "recently". Do you have any idea about how to fix this? For me it might be that some entities are not created before a relationship that links them, but I might be wrong.