[Recorded Future] Invalid valid_from/valid_until logic affecting decay mechanisms on OpenCTI Platform #3245
Labels: bug, filigran support
Description
A problem has been identified in the RF connector that could potentially impact other connectors and compromise best practices for developing import connectors.
Problem:
The valid_from and valid_until fields generated in Python within the RF connector logic are not predictive, contrary to the expectations of the OpenCTI platform's mechanisms. These fields, like IDs, must always be predictive. Otherwise, it is preferable to leave them empty, allowing the platform to populate them with its algorithms and rules.
Currently, using now for these fields when no data is provided disrupts the decay logic and other business processes implemented within OpenCTI. Moreover, this approach is redundant, as the platform already defaults to now when the fields are left empty.
In the case of RF, it is expected behavior for the platform to receive the same indicator multiple times if it is modified over time. However, overriding the decay logic with now creates issues:
Proposed Solution:
Impact:
This issue affects the decay mechanisms and business logic that rely on accurate and predictive timestamps. Addressing this is critical to maintaining data integrity and ensuring adherence to development best practices for connectors.
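An added illustration of the behaviour described in the issue, not code from the Recorded Future connector or from OpenCTI: it models an indicator as a plain dict and compares two imports of the same source record, once with the import time substituted for a missing valid_from and once with the field left out. The builder names, record shape and timestamps are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"

def build_with_now_fallback(record, import_time):
    """Pattern reported in the issue: a missing valid_from becomes the import time."""
    indicator = {"name": record["name"], "pattern": record["pattern"]}
    indicator["valid_from"] = record.get("valid_from") or import_time.strftime(ISO)
    if record.get("valid_until"):
        indicator["valid_until"] = record["valid_until"]
    return indicator

def build_without_fallback(record, import_time):
    """Forward only dates the source supplied; import_time is deliberately unused."""
    indicator = {"name": record["name"], "pattern": record["pattern"]}
    for field in ("valid_from", "valid_until"):
        if record.get(field):
            indicator[field] = record[field]
    return indicator

def drift_on_reimport(builder, record, first_import, second_import):
    """Return the fields whose value differs between two imports of one record."""
    a = builder(record, first_import)
    b = builder(record, second_import)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed sample data (not real feed content).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(days=3)
UNDATED = {"name": "example-indicator",
           "pattern": "[domain-name:value = 'example.invalid']"}
DATED = dict(UNDATED, valid_from="2023-12-25T00:00:00Z")

if __name__ == "__main__":
    for builder in (build_with_now_fallback, build_without_fallback):
        for label, record in (("undated", UNDATED), ("dated", DATED)):
            drift = drift_on_reimport(builder, record, T0, T1)
            print(f"{builder.__name__:26} {label:8} drifting fields: {drift}")
```

A connector regression test can use the same comparison: build the object twice from one source record at different times and fail if any validity field differs.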