OpenCTI-Platform · PaigeByNumbers · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025
diff --git a/internal-enrichment/add-indicators-in-report/Dockerfile b/internal-enrichment/add-indicators-in-report/Dockerfile
@@ -0,0 +1,18 @@
+FROM python:3.12-alpine
+ENV CONNECTOR_TYPE=INTERNAL_ENRICHMENT
+
+# Copy the connector
+COPY src /opt/opencti-add-indicators-in-report
+
+# Install Python modules
+RUN apk update && apk upgrade && \
+    apk --no-cache add git build-base libmagic libffi-dev libxml2-dev libxslt-dev
+
+RUN cd /opt/opencti-add-indicators-in-report && \
+    pip3 install --no-cache-dir -r requirements.txt && \
+    apk del git build-base
+
+# Expose and entrypoint
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/internal-enrichment/add-indicators-in-report/README.md b/internal-enrichment/add-indicators-in-report/README.md
@@ -0,0 +1,9 @@
+# OpenCTI Internal Enrichment
+
+## Introduction
+
+A connector to automaticaly add (create if needed) indicators to a report based on the Observables already contained in the report.
+
+## Usage
+
+1. In a report, enrich the report with the connector -> The indicators and the relation "based-on" are added to the report.Ò
diff --git a/internal-enrichment/add-indicators-in-report/docker-compose.yml b/internal-enrichment/add-indicators-in-report/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3'
+services:
+  connector-add-indicators-in-report:
+    image: opencti/connector-add-indicators-in-report:6.5.3
+    environment:
+      - OPENCTI_URL=http://localhost
+      - OPENCTI_TOKEN=ChangeMe
+      - CONNECTOR_ID=ChangeMe
+      - CONNECTOR_NAME=Add Indicators In Report
+      - CONNECTOR_SCOPE=Report
+      - CONNECTOR_AUTO=false
+      - CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted)
+      - CONNECTOR_LOG_LEVEL=error
+    restart: always
diff --git a/internal-enrichment/add-indicators-in-report/entrypoint.sh b/internal-enrichment/add-indicators-in-report/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cd /opt/opencti-add-indicators-in-report
+
+python3 main.py
diff --git a/internal-enrichment/add-indicators-in-report/src/config.yml.sample.yml b/internal-enrichment/add-indicators-in-report/src/config.yml.sample.yml
@@ -0,0 +1,12 @@
+opencti:
+  url: 'http://opencti:8080'
+  token: "changeme"
+
+connector:
+  id: "changeme"
+  type: 'INTERNAL_ENRICHMENT'
+  name: 'Adding Indicators'
+  scope: 'Report' # MIME type or SCO
+  auto: false # Enable/disable auto-enrichment of observables
+  confidence_level: 100 # From 0 (Unknown) to 100 (Fully trusted)
+  log_level: 'info'
diff --git a/internal-enrichment/add-indicators-in-report/src/main.py b/internal-enrichment/add-indicators-in-report/src/main.py
@@ -0,0 +1,87 @@
+import os
+import traceback
+from typing import Dict
+
+import yaml
+from pycti import OpenCTIConnectorHelper
+
+
+class ConnecteurEnrichReportWithStixIndicatorsFromObservables:
+    def __init__(self):
+        config_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
+        config = (
+            yaml.load(open(config_path), Loader=yaml.FullLoader)
+            if os.path.isfile(config_path)
+            else {}
+        )
+        self.helper = OpenCTIConnectorHelper(config, playbook_compatible=True)
+
+    def _process_message(self, data: Dict):
+        stix_objects = data["stix_objects"]
+        for stix_object in stix_objects:
+            if stix_object["type"] == "report":
+                for object_contained_in_report in stix_object["object_refs"]:
+                    is_observable = self.helper.api.stix_cyber_observable.read(
+                        id=object_contained_in_report
+                    )
+                    if not is_observable:
+                        continue
+
+                    based_on_relationships = (
+                        self.helper.api.stix_core_relationship.list(
+                            toId=object_contained_in_report,
+                            relationship_type="based-on",
+                        )
+                    )
+
+                    # If no relationship of type "based-on" exists
+                    if based_on_relationships == [] or based_on_relationships is None:
+                        # Create the stix indicator and the relation
+                        indicator = self.helper.api.stix_cyber_observable.promote_to_indicator_v2(
+                            id=object_contained_in_report
+                        )
+                        # Add the indicator to the report
+                        self.helper.api.report.add_stix_object_or_stix_relationship(
+                            id=stix_object["id"],
+                            stixObjectOrStixRelationshipId=indicator["id"],
+                        )
+                        # Get relationship and add it to the report
+                        based_on_relationships = (
+                            self.helper.api.stix_core_relationship.list(
+                                fromId=indicator["id"],
+                                toId=indicator["observables"][0]["id"],
+                                relationship_type="based-on",
+                            )
+                        )
+                        self.helper.api.report.add_stix_object_or_stix_relationship(
+                            id=stix_object["id"],
+                            stixObjectOrStixRelationshipId=based_on_relationships[0][
+                                "id"
+                            ],
+                        )
+                    else:
+                        for based_on_relationship in based_on_relationships:
+                            self.helper.api.report.add_stix_object_or_stix_relationship(
+                                id=stix_object["id"],
+                                stixObjectOrStixRelationshipId=based_on_relationship[
+                                    "from"
+                                ]["id"],
+                            )
+                            self.helper.api.report.add_stix_object_or_stix_relationship(
+                                id=stix_object["id"],
+                                stixObjectOrStixRelationshipId=based_on_relationship[
+                                    "id"
+                                ],
+                            )
+
+    def run(self) -> None:
+        self.helper.listen(message_callback=self._process_message)
+
+
+if __name__ == "__main__":
+    try:
+        connector = ConnecteurEnrichReportWithStixIndicatorsFromObservables()
+        connector.run()
+    except Exception:
+        traceback.print_exc()
+        exit(1)
diff --git a/internal-enrichment/add-indicators-in-report/src/requirements.txt b/internal-enrichment/add-indicators-in-report/src/requirements.txt
@@ -0,0 +1 @@
+pycti==6.5.3