[FlashPoint] Implement parameter guess_relationships (#3920)

Author: pdamoune

external-import/flashpoint/.env.sample

@@ -14,4 +14,5 @@ FLASHPOINT_IMPORT_INDICATORS=true
 FLASHPOINT_IMPORT_ALERTS=true
 FLASHPOINT_ALERT_CREATE_RELATED_ENTITIES=false
 FLASHPOINT_IMPORT_COMMUNITIES=false
-FLASHPOINT_COMMUNITIES_QUERIES=cybersecurity,cyberattack
+FLASHPOINT_COMMUNITIES_QUERIES=cybersecurity,cyberattack
+FLASHPOINT_GUESS_RELATIONSHIPS_FROM_REPORTS=false

external-import/flashpoint/README.md

@@ -58,18 +58,19 @@ Priority: **YAML > .env > environment > defaults**.
 
 ### Connector extra parameters environment variables
 
-| Parameter                              | config.yml                    | Docker environment variable                | Default                     | Mandatory | Description                                                                                                                                            |
-| -------------------------------------- | ----------------------------- | ------------------------------------------ | --------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| API access key                         | api_access_key                | `FLASHPOINT_API_KEY`                       | /                           | Yes       | Flashpoint API access key.                                                                                                                             |
-| Import interval (minutes) (Deprecated) | interval                      | `FLASHPOINT_INTERVAL`                      | 5                           | No        | Interval (in minutes) to import data from Flashpoint. This option option is deprecated. Please use 'duration_period' instead                           |
-| Import start date                      | import_start_date             | `FLASHPOINT_IMPORT_START_DATE`             | "P30D"                      | No        | An ISO 8601 string specifying either a period of time or a start date for data import, e.g. 'P30D' (last 30 days) or '2025-05-01' (since May 1, 2025). |
-| Import reports                         | import_reports                | `FLASHPOINT_IMPORT_REPORTS`                | true                        | No        | Import reports from Flashpoint.                                                                                                                        |
-| Indicators in reports                  | indicators_in_reports         | `FLASHPOINT_INDICATORS_IN_REPORTS`         | false                       | No        | Include indicators in the reports imported from MispFeed.                                                                                              |
-| Import indicators                      | import_indicators             | `FLASHPOINT_IMPORT_INDICATORS`             | true                        | No        | Import indicators of compromise (IoCs).                                                                                                                |
-| Import alerts                          | import_alerts                 | `FLASHPOINT_IMPORT_ALERTS`                 | true                        | No        | Import alert data from Flashpoint.                                                                                                                     |
-| Create alert related entities          | alert_create_related_entities | `FLASHPOINT_ALERT_CREATE_RELATED_ENTITIES` | false                       | No        | Create alert related Channel entity and Media-Content observable                                                                                       |
-| Import communities                     | import_communities            | `FLASHPOINT_IMPORT_COMMUNITIES`            | false                       | No        | Import community data.                                                                                                                                 |
-| Communities queries                    | communities_queries           | `FLASHPOINT_COMMUNITIES_QUERIES`           | "cybersecurity,cyberattack" | No        | Comma-separated list of community queries to execute.                                                                                                  |
+| Parameter                              | config.yml                       | Docker environment variable                | Default                     | Mandatory | Description                                                                                                                                            |
+| -------------------------------------- |----------------------------------|--------------------------------------------|-----------------------------| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| API access key                         | api_access_key                   | `FLASHPOINT_API_KEY`                       | /                           | Yes       | Flashpoint API access key.                                                                                                                             |
+| Import interval (minutes) (Deprecated) | interval                         | `FLASHPOINT_INTERVAL`                      | 5                           | No        | Interval (in minutes) to import data from Flashpoint. This option option is deprecated. Please use 'duration_period' instead                           |
+| Import start date                      | import_start_date                | `FLASHPOINT_IMPORT_START_DATE`             | "P30D"                      | No        | An ISO 8601 string specifying either a period of time or a start date for data import, e.g. 'P30D' (last 30 days) or '2025-05-01' (since May 1, 2025). |
+| Import reports                         | import_reports                   | `FLASHPOINT_IMPORT_REPORTS`                | true                        | No        | Import reports from Flashpoint.                                                                                                                        |
+| Indicators in reports                  | indicators_in_reports            | `FLASHPOINT_INDICATORS_IN_REPORTS`         | false                       | No        | Include indicators in the reports imported from MispFeed.                                                                                              |
+| Import indicators                      | import_indicators                | `FLASHPOINT_IMPORT_INDICATORS`             | true                        | No        | Import indicators of compromise (IoCs).                                                                                                                |
+| Import alerts                          | import_alerts                    | `FLASHPOINT_IMPORT_ALERTS`                 | true                        | No        | Import alert data from Flashpoint.                                                                                                                     |
+| Create alert related entities          | alert_create_related_entities    | `FLASHPOINT_ALERT_CREATE_RELATED_ENTITIES` | false                       | No        | Create alert related Channel entity and Media-Content observable                                                                                       |
+| Import communities                     | import_communities               | `FLASHPOINT_IMPORT_COMMUNITIES`            | false                       | No        | Import community data.                                                                                                                                 |
+| Communities queries                    | communities_queries              | `FLASHPOINT_COMMUNITIES_QUERIES`           | "cybersecurity,cyberattack" | No        | Comma-separated list of community queries to execute.                                                                                                  |
+| Guess relationships                    | guess_relationships_from_reports | `GUESS_RELATIONSHIPS_FROM_REPORTS`         | false                       | No        | Enable or disable the guessing of relationships between entities.                                                                                      |
 
 ⚠️ Please be aware that `CONNECTOR_DURATION_PERIOD` default value takes precedence over `FLASHPOINT_INTERVAL` default value if none of them are set.
 

external-import/flashpoint/docker-compose.yml

@@ -20,4 +20,5 @@ services:
       - FLASHPOINT_ALERT_CREATE_RELATED_ENTITIES=false
       - FLASHPOINT_IMPORT_COMMUNITIES=false
       - FLASHPOINT_COMMUNITIES_QUERIES=cybersecurity,cyberattack
+      - FLASHPOINT_GUESS_RELATIONSHIPS_FROM_REPORTS=false
     restart: always

external-import/flashpoint/src/config.yml.sample

@@ -30,4 +30,4 @@ flashpoint:
   alert_create_related_entities: false
   import_communities: false
   communities_queries: 'cybersecurity,cyberattack'
-
+  guess_relationships_from_reports: false

external-import/flashpoint/src/flashpoint_connector/config_loader.py

@@ -248,6 +248,10 @@ class FlashpointConfig(ConfigBaseModel):
         description="List of community queries to execute.",
         default=["cybersecurity", "cyberattack"],
     )
+    guess_relationships_from_reports: bool = Field(
+        description="Whether to guess relationships between entities or not.",
+        default=False,
+    )
 
 
 class ConfigLoader(BaseSettings):

external-import/flashpoint/src/flashpoint_connector/connector.py

@@ -64,7 +64,7 @@ def _import_reports(self, start_date):
         for report in reports:
             try:
                 stix_report_objects = self.converter_to_stix.convert_flashpoint_report(
-                    report
+                    report, self.config.flashpoint.guess_relationships_from_reports
                 )
                 bundle = self.helper.stix2_create_bundle(stix_report_objects)
                 self._send_bundle(work_id=work_id, serialized_bundle=bundle)

external-import/flashpoint/src/flashpoint_connector/converter_to_stix.py

@@ -79,7 +79,7 @@ def create_relation(self, source_id, target_id, relation):
             message = f"An error occurred while creating relation: {source_id} {relation} {target_id}, error: {ex}"
             self.helper.connector_logger.error(message)
 
-    def _guess_knowledge_graph(self, tags):
+    def _guess_knowledge_graph(self, tags, guess_relationships_from_reports):
         """
         :param tags:
         :return:
@@ -209,51 +209,57 @@ def _guess_knowledge_graph(self, tags):
                                 allow_custom=True,
                             )
                         )
-
-                for attack_pattern in elements["attack_patterns"]:
-                    threats = (
-                        elements["threat_actors"]
-                        + elements["intrusion_sets"]
-                        + elements["malwares"]
-                    )
-                    for threat in threats:
-                        relationship_uses = self.create_relation(
-                            source_id=threat.id,
-                            target_id=attack_pattern.id,
-                            relation="uses",
-                        )
-                        report_objects.append(relationship_uses)
-
-                for malware in elements["malwares"]:
-                    threats = elements["threat_actors"] + elements["intrusion_sets"]
-                    for threat in threats:
-                        relationship_uses = self.create_relation(
-                            source_id=threat.id, target_id=malware.id, relation="uses"
+                if guess_relationships_from_reports:
+                    for attack_pattern in elements["attack_patterns"]:
+                        threats = (
+                            elements["threat_actors"]
+                            + elements["intrusion_sets"]
+                            + elements["malwares"]
                         )
-                        report_objects.append(relationship_uses)
+                        for threat in threats:
+                            relationship_uses = self.create_relation(
+                                source_id=threat.id,
+                                target_id=attack_pattern.id,
+                                relation="uses",
+                            )
+                            report_objects.append(relationship_uses)
+
+                    for malware in elements["malwares"]:
+                        threats = elements["threat_actors"] + elements["intrusion_sets"]
+                        for threat in threats:
+                            relationship_uses = self.create_relation(
+                                source_id=threat.id,
+                                target_id=malware.id,
+                                relation="uses",
+                            )
+                            report_objects.append(relationship_uses)
 
-                for tool in elements["tools"]:
-                    threats = elements["threat_actors"] + elements["intrusion_sets"]
-                    for threat in threats:
-                        relationship_uses = self.create_relation(
-                            source_id=threat.id, target_id=tool.id, relation="uses"
-                        )
-                        report_objects.append(relationship_uses)
+                    for tool in elements["tools"]:
+                        threats = elements["threat_actors"] + elements["intrusion_sets"]
+                        for threat in threats:
+                            relationship_uses = self.create_relation(
+                                source_id=threat.id, target_id=tool.id, relation="uses"
+                            )
+                            report_objects.append(relationship_uses)
 
-                victims = (
-                    elements["regions"] + elements["countries"] + elements["sectors"]
-                )
-                for victim in victims:
-                    threats = (
-                        elements["threat_actors"]
-                        + elements["intrusion_sets"]
-                        + elements["malwares"]
+                    victims = (
+                        elements["regions"]
+                        + elements["countries"]
+                        + elements["sectors"]
                     )
-                    for threat in threats:
-                        relationship_uses = self.create_relation(
-                            source_id=threat.id, target_id=victim.id, relation="targets"
+                    for victim in victims:
+                        threats = (
+                            elements["threat_actors"]
+                            + elements["intrusion_sets"]
+                            + elements["malwares"]
                         )
-                        report_objects.append(relationship_uses)
+                        for threat in threats:
+                            relationship_uses = self.create_relation(
+                                source_id=threat.id,
+                                target_id=victim.id,
+                                relation="targets",
+                            )
+                            report_objects.append(relationship_uses)
                 report_objects = (
                     report_objects
                     + elements["regions"]
@@ -267,7 +273,7 @@ def _guess_knowledge_graph(self, tags):
                 )
         return report_objects
 
-    def convert_flashpoint_report(self, report):
+    def convert_flashpoint_report(self, report, guess_relationships_from_reports):
         """
         :param report:
         :return:
@@ -276,7 +282,9 @@ def convert_flashpoint_report(self, report):
         # Try to resolve
         tags = report["tags"]
         actors = report["actors"]
-        report_objects = self._guess_knowledge_graph(tags + actors)
+        report_objects = self._guess_knowledge_graph(
+            tags + actors, guess_relationships_from_reports
+        )
         object_refs = []
         for report_object in report_objects:
             objects.append(report_object)

external-import/flashpoint/tests/config.test.yml

@@ -20,3 +20,4 @@ flashpoint:
   indicators_in_reports: true
   import_communities: true
   communities_queries: "cybersecurity,cyberattack"
+  guess_relationships_from_reports: false

external-import/flashpoint/tests/test_config_loader.py

@@ -53,6 +53,7 @@ def fake_config_dict() -> dict[str, dict[str, Any]]:
             "import_indicators": True,
             "import_communities": True,
             "communities_queries": "cybersecurity,cyberattack",
+            "guess_relationships_from_reports": False,
         },
     }
 
@@ -64,7 +65,7 @@ def fake_environ(config_dict: dict[str, dict[str, Any]]):
     environ = {}
     for key, value in config_dict.items():
         for sub_key, sub_value in value.items():
-            if sub_value:
+            if sub_value is not None:
                 environ[f"{key.upper()}_{sub_key.upper()}"] = str(sub_value)
     return environ