Description
Use case
We want to enrich the STIX graph imported by the ImportDocumentAI connector with semantically meaningful relationships (“uses” and “targets”) predicted by an external ML model. Currently, the connector only creates generic “related-to” links or container updates, which limits our ability to analyze attack flows and actor techniques in OpenCTI.
Current Workaround
Right now, all extracted entities and observables are either:
- Bundled into a Report or container (e.g. grouping, incident) via object_refs, or
- Linked generically with StixCoreRelationship of type related-to.
There is no automated way to capture specific “uses” or “targets” relationships, so we manually inspect logs or write custom post-processing scripts to add those links.
Proposed Solution
- Call our relation-prediction web service.
- Parse the model’s response, which returns tuples { source_ref, target_ref, type }, where type is one of the relationship types we predict for now (targets, uses).
- Emit STIX Relationship objects in the bundle for each predicted relation, alongside existing container links and generic “related-to” links.
- Maintain backward compatibility: if the model returns no relations, the connector’s current behavior remains unchanged.
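One way to implement the parse-and-emit steps above, as an added example and not code from the connector or from this proposal; the web-service call itself is left out, and the allowed (source type, target type) pairs are an assumed subset of the STIX 2.1 relationship table. The model's output is treated as untrusted input: only the two expected types are accepted, refs must resolve to objects extracted from the same document, and duplicates are skipped, so an empty response leaves the bundle exactly as it was.

```python
import uuid
from datetime import datetime, timezone

# Assumed subset of the STIX 2.1 relationship table: for each predicted type, the
# (source type, target type) pairs that make sense. Everything else is rejected.
ALLOWED_PAIRS = {
    "uses": {("intrusion-set", "malware"), ("intrusion-set", "tool"), ("threat-actor", "malware")},
    "targets": {("intrusion-set", "identity"), ("malware", "identity"), ("malware", "vulnerability")},
}

def predicted_relationships(bundle_objects, predictions):
    """Return new STIX Relationship dicts for the usable rows in `predictions`, given the
    objects the connector already built; an empty prediction list yields []."""
    id_to_type = {o["id"]: o["type"] for o in bundle_objects}
    seen = {(o["source_ref"], o["target_ref"], o["relationship_type"]) for o in bundle_objects if o["type"] == "relationship"}
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    out = []
    for p in predictions:
        src, tgt, rel = p.get("source_ref"), p.get("target_ref"), p.get("type")
        if rel not in ALLOWED_PAIRS:
            continue  # relationship type the model was not supposed to return
        if src not in id_to_type or tgt not in id_to_type or src == tgt:
            continue  # only objects extracted from this document may be linked
        if (id_to_type[src], id_to_type[tgt]) not in ALLOWED_PAIRS[rel]:
            continue  # e.g. an identity cannot "use" malware
        if (src, tgt, rel) in seen:
            continue  # already in the bundle, or the model repeated itself
        seen.add((src, tgt, rel))
        out.append({"type": "relationship", "spec_version": "2.1",
                    "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
                    "relationship_type": rel, "source_ref": src, "target_ref": tgt})
    return out

# Constructed sample: three extracted objects, one existing related-to link, and a
# model response mixing valid rows with rows that must be dropped.
ISET = "intrusion-set--11111111-1111-4111-8111-111111111111"
MAL = "malware--22222222-2222-4222-8222-222222222222"
ORG = "identity--33333333-3333-4333-8333-333333333333"
SAMPLE_BUNDLE = [
    {"type": "intrusion-set", "id": ISET}, {"type": "malware", "id": MAL}, {"type": "identity", "id": ORG},
    {"type": "relationship", "id": "relationship--44444444-4444-4444-8444-444444444444",
     "relationship_type": "related-to", "source_ref": ISET, "target_ref": MAL},
]
SAMPLE_PREDICTIONS = [
    {"source_ref": ISET, "target_ref": MAL, "type": "uses"},      # kept
    {"source_ref": MAL, "target_ref": ORG, "type": "targets"},    # kept
    {"source_ref": ISET, "target_ref": MAL, "type": "uses"},      # duplicate, dropped
    {"source_ref": ORG, "target_ref": MAL, "type": "uses"},       # identity cannot "use", dropped
    {"source_ref": ISET, "target_ref": MAL, "type": "exploits"},  # unexpected type, dropped
    {"source_ref": ISET, "target_ref": "malware--not-extracted", "type": "uses"},  # unknown ref, dropped
]
```

The returned list is what `_process_parsed_objects()` would append to the bundle next to the existing container and related-to links.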
Additional Information
Code changes would be primarily in ReportImporter._process_import() (to call the model) and _process_parsed_objects() (to append the predicted relations).