Description
When GTI_IMPORT_THREAT_ACTORS=True is enabled, the connector ingests GTI Threat Actors as Intrusion Sets. However, the contextual enrichment provided by GTI — such as targeted sectors, operating locations, and associated relationships — is not fully carried over into the Intrusion Set object in OpenCTI.
This is particularly noticeable when the same Intrusion Set already exists from another source (e.g., MITRE ATT&CK). The GTI-specific context (sector targeting, geographic focus) is lost rather than merged.
Expected Behavior
When ingesting GTI Threat Actors as Intrusion Sets, the connector should:
- Create targets relationships to Sectors identified by GTI
- Create located-at or targets relationships to Locations/Countries identified by GTI
- These relationships should be attributed to the GTI source so they coexist with relationships from other sources
Current Behavior
Intrusion Sets are created but lack the contextual relationships that GTI provides. The enrichment data from GTI is effectively dropped.
Component
external-import/google-threat-intelligence
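
An added sketch of the expected output, not part of the original issue and not the connector's code: it maps one threat actor record to a STIX 2.1 Intrusion Set plus GTI-attributed relationships to sectors and countries. The input field names (`sectors`, `countries`), the ID namespace and the timestamp are constructed for this example; the ID derivation is an assumption and is not OpenCTI's own ID scheme.

```python
import uuid

# Constructed namespace for this example's deterministic IDs (not OpenCTI's ID scheme).
NS = uuid.UUID("11111111-2222-4333-8444-555555555555")
NOW = "2025-01-01T00:00:00.000Z"  # constructed timestamp


def sid(stix_type, *parts):
    """Deterministic STIX ID from a type and its identifying parts."""
    return f"{stix_type}--{uuid.uuid5(NS, '|'.join(parts).lower())}"


def obj(stix_type, key, author, **props):
    """Minimal STIX 2.1 object, attributed to `author` via created_by_ref."""
    base = {"type": stix_type, "spec_version": "2.1", "id": sid(stix_type, key),
            "created": NOW, "modified": NOW}
    if author:
        base["created_by_ref"] = author
    return {**base, **props}


def rel(rel_type, source, target, author):
    """Relationship whose ID includes the author, so the GTI-attributed edge is
    its own object next to an edge from another source (example assumption)."""
    return obj("relationship", f"{rel_type}|{source}|{target}|{author}", author,
               relationship_type=rel_type, source_ref=source, target_ref=target)


def build_bundle(actor, location_rel="targets"):
    """Map one simplified threat actor record to an Intrusion Set plus context."""
    if location_rel not in ("targets", "located-at"):
        raise ValueError("location_rel must be 'targets' or 'located-at'")
    gti = obj("identity", "Google Threat Intelligence", None,
              name="Google Threat Intelligence", identity_class="organization")
    iset = obj("intrusion-set", actor["name"], gti["id"], name=actor["name"])
    objects = [gti, iset]
    for sector in sorted(set(actor.get("sectors", []))):  # de-duplicate input
        s = obj("identity", "sector|" + sector, gti["id"],
                name=sector, identity_class="class")
        objects += [s, rel("targets", iset["id"], s["id"], gti["id"])]
    for code in sorted(set(actor.get("countries", []))):
        c = obj("location", code, gti["id"], name=code, country=code)
        objects += [c, rel(location_rel, iset["id"], c["id"], gti["id"])]
    return {"type": "bundle", "id": sid("bundle", iset["id"]), "objects": objects}


# Constructed sample record; the field names are hypothetical, not the GTI API schema.
SAMPLE = {"name": "EXAMPLE-ACTOR", "sectors": ["Energy", "Finance", "Energy"],
          "countries": ["FR"]}
```

Every relationship in the resulting bundle carries the GTI identity in `created_by_ref`, which is the attribution the expected behavior asks for.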