[Google TI] Analyst comments from GTI API not mapped to OpenCTI objects

[CTIBurn0ut]

Description

The Google Threat Intelligence API exposes structured analyst_comment fields on various collection objects (Threat Actors, Malware, Campaigns, Vulnerabilities, etc.). These are human-written analyst comments (not AI-generated summaries) that provide valuable contextual analysis.

The GTI connector does not currently map these comments into OpenCTI. They should be created as Note objects linked to the parent entity, similar to how vulnerability executive_summary and analysis fields were recently mapped in PR #6215.

Expected Behavior

• When a GTI object contains an analyst_comment field, the connector should create a Note STIX object with the comment content
• The Note should be linked to the parent entity via object_refs
• The Note should include appropriate metadata (author, creation date) from the API response

Current Behavior

• analyst_comment fields are silently dropped during ingestion
• No Note objects are created for analyst commentary

API Reference

The analyst_comment field is available on GTI collection endpoints for:

• Threat Actors (/threat_actors/{id})
• Malware (/files/{id})
• Campaigns (/campaigns/{id})
• Vulnerabilities (/vulnerabilities/{id})

Related

• PR [Google TI] Models the 'executive_summary' and 'analysis' fields of a vulnerabili… #6215 / Issue [Google TI] Import Vulnerability summary and analysis fields into description #6103 — Similar pattern implemented for vulnerability executive_summary and analysis fields

[romain-filigran]

Based on my analysis, the "analyst_comment" field does not exist for these entities/collections. To be verified with Google.