Skip to content

[Doppel] Converting Doppel Alerts to STIX 2.1 Observables #5322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
siddharths1-metron wants to merge 22 commits into
base: master
Choose a base branch
from
Open

[Doppel] Converting Doppel Alerts to STIX 2.1 Observables #5322

siddharths1-metron wants to merge 22 commits into from

Conversation

@siddharths1-metron
Copy link

@siddharths1-metron siddharths1-metron commented Dec 3, 2025

Proposed changes

  • This new version of Doppel OpenCTI connector converts doppel alerts to STIX 2.1 Observables.
  • Converts the Observables into Indicators if the alert is actioned/taken_down.
  • Revokes the Indicator if alert is mark as unresolved from actioned/taken_down state.

Related issues

  • 4385

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

@Ninoxe
Copy link
Contributor

Ninoxe commented Dec 10, 2025

Hi @siddharths1-metron

Thank you for your PR.

There are a lot of files that have nothing to do with Doppel. Can you modify it so that only Doppel files are included in the PR?

@Ninoxe Ninoxe changed the title Doppel-OpenCTI v1.1.0 Converting Doppel Alerts to STIX 2.1 Observables [Doppel] Converting Doppel Alerts to STIX 2.1 Observables Dec 10, 2025
@romain-filigran romain-filigran added partner used to identify PR from patner filigran verify Use to identify PR of connector Verified labels Dec 12, 2025
tanvik-metron and others added 20 commits December 14, 2025 19:12
@tanvik-metron @siddharths1-metron
Add authentication update with user key support
fcf4eae
@tanvik-metron @siddharths1-metron
Incorporate review suggestions
007420e
@siddharths1-metron
[Doppel] Organization code support and mapping alerts to STIX 2.1 Obs…
ddb7ba4 
…ervables
@siddharths1-metron
reviewed logic for based-on relationship and takedown workflow
7f5e0c7
@siddharths1-metron
Refactor takedown and reversion state handling in ConverterToStix; en…
4dd6db4 
…hance note creation with indicator and observable references, and adjust score calculation logic.
@siddharths1-metron
Modified how labels are displayed
9dee076
@siddharths1-metron
Code cleanup and add relationships, missing fields to observables, in…
96b59fc 
…dicators, and cases
@siddharths1-metron
Added condition for revoke and unrevoke indicators
eed9bce
@siddharths1-metron
[Doppel] Formatted and linted the code as per OpenCTI guidelines and …
a7173d2 
…revamped convert_to_stix function into multiple sub functions based on functionality.
@siddharths1-metron
[Doppel] Fixed typo in Readme.md
3ac74f5
@siddharths1-metron
[Doppel] Add Organization Code in Readme.md
f8b5ed8
@siddharths1-metron
[Doppel] Fixed generic exception handling and added constant to STIX …
2f51f09 
…Version
@siddharths1-metron
[Doppel] Add return type in method signatures in convert_to_stix file…
2dbe8b2 
… and remove unused comments
@siddharths1-metron
[Doppel] Removed unused Exception block
63500a3
@siddharths1-metron
[Doppel] Moved STIX Builder functions into a new file
94eaed7
@siddharths1-metron
[Doppel] Add retry logic for 429 errors and add handle state transiti…
68639d5 
…on function
@siddharths1-metron
[Doppel] Removed stacked retry logic and made is_retryable_exception …
1713768 
…as static method
@siddharths1-metron
[Doppel] Moved constants to constants.py
f812cdf
@siddharths1-metron
[Doppel] Fixed lint and formatting issues
1acc1e5
@siddharths1-metron
[Doppel] Fixed linter isues
47d6d29
@siddharths1-metron
Copy link
Author

siddharths1-metron commented Dec 14, 2025
edited
Loading

Hi @siddharths1-metron

Thank you for your PR.

There are a lot of files that have nothing to do with Doppel. Can you modify it so that only Doppel files are included in the PR?

Hello @Ninoxe I have modified the PR, please take a look thanks!
Also I did run isort --profile black . inside external-import/doppel do you have any idea why the check is still failing?

@siddharths1-metron
Copy link
Author

siddharths1-metron commented Dec 18, 2025
edited
Loading

Hello @Ninoxe, any update on this? Thanks.

@Ninoxe
Copy link
Contributor

Ninoxe commented Dec 18, 2025

Hi @siddharths1-metron
Thank you for your PR.
There are a lot of files that have nothing to do with Doppel. Can you modify it so that only Doppel files are included in the PR?

Hello @Ninoxe I have modified the PR, please take a look thanks! Also I did run isort --profile black . inside external-import/doppel do you have any idea why the check is still failing?

Hi @siddharths1-metron !

Did you try to run the command just inside external-import and not inside the connector like isort --profile black doppel?

@siddharths1-metron
Copy link
Author

siddharths1-metron commented Jan 8, 2026

Hello @Ninoxe any update on this? I did run the cmd as suggested. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

filigran verify Use to identify PR of connector Verified partner used to identify PR from patner

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@siddharths1-metron @Ninoxe @romain-filigran @tanvik-metron