[recordedfuture-enrichment] add threat actor to intrusion set config #5454
77c3473 to acca410
Pull request overview
This PR adds a configuration option to convert Recorded Future Threat Actor entities to Intrusion Set entities instead of Threat Actor Group entities during observable enrichment. This addresses issue #4753 by providing flexibility in how threat actor data is represented in OpenCTI.
Key Changes
- Added `threat_actor_to_intrusion_set` boolean configuration parameter with a default value of `False`
- Updated observable enrichment logic to conditionally create `IntrusionSet` objects when the flag is enabled
- Extended relationship matching to include `IntrusionSet` entities alongside existing threat-related entities
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| conftest.py | Added test fixture configuration for the new `threat_actor_to_intrusion_set` parameter |
| enrich_observable.py | Implemented conditional logic to create IntrusionSet instead of ThreatActorGroup based on configuration |
| rf_connector.py | Passed the new configuration parameter to ObservableEnricher and improved TLP level type safety |
| config_loader.py | Defined the new `threat_actor_to_intrusion_set` configuration field with validation |
| config.yml.sample | Added commented-out example of the new configuration option |
| docker-compose.yml | Added commented-out environment variable example |
| README.md | Documented the new configuration parameter with usage warnings |
| .env.sample | Added commented-out environment variable example |
| | Max TLP | info_max_tlp | `RECORDED_FUTURE_INFO_MAX_TLP` | `TLP:AMBER` | no | Max TLP marking of the entity to enrich (inclusive). One of `TLP:CLEAR`, `TLP:WHITE`, `TLP:GREEN`, `TLP:AMBER`, `TLP:AMBER+STRICT`, `TLP:RED`. | | ||
| | Indicator creation threshold | create_indicator_threshold | `RECORDED_FUTURE_CREATE_INDICATOR_THRESHOLD` | `0` | no | The risk score threshold at which an indicator will be created for enriched observables. If set to zero, all enriched observables will automatically create an indicator. If set to 100, no enriched observables will create an indicator. Reccomended thresholds are: `0`, `25`, `65`, `100` | | ||
| | Vulnerability enrichment optional fields | vulnerability_enrichment_optional_fields | `RECORDED_FUTURE_VULNERABILITY_ENRICHMENT_OPTIONAL_FIELDS` | `''` | no | A comma-separated list of optional fields to enrich vulnerabilities with. Currently, available fields are `aiInsights`, `cpe`and `risk`. See [RecordedFuture enrichment fields doc](https://docs.recordedfuture.com/reference/enrichment-field-attributes) for more details. | | ||
| | Theat Actor to Intrusion Set | threat_actor_to_intrusion_set | `RECORDED_FUTURE_THREAT_ACTOR_TO_INTRUSION_SET` | `False` | no | Converts all Recorded Future Threat Actors to STIX Object "Intrusion Set" instead of "Threat Actor". DO NOT USE unless you **really** know what you're doing. | |
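Review bot: The new README row's warning "DO NOT USE unless you **really** know what you're doing" gives an operator nothing to judge that by; the description should say what the option changes for data already ingested as "Threat Actor" and why the default is `False`, so the risk of flipping it can actually be assessed. While touching this table, fix the new row's "Theat Actor" to "Threat Actor" and the neighbouring context line's "Reccomended thresholds" to "Recommended thresholds".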
Copilot
AI
Jan 8, 2026
Corrected spelling of 'Theat' to 'Threat'.
| | Theat Actor to Intrusion Set | threat_actor_to_intrusion_set | `RECORDED_FUTURE_THREAT_ACTOR_TO_INTRUSION_SET` | `False` | no | Converts all Recorded Future Threat Actors to STIX Object "Intrusion Set" instead of "Threat Actor". DO NOT USE unless you **really** know what you're doing. | | |
| | Threat Actor to Intrusion Set | threat_actor_to_intrusion_set | `RECORDED_FUTURE_THREAT_ACTOR_TO_INTRUSION_SET` | `False` | no | Converts all Recorded Future Threat Actors to STIX Object "Intrusion Set" instead of "Threat Actor". DO NOT USE unless you **really** know what you're doing. | |
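As an added illustration of the behaviour the review summarises (this is not code from the connector or from this PR): a strict parser for the `RECORDED_FUTURE_THREAT_ACTOR_TO_INTRUSION_SET` environment variable, the conditional choice between a STIX `threat-actor` and an `intrusion-set` object, and a type-aware relationship filter that accepts both. The function names, the deterministic id scheme and the constructed sample actor are assumptions; the connector's real helpers and its full list of threat-related types are not shown on this page.

```python
import os
import uuid
from typing import Any, Dict, List, Optional

# Added example, not the connector's code. All names below are assumptions.

_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off", ""}


def parse_bool(raw: Optional[str], default: bool = False) -> bool:
    """Strictly parse an environment-variable boolean.

    bool("False") is True in Python, so a naive cast would silently turn the
    conversion on. Unknown spellings raise instead of guessing.
    """
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"invalid boolean value: {raw!r}")


def load_threat_actor_to_intrusion_set(env: Optional[Dict[str, str]] = None) -> bool:
    """Read the flag from the environment; the default is False, as the README row states."""
    source = os.environ if env is None else env
    return parse_bool(source.get("RECORDED_FUTURE_THREAT_ACTOR_TO_INTRUSION_SET"), default=False)


def stix_id(stix_type: str, seed: str) -> str:
    """Deterministic STIX id of the form type--uuid (namespace and seed are this example's choice)."""
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, stix_type + ':' + seed)}"


def build_threat_actor_object(name: str, to_intrusion_set: bool) -> Dict[str, Any]:
    """Minimal STIX 2.1-shaped dict for a Recorded Future threat actor.

    The object type is part of the STIX id, so the two representations are
    distinct objects, not two views of one entity. That is what makes
    flipping the flag on an existing deployment a data-model decision.
    """
    stix_type = "intrusion-set" if to_intrusion_set else "threat-actor"
    return {
        "type": stix_type,
        "spec_version": "2.1",
        "id": stix_id(stix_type, name),
        "name": name,
    }


# Types treated as threat-related when matching relationships. The PR adds
# intrusion-set next to the connector's existing set, which this page does not list.
THREAT_RELATED_TYPES = frozenset({"threat-actor", "intrusion-set"})


def is_threat_related(obj: Dict[str, Any]) -> bool:
    return obj.get("type") in THREAT_RELATED_TYPES


def build_relationships(observable_id: str, entities: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Relate an observable to every threat-related entity and skip everything else."""
    return [
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": stix_id("relationship", f"{observable_id}->{entity['id']}"),
            "relationship_type": "related-to",
            "source_ref": observable_id,
            "target_ref": entity["id"],
        }
        for entity in entities
        if is_threat_related(entity)
    ]


if __name__ == "__main__":
    # Constructed configuration and actor name; nothing here is real Recorded Future data.
    flag = load_threat_actor_to_intrusion_set({"RECORDED_FUTURE_THREAT_ACTOR_TO_INTRUSION_SET": "false"})
    actor = build_threat_actor_object("Example Actor (constructed)", flag)
    print(actor["type"], actor["id"])
```

Run with the environment variable set to `true` and the same actor name comes back as an `intrusion-set--…` id instead of `threat-actor--…`, which is the point of the README's warning: the two settings produce different objects for the same upstream entity.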