Hello, when using the VirusTotal connector, we would like to use the auto-enrichment feature against specific observable entities using labels.
Since our system is pulling in entities from a litany of connectors, an API limit on VT is immediately wiped out. We find this not useful, since a lot of the information being pulled in is already verified via other means (ThreatFox, CIRCL, etc), while the observables my team are pulling in are not. I would like to focus the VT connector on those specific observables that utilize a label that is created when our data is ingested.
I propose the ability to add a label to the connector configuration that the auto-enrichment would target. For instance, we ingest data from our queue system and label it as "queue-data" and would like the auto-enrichment to target that.
Additional Information
N/A
Would you be willing to submit a PR?
I am not a developer by trade, so I would be unable.
Use case
Hello, when using the VirusTotal connector, we would like to use the auto-enrichment feature against specific observable entities using labels. Since our system is pulling in entities from a litany of connectors, an API limit on VT is immediately wiped out. We find this not useful, since a lot of the information being pulled in is already verified via other means (ThreatFox, CIRCL, etc), while the observables my team are pulling in are not. I would like to focus the VT connector on those specific observables that utilize a label that is created when our data is ingested.
Current Workaround
There is no work around, we cannot mass enrich via the observable menu, and there is another feature request issue in place on the platform git. https://github.com/OpenCTI-Platform/opencti/issues/5582
Proposed Solution
I propose the ability to add a label to the connector configuration that the auto-enrichment would target. For instance, we ingest data from our queue system and label it as "queue-data" and would like the auto-enrichment to target that.
Additional Information
N/A
Would you be willing to submit a PR?
I am not a developer by trade, so I would be unable.