"MalwareBazaar Recent Additions" Data Import Connector not working

[japierremarie]

Description

"MalwareBazaar Recent Additions" data import connector has been set following https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/malwarebazaar-recent-additions/docker-compose.yml All settings are properly added in the Portainer OpenCTI stack, like for the 10+ other data import connectors we are using. When checking connector status of the connector, it is "Active" with "State: null", no work in progress, no work completed. No error is visible. Below is our configuration of the connector:

connector-malwarebazaar-recent-additions: image: opencti/connector-malwarebazaar-recent-additions:5.12.33 environment:

• OPENCTI_URL=${OPENCTI_URL}
• OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
• CONNECTOR_ID=${CONNECTOR_MALWAREBAZAAR_ID}
• CONNECTOR_TYPE=EXTERNAL_IMPORT #<-- this is not in the GitHub documentation. Adding it did not change the issue
• "CONNECTOR_NAME=MalwareBazaar Recent Additions"
• CONNECTOR_CONFIDENCE_LEVEL=50 # From 0 (Unknown) to 100 (Fully trusted)
• CONNECTOR_LOG_LEVEL=error
• MALWAREBAZAAR_RECENT_ADDITIONS_API_URL=https://mb-api.abuse.ch/api/v1/
• MALWAREBAZAAR_RECENT_ADDITIONS_COOLDOWN_SECONDS=300 # Time to wait in seconds between subsequent requests
• MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_TAGS=exe,dll,docm,docx,doc,xls,xlsx,xlsm,js # (Optional) Only download files if any tag matches. (Comma separated)
• MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_REPORTERS= # (Optional) Only download files uploaded by these reporters. (Comma separated)
• MALWAREBAZAAR_RECENT_ADDITIONS_LABELS=malware-bazaar # (Optional) Labels to apply to uploaded Artifacts. (Comma separated)
• MALWAREBAZAAR_RECENT_ADDITIONS_LABELS_COLOR=#54483b # Color to use for labels restart: always depends_on:
• opencti

Environment

1. OS (where OpenCTI server runs): Ubuntu 22.04.4 LTS
2. OpenCTI version: OpenCTI 5.12.33
3. OpenCTI client: frontend
4. Other environment details: N/A

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. add connector to Portainer OpenCTI stack
2. restart OpenCTI stack
3. check connector status in OpenCTI UI

[nino-filigran]

@YungBinary , @scottpas , @rlynch-ironnet , @jtagcat @daemitus I see that all of you at some point, have contributed to this connector, do you have any idea?

[japierremarie]

Hi All, One possibility is that data from MalwareBazaar are ingested but the Author field is not populated in OpenCTI as I can see lot of Indicators, Artifacts, etc. without Author but with label "malware-bazaar". Hope it can help...