OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[Flashpoint] Improve and refactor connector to use new Ignite API #1988

Open Lhorus6 opened 3 months ago

Lhorus6 commented 3 months ago

Description

Flashpoint now provides a new API, Ignite. We need to change the connector to use this new one. At the same time we will fetch more data and improve the overall quality.

  1. Use Ignite API to paginate data instead of fetching everything
  2. Prevent the connector from adding the "Flashpoint" organization to the reports it creates (it shouldn't).
  3. The connector labels all information (sector, countries, etc.). We need to create relationships as usual, and clean up the labels. At this moment, no relations are created. The report arrives as if it were an RSS feed...
  4. The files attached to the report (in the data tab) are HTML without layout (why not PDFs?) and are all called "report.html" rather than the actual name of the report -> see if, like Mandiant and CrowdStrike, we can get a clean Flashpoint PDF.
  5. There is no report_type, not very important but if Flashpoint provides it, it would be nice to get it.

API to take a look

Get Reports: https://docs.flashpoint.io/flashpoint/reference/fireapireportssearch
Creation of relations and entities based on tags is needed. Pagination using since + limit and skip?

Get IOCs: https://docs.flashpoint.io/flashpoint/reference/indicators_apiappattributes
First do a search using updated_since + limit and skip? Maybe using scrolling?

Flashpoint contained in the report and nothing else

[Screenshot 2024-03-29 092153]

Bad labels

In the labels, we can see regions, countries, sectors, TTPs, ... things that are entities in their own and to be linked to the report, not to put on the label.

[Screenshot 2024-03-29 092326]

Another example where information is not capitalized (not linked to the report)

You can still see in the description that the report talks about a threat actor yet I have no relationship. I only have one organization in my report -> Flashpoint

[Screenshot 2024-03-29 092520]
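The two behaviours asked for above (paginating with since + limit + skip instead of fetching everything, and turning tagged sectors, countries and actors into linked entities instead of flat labels, without stamping the vendor organization as author) can be sketched in plain Python. The block below is an added example written for this issue, not code from the OpenCTI connectors repository or from Flashpoint; the response shape `{"data": [...], "total": N}`, the `fake_fetch` stand-in, the `sector:` / `country:` / `actor:` tag prefixes and the sample records are all constructed assumptions.

```python
"""Added example (not from the OpenCTI connectors repo or Flashpoint).

Assumptions, not confirmed by the issue: the reports endpoint accepts
since/limit/skip and answers {"data": [...], "total": N}; tags carry a
"sector:" / "country:" / "actor:" prefix. Records below are constructed.
"""
import uuid

# Constructed sample data standing in for the remote API.
SAMPLE_REPORTS = [
    {
        "id": f"rpt-{i}",
        "title": f"Report {i}",
        "updated_at": "2024-03-29T09:00:00Z",
        "tags": ["sector:Finance", "country:France",
                 "actor:Example Group", "ransomware"],
    }
    for i in range(7)
]


def fake_fetch(since, limit, skip):
    """Stand-in for the HTTP call; mimics since/limit/skip pagination (assumed)."""
    rows = [r for r in SAMPLE_REPORTS if r["updated_at"] >= since]
    return {"total": len(rows), "data": rows[skip:skip + limit]}


def iter_reports(fetch, since, page_size=3, max_pages=1000):
    """Yield reports one page at a time instead of loading the whole feed.

    Stops on an empty or short page or once the advertised total is reached.
    A duplicate id across pages means the server is not really advancing,
    so we stop rather than loop forever; max_pages is a second safety net.
    """
    skip, seen = 0, set()
    for _ in range(max_pages):
        page = fetch(since=since, limit=page_size, skip=skip)
        rows = page.get("data", [])
        if not rows:
            return
        for row in rows:
            if row["id"] in seen:
                return
            seen.add(row["id"])
            yield row
        skip += len(rows)
        if skip >= page.get("total", 0) or len(rows) < page_size:
            return


# Assumed tag convention: prefix -> (STIX type, how to fill the object).
TAG_PREFIXES = {
    "sector:": ("identity", "sector"),
    "country:": ("location", "country"),
    "actor:": ("threat-actor", None),
}


def _stix_id(stix_type, seed):
    """Deterministic id so re-runs update the same object instead of duplicating it."""
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, seed)}"


def build_report_bundle(report, author_identity_id=None):
    """Return STIX 2.1-style dicts: typed entities for recognised tags, referenced
    from the report's object_refs (which is what links them to the report), and
    only the leftover tags kept as labels. created_by_ref is set solely from the
    caller's own author, so the vendor organization is never injected by default."""
    entities, labels, object_refs = [], [], []
    for tag in report["tags"]:
        for prefix, (stix_type, kind) in TAG_PREFIXES.items():
            if tag.startswith(prefix):
                name = tag[len(prefix):]
                obj = {"type": stix_type, "id": _stix_id(stix_type, tag), "name": name}
                if kind == "sector":
                    obj["identity_class"] = "class"
                    obj["sectors"] = [name]
                elif kind == "country":
                    obj["country"] = name
                entities.append(obj)
                object_refs.append(obj["id"])
                break
        else:  # no prefix matched: this stays a plain label
            labels.append(tag)
    report_obj = {
        "type": "report",
        "id": _stix_id("report", report["id"]),
        "name": report["title"],
        "published": report["updated_at"],
        "labels": labels,
        "object_refs": object_refs,
    }
    if author_identity_id:
        report_obj["created_by_ref"] = author_identity_id
    return [report_obj] + entities


if __name__ == "__main__":
    for rpt in iter_reports(fake_fetch, since="2024-01-01T00:00:00Z"):
        objs = build_report_bundle(rpt)
        print(rpt["id"], "labels:", objs[0]["labels"], "linked:", len(objs) - 1)
```

Swapping `fake_fetch` for the real client call keeps the generator unchanged; the duplicate-id and `max_pages` guards are what protect a scheduled connector run from an endpoint that ignores `skip`.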

nino-filigran commented 3 months ago

@Megafredo or @helene-nguyen could you have a look at this when you have time please?

helene-nguyen commented 3 months ago

@nino-filigran, we will check it and give you an update as soon as possible!

helene-nguyen commented 2 months ago

@Lhorus6, @nino-filigran, after some investigations, for some points, the connector needs to be reworked to:

To fix all bugs, it must be included as a complete feature.

nino-filigran commented 2 months ago

Thanks @helene-nguyen, good to know, we will keep it in mind to prioritize this cc @Jipegien

Jipegien commented 2 months ago

Connector improvement scheduled for 6.3. Real bugs encompassed in this issue can be solved before that (please create a dedicated GitHub bug issue)

nino-filigran commented 2 months ago

I've created the bug, see above. I've also listed, among @Lhorus6's requests and your answers @helene-nguyen, what can be tackled as a bug, so that we can use this ticket to track the feature. @Jipegien for awareness. Let me know if any of you disagree or have questions or anything.