[Shadowserver] Import Shadowserver Connector

[cmandich]

Shadowserver Connector

The integration uses Shadowservers reports API to query the available Shadowserver reports and transform them into Stix objects making them available within OpenCTI. All available reports are downloaded and an Artifact object is created with the original file. Stix Note objects are added to both the Report and the CustomObjectCaseIncident with a mark-down rendition of each finding from the report.

API and report references from The Shadowserver Foundation

• https://github.com/The-Shadowserver-Foundation/api_utils/wiki/API:-Reports-Query

• https://interchange.shadowserver.org/schema/reports.json

  The integration creates the following types of Stix objects and relationships between them.

• Artifact
• AutonomousSystem
• CustomObjectCaseIncident (optional)
• DomainName
• Identity
• IPv4Address
• IPv6Address
• MACAddress
• MarkingDefinition
• NetworkTraffic
• Note
• ObservedData
• Report
• Vulnerability
• X509Certificate

On the initial run, the integration defaults to the last 30-days of reports. Every run after that, it provides an update for the last 3-days.

Related issues

• https://github.com/OpenCTI-Platform/connectors/issues/777

Checklist

• [x] I consider the submitted work as finished
• [x] I tested the code for its functionality using different use cases
• [x] I added/update the relevant documentation (either on github or on notion)
• [x] Where necessary I refactored code to improve the overall quality