Closed Megafredo closed 1 week ago
Tested locally, everything seems good to me.
Tests have been made with 3 observables locally. Tests with playbook automation too, bundle is properly ingested :) Docker deployment of the connector works properly ✅
This PR will be merged today, another issue is opened to complete the connector with tests: https://github.com/OpenCTI-Platform/connectors/issues/2973
Proposed changes
Supported observables: IPv4-addr & Domain-Name

The RISKIQ_IMPORT_LAST_SEEN_TIME_WINDOW environment variable specifies the time range used to filter imported data based on when it was last observed. This variable typically uses an ISO 8601 duration format (e.g., "P30D" for a 30-day window), allowing the connector to retrieve only records that have been observed within the specified period. This helps limit data to recent observations, optimizing performance and focusing on relevant, current information.

Here's how each record type is handled by enrichment:
- A Record: Resolves to an IPv4 address and generates an IPv4-Addr observable with the STIX relationship resolves-to (Entity -> resolves-to -> IPv4).
- AAAA Record: Resolves to an IPv6 address and generates an IPv6-Addr observable with the STIX relationship resolves-to (Entity -> resolves-to -> IPv6).
- SOA Record: Resolves to an email address, generating an Email-Addr observable with the STIX relationship related-to (Entity -> related-to -> Email).
- SOA, MX, CNAME, NS Records: Resolve to domain names, generating a Domain-Name observable with the STIX relationship resolves-to (Entity -> resolves-to -> Domain-Name).
- A Record (for domains): In specific cases as defined by RiskIQ, this resolves to a domain, creating a Domain-Name observable with a reversed STIX relationship resolves-to (Domain-Name -> resolves-to -> Entity).

RiskIQ PassiveTotal API Endpoints used:
- /v2/account/quota: This endpoint provides information about the user's current quota for the searchApi resource. It includes details about the user's current usage and the quota limits. This helps monitor whether the API usage is approaching or exceeding the allowed limits and includes information about the next reset time.
- /v2/dns/passive: This endpoint allows querying the Passive DNS data for a specific entity, such as an IPv4 address or domain name. The response includes DNS records (such as A, AAAA, MX, SOA, etc.) associated with the provided entity, which can be used for enrichment in security and threat intelligence operations.

Related issues
#2692
Checklist
Further comments
Observable is not correctly formatted.
This issue will be reported as a bug in OpenCTI. Upon investigation, it appears that domains in the format "example-adm.tcp.clients.google.com", occasionally provided by RiskIQ, trigger an error during ingestion into OpenCTI because the underscore character "_" is not accepted in the creation of observables of the domain name type. However, according to RFC 2181, section 11 ("Name syntax"), underscores are permitted in domain names. In contrast, for hostnames, RFC 1123, section 2.1 ("Host Names and Numbers") enforces stricter rules, allowing only letters, digits, and hyphens in hostnames. (Special thanks to @flavienSindou for her references)
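The record-to-relationship mapping described under "Proposed changes" and the underscore rejection noted above, as an added example that is not the connector's own code: the record dicts, the field names recordType/resolve and the /v2/dns/passive response shape are assumptions, and the RFC 1123 label check stands in for the platform-side validation the PR reports.

```python
import re
# Added example, not the connector's code; record shape is an assumption.
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_rfc1123_hostname(name):
    """Strict host-name check: underscore labels (legal per RFC 2181) fail."""
    return all(LABEL_RE.match(lbl) for lbl in name.rstrip(".").split("."))

def classify(value):
    # Guess the observable type of a resolved value.
    if IPV4_RE.match(value):
        return "IPv4-Addr"
    if ":" in value:
        return "IPv6-Addr"
    return "Email-Addr" if "@" in value else "Domain-Name"

def map_record(entity, record):
    """Return ((src_type, src), relationship, (dst_type, dst)) or None."""
    rtype, value = record["recordType"], record["resolve"]
    obs, ent = classify(value), ("Entity", entity)
    forward = {("A", "IPv4-Addr"), ("AAAA", "IPv6-Addr"), ("SOA", "Domain-Name"),
               ("MX", "Domain-Name"), ("CNAME", "Domain-Name"), ("NS", "Domain-Name")}
    if (rtype, obs) in forward:
        return (ent, "resolves-to", (obs, value))
    if (rtype, obs) == ("SOA", "Email-Addr"):
        return (ent, "related-to", (obs, value))
    if (rtype, obs) == ("A", "Domain-Name"):  # RiskIQ special case: reversed
        return ((obs, value), "resolves-to", ent)
    return None

def enrich(entity, records):
    # Map records; set aside domains the platform would refuse to create.
    rels, skipped = [], []
    for rec in records:
        mapped = map_record(entity, rec)
        if mapped is None:
            continue  # record type the connector does not enrich
        ends = (mapped[0], mapped[2])
        if all(is_rfc1123_hostname(v) for t, v in ends if t == "Domain-Name"):
            rels.append(mapped)
        else:
            skipped.append(rec["resolve"])  # would error at observable creation
    return rels, skipped

SAMPLE_RECORDS = [  # constructed sample, not real API output
    {"recordType": "A", "resolve": "192.0.2.10"},
    {"recordType": "SOA", "resolve": "hostmaster@example.com"},
    {"recordType": "A", "resolve": "cdn.example.net"},
    {"recordType": "CNAME", "resolve": "_sip._tcp.example.com"},
]
```

Running enrich("example.com", SAMPLE_RECORDS) yields three relationships (the third with the reversed Domain-Name -> resolves-to -> Entity direction) and one skipped underscore domain, instead of an ingestion error.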