From 106a1e47f2af348ade7cd836de548227350e3db8 Mon Sep 17 00:00:00 2001
From: Duc Nguyen
Date: Fri, 13 Dec 2024 16:04:15 +0100
Subject: [PATCH] [urlscan-enrichment] Make indicator creation optional
---
 .../urlscan-enrichment/docker-compose.yml | 1 +
 .../urlscan-enrichment/src/main.py | 34 +++++++++++--------
 .../config_variables.py | 7 ++++
 3 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/internal-enrichment/urlscan-enrichment/docker-compose.yml b/internal-enrichment/urlscan-enrichment/docker-compose.yml
index 82f51c6755..3f02d585c9 100644
--- a/internal-enrichment/urlscan-enrichment/docker-compose.yml
+++ b/internal-enrichment/urlscan-enrichment/docker-compose.yml
@@ -19,4 +19,5 @@ services:
 - URLSCAN_ENRICHMENT_VISIBILITY=public # Available values : public, unlisted, private
 - URLSCAN_ENRICHMENT_SEARCH_FILTERED_BY_DATE=>now-1y # Available : ">now-1h", ">now-1d", ">now-1y", "[2022 TO 2023]", "[2022/01/01 TO 2023/12/01]"
 - URLSCAN_ENRICHMENT_MAX_TLP=TLP:AMBER # Required, Available values: TLP:CLEAR, TLP:WHITE, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED
+ - URLSCAN_ENRICHMENT_CREATE_INDICATOR=true
 restart: always
diff --git a/internal-enrichment/urlscan-enrichment/src/main.py b/internal-enrichment/urlscan-enrichment/src/main.py
index 957bcb571f..713d693369 100644
--- a/internal-enrichment/urlscan-enrichment/src/main.py
+++ b/internal-enrichment/urlscan-enrichment/src/main.py
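Review bot: The new `URLSCAN_ENRICHMENT_CREATE_INDICATOR=true` line is the only environment entry in this hunk without a trailing comment stating its accepted values, while the neighbouring `VISIBILITY`, `SEARCH_FILTERED_BY_DATE` and `MAX_TLP` entries each carry one, so an operator reading the compose file cannot tell whether the variable is required or what disables it. Suggest `- URLSCAN_ENRICHMENT_CREATE_INDICATOR=true # Optional, Available values: true, false (default: true)`. Since the flag controls whether detection-ready STIX Indicators are produced at all, it is worth stating in the comment that turning it off leaves only the observable relationships.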
@@ -197,26 +197,32 @@ def _generate_stix_bundle(
 if data_stat["domains"][0] in stix_entity["value"]:
- stix_indicator = (
- self.converter.upsert_stix_indicator_with_relationship(
- data,
- stix_entity,
- external_reference,
- labels,
- prepared_file_png,
+ if self.config.create_indicator:
+ stix_indicator = (
+ self.converter.upsert_stix_indicator_with_relationship(
+ data,
+ stix_entity,
+ external_reference,
+ labels,
+ prepared_file_png,
+ )
 )
- )
- self.stix_objects.extend(stix_indicator)
+ self.stix_objects.extend(stix_indicator)
 for index, ip in enumerate(data_stat["ips"]):
 if ip is None:
 continue
- # Generate Relationship : Indicator -> "based-on" -> obs_ip
- indicator_to_ip = self.converter.generate_stix_relationship(
- stix_indicator[0].id, "based-on", stix_obs_ip[index].id
- )
- self.stix_objects.append(indicator_to_ip)
+ if self.config.create_indicator:
+ # Generate Relationship : Indicator -> "based-on" -> obs_ip
+ indicator_to_ip = (
+ self.converter.generate_stix_relationship(
+ stix_indicator[0].id,
+ "based-on",
+ stix_obs_ip[index].id,
+ )
+ )
+ self.stix_objects.append(indicator_to_ip)
 # Generate Relationship : Observable -> "related-to" -> obs_ip
 observable_to_ip = (
diff --git a/internal-enrichment/urlscan-enrichment/src/urlscan_enrichment_services/config_variables.py b/internal-enrichment/urlscan-enrichment/src/urlscan_enrichment_services/config_variables.py
index 4681c0a03a..c48aca9cf3 100644
--- a/internal-enrichment/urlscan-enrichment/src/urlscan_enrichment_services/config_variables.py
+++ b/internal-enrichment/urlscan-enrichment/src/urlscan_enrichment_services/config_variables.py
@@ -79,3 +79,10 @@ def _initialize_configurations(self) -> None:
 self.max_tlp = get_config_variable(
 "URLSCAN_ENRICHMENT_MAX_TLP", ["urlscan_enrichment", "max_tlp"], self.load
 )
+
+ self.create_indicator = get_config_variable(
+ "URLSCAN_ENRICHMENT_CREATE_INDICATOR",
+ ["urlscan_enrichment", "create_indicator"],
+ self.load,
+ default="true",
+ )
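Review bot: `stix_indicator` is now bound only under the first `if self.config.create_indicator:` and dereferenced as `stix_indicator[0].id` inside the IP loop under a second, separate test of the same flag, so correctness depends on the two conditions never diverging and static analysers will report the name as possibly unbound. Resolving the id once, before the loop, makes the dependency explicit and removes the per-iteration re-check: `indicator_id = stix_indicator[0].id if self.config.create_indicator else None` before `for index, ip in enumerate(...)`, then `if indicator_id is not None:` in place of the inner flag test, passing `indicator_id` to `generate_stix_relationship`. The `[0]` still assumes the converter returns a non-empty list when indicator creation is on; that is pre-existing, but a guard or comment would not hurt. `_generate_stix_bundle` starts and ends outside this hunk.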
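Review bot: `default="true"` is a string, and the callers in main.py test `self.config.create_indicator` by truthiness, so if `get_config_variable` hands the default back unchanged when neither the environment variable nor the YAML key is set (it appears to normalise only values it actually reads — confirm against pycti), the attribute is a `str` on that path and a `bool` otherwise; any future change to `default="false"` would silently keep indicator creation enabled. Suggest `default=True` so the attribute is a boolean on every path. A short comment above the call would also help: `# Whether to emit a STIX Indicator (and its based-on relationships to the resolved IPs) in addition to the enriched observable; enabled by default.`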