Commit

Improve ransomware.live connector (#2746)
Co-authored-by: Sean Whalen <[email protected]>
Co-authored-by: PaulineEustachy <[email protected]>
3 people authored Jan 10, 2025
1 parent aac640a commit 714b94d
Showing 2 changed files with 132 additions and 86 deletions.
48 changes: 26 additions & 22 deletions external-import/ransomwarelive/README.md
Expand Up @@ -20,49 +20,53 @@ General description of the connector
Configuration parameters are provided using environment variables as described below.
Some of them are placed directly in the `docker-compose.yml` since they are not expected to be modified by final users once that they have been defined by the developer of the connector.

Note that the values that follow can be grabbed within Python code using `self.helper.{PARAMETER}`, i. e., `self.helper.connector_nane`.
Note that the values that follow can be grabbed within Python code using `self.helper.{PARAMETER}` i.e., `self.helper.connector_nane`.

Expected environment variables to be set in the `docker-compose.yml` that describe the connector itself.
Most of the times, these values are NOT expected to be changed.
Most of the time, these values are NOT expected to be changed.

| Parameter | Docker envvar | Mandatory | Description |
| ------------------------------------ | ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| `connector_name` | `CONNECTOR_NAME` | Yes | A connector name to be shown in OpenCTI. |
| `connector_scope` | `CONNECTOR_SCOPE` | Yes | Supported scope. E. g., `text/html`. |
| Parameter | Docker envvar | Mandatory | Description |
|-------------------|-------------------|-----------|------------------------------------------|
| `connector_name` | `CONNECTOR_NAME` | Yes | A connector name to be shown in OpenCTI. | |
| `connector_scope` | `CONNECTOR_SCOPE` | Yes | Supported scope. E. g., `text/html`. |
|

However, there are other values which are expected to be configured by end users.
The following values are expected to be defined in the `.env` file.
This file is included in the `.gitignore` to avoid leaking sensitive date).
This file is included in the `.gitignore` to avoid leaking sensitive date.
Note tha the `.env.sample` file can be used as a reference.

The ones that follow are connector's generic execution parameters expected to be added for export connectors.

| Parameter | Docker envvar | Mandatory | Description |
| ------------------------------------ | ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `opencti_url` | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. Note that final `/` should be avoided. Example value: `http://opencti:8080` |
| `opencti_token` | `OPENCTI_TOKEN` | Yes | The default admin token configured in the OpenCTI platform parameters file. |
| `connector_id` | `CONNECTOR_ID` | Yes | A valid arbitrary `UUIDv4` that must be unique for this connector. |
| `connector_confidence_level` | `CONNECTOR_CONFIDENCE_LEVEL` | Yes | The default confidence level for created sightings (a number between 1 and 4). |
| `connector_log_level` | `CONNECTOR_LOG_LEVEL` | Yes | The log level for this connector, could be `debug`, `info`, `warn` or `error` (less verbose). |
| `interval` | `CONNECTOR_RUN_EVERY` | Yes | The time unit is represented by a single character at the end of the string: d for days, h for hours, m for minutes, and s for seconds. e.g., 30s is 30 seconds. 1d is 1 day. |
| `update_existing_data` | `CONNECTOR_UPDATE_EXISTING_DATA` | Yes | Whether to update known existing data. |
| Parameter | Docker envvar | Mandatory | Description |
|------------------------------|----------------------------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `opencti_url` | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. Note that final `/` should be avoided. Example value: `http://opencti:8080` |
| `opencti_token` | `OPENCTI_TOKEN` | Yes | The default admin token configured in the OpenCTI platform parameters file. |
| `connector_id` | `CONNECTOR_ID` | Yes | A valid arbitrary `UUIDv4` that must be unique for this connector. |
| `connector_confidence_level` | `CONNECTOR_CONFIDENCE_LEVEL` | Yes | The default confidence level for created sightings (a number between 1 and 100). |
| `connector_log_level` | `CONNECTOR_LOG_LEVEL` | Yes | The log level for this connector, could be `debug`, `info`, `warn` or `error` (less verbose). |
| `interval` | `CONNECTOR_RUN_EVERY` | Yes | The time unit is represented by a single character at the end of the string: d for days, h for hours, m for minutes, and s for seconds. e.g., 30s is 30 seconds. 1d is 1 day. |
| `update_existing_data` | `CONNECTOR_UPDATE_EXISTING_DATA` | No | Whether to update known existing data (Default: false) | |


Finally, the ones that follow are connector's specific execution parameters expected to be used by this connector.

| Parameter | Docker envvar | Mandatory | Description |
| ------------------------------------ | ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `extra_parameter` | `EXTRA_PARAMETER` | Yes | Any extra parameter. |
| Parameter | Docker envvar | Mandatory | Description |
|-----------------------|---------------------------------|-----------|----------------------------------------------------------|
| `create_threat_actor` | `CONNECTOR_CREATE_THREAT_ACTOR` | No | Whether to create a Threat Actor object (Default: false) |
| `pull_history` | `CONNECTOR_PULL_HISTORY` | No | Whether to pull historic data (Default: false) |
| `data_start_year` | `CONNECTOR_HISTORY_START_YEAR` | No | The year to start from (Default: 2020) |

### Debugging ###
### Debugging

The connector can be debugged by setting the appropiate log level.
Note that logging messages can be added using `self.helper.log_{LOG_LEVEL}("Sample message")`, i. e., `self.helper.log_error("An error message")`.
The connector can be debugged by setting the appropriate log level.
Note that logging messages can be added using `self.helper.log_{LOG_LEVEL}("Sample message")`, i.e., `self.helper.log_error("An error message")`.

<!-- Any additional information to help future users debug and report detailed issues concerning this connector -->

### Additional information


<!--
Any additional information about this connector
* What information is ingested/updated/changed
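Review bot: several typos that this documentation cleanup targets survive in the added lines of this hunk: `self.helper.connector_nane` (should be `connector_name`), "to avoid leaking sensitive date" (should be "data") and "Note tha the `.env.sample` file" (should be "that"). The rebuilt tables also keep a stray trailing `|` at the end of the `connector_name` and `update_existing_data` rows, and a lone `|` line follows the first table; both render as an extra empty column, so drop them. Minor: the new `data_start_year` row maps to `CONNECTOR_HISTORY_START_YEAR`, unlike the neighbouring rows where the envvar mirrors the parameter name; worth confirming the connector reads exactly that variable, or renaming one side to match.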
