
[Hunt IO] Connector for importing C2 feed into OpenCTI #3033

Open: wants to merge 1 commit from hunt-io-connector into master

Conversation

@m4r35 commented Nov 26, 2024

Proposed changes

This PR introduces a new connector to integrate Hunt.io’s C2 (Command and Control) feed with OpenCTI. The connector retrieves, processes, and maps threat intelligence data into STIX-compliant objects and relationships to enhance threat visibility in OpenCTI.

Features

  • API Integration: The connector fetches C2 feeds from the Hunt.io API in zip format.
  • Response Handling: The compressed payload is unzipped, and its contents are processed into actionable threat intelligence.
  • STIX Object Creation: Each entity in the feed is mapped to corresponding STIX objects/observables.
  • Concurrency: To efficiently handle the large datasets, the connector spawns up to 4 worker threads, processing entities concurrently to mitigate buffer overflow risks.

Field Mapping

| C2 feed field | Description | STIX 2.1 |
|---|---|---|
| ip | The IP address associated with the C2 scan | IPv4Address observable |
| port | The port number used in the C2 connection | NetworkTraffic object that maps IP to a specific port |
| hostname | The hostname or domain associated with the C2 scan | DomainName observable |
| timestamp | The timestamp of the scan | Used as a timestamp for different objects and observables |
| scan_uri | The URI of the scan target | Indicator with url:value pattern |
| confidence | The confidence score of the scan result | Used as confidence score for different objects and observables |
| malware_name | The name of the malware detected during the scan | Malware object |
| malware_subsystem | The subsystem of malware detected | Used for Malware object to represent a malware type |

Relationships

| Source | Relationship | Target |
|---|---|---|
| Infrastructure (malware_name) | controls | Malware (malware_name) |
| Infrastructure (malware_name) | consist-of | IPv4Address (ip) |
| Infrastructure (malware_name) | consist-of | DomainName (hostname) |
| Indicator (scan_uri) | indicates | Malware (malware_name) |

Note

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

@m4r35 force-pushed the hunt-io-connector branch from 1957104 to 85ea3aa on November 26, 2024 16:25
@m4r35 marked this pull request as ready for review November 26, 2024 17:09
@Jipegien added the community label (use to identify PR from community) Dec 3, 2024
@Jipegien (Member) commented Dec 3, 2024

@helene-nguyen for your team to review
