[Spycloud] Create external import connector #3347

Open. Wants to merge 46 commits into base: master.

Conversation

Powlinett (Member)

Proposed changes

⚠️ This PR overrides previous Spycloud PR #3319

  • Use/adapt external import template
  • Validate config/env variables
  • Create Spycloud API client handling authentication, filters, retry strategy...
  • Create Spycloud classes (BreachCatalog and BreachRecord)
  • Create OpenCTI classes (Author, Incident, observables...)
  • Add unit tests
  • Add pyproject.toml
  • Update Docker build

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality

@Powlinett added the labels filigran team (use to identify PR from the Filigran team), do not merge (do not merge this PR until this tag is removed) and new (use to identify new integration) on Jan 29, 2025
@Powlinett Powlinett self-assigned this Jan 29, 2025
@Powlinett Powlinett linked an issue Jan 29, 2025 that may be closed by this pull request
@Powlinett force-pushed the feature/2563-spycloud-observables branch from 2c7d44e to abf331c on January 29, 2025 16:57
@flavienSindou (Contributor) left a comment:

Nice and clear documented code.
Some small remarks but a really good implementation.

You should add a test-requirements.txt file for the CI to launch your tests

I'm testing the connector locally and I'll approve it.

Comment on lines +147 to +155
```mermaid
flowchart LR
A[Spycloud] -->|get data periodically| B(Connector)
B --> C{Process breach records}
C -->|convert to| D1[STIX bundle]
C -->|convert to| D2[STIX bundle]
C -->|convert to| D3[STIX bundle]
D1 & D2 & D3 -->|send to| E(OpenCTI)
```
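Review bot: D1, D2 and D3 all carry the identical label "STIX bundle", so the three branches out of C do not tell the reader what distinguishes them; either give each node a label naming what that branch produces, or collapse them into a single `D[STIX bundle]` node, in which case the `-->|send to| E(OpenCTI)` edge stays correct with one source.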
Contributor:

I think this is considered general documentation of the connector scheduler. I would replace it with a link to the dedicated page https://filigran.io/auto-backpressue-control-octi-connectors/#h-purpose-of-the-scheduler

from spycloud_connector.models.opencti import Author, Incident, TLPMarking


def mock_valid_author():
Contributor:

nitpicking ;)

Suggested change
def mock_valid_author():
def fake_valid_author():

return Author(name="Valid Author", identity_class="organization")


def mock_valid_markings():
Contributor:

nitpicking ;)

Suggested change
def mock_valid_markings():
def fake_valid_markings():

)


def mock_valid_author():
Contributor:

Suggested change
def mock_valid_author():
def fake_valid_author():

return Author(name="Valid Author", identity_class="organization")


def mock_valid_markings():
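Review bot: `mock_valid_author()` and `mock_valid_markings()` are defined with the same bodies in two separate test modules (this hunk repeats the earlier `return Author(name="Valid Author", identity_class="organization")`); move them into a shared `conftest.py` as fixtures so the two copies cannot drift apart when the `Author` or marking models change.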
Contributor:

Suggested change
def mock_valid_markings():
def fake_valid_markings():

# When: we try to create a DomainName instance
# Then: a ValidationError should be raised
with pytest.raises(ValidationError) as err:
DomainName(**input_data_dict)
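Review bot: `err` is bound by `with pytest.raises(ValidationError) as err:` but nothing in the visible lines asserts on it; either assert on `err.value` (which field failed and why) so the test pins down the expected validation failure, or drop `as err`. If the call is switched to `model_validate`, note that pydantic's `model_validate` takes the object as a single positional argument (`DomainName.model_validate(input_data_dict)`); unpacking the dict with `**` sends its keys as keyword arguments, which is the constructor-call form again.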
Contributor:

nitpicking

Suggested change
DomainName(**input_data_dict)
DomainName.model_validate(**input_data_dict)

Usually a model called with its constructor should have all kwargs filled explicitly; when using deserialization or structures, you would rather use a dedicated factory.

data = mock_spycloud_client._request(method="GET", url=mock_request["url"])

# Then None should be returned
assert data is None
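Review bot: Returning `None` from `_request` on failure makes every caller responsible for a `None` check and hides which status code or exception produced it; consider raising a dedicated client exception instead (or at least asserting here that the failure was logged), so that an empty result cannot be mistaken for "no breach records". The test also reaches into the private `_request` method; exercising the same path through the public client method would keep it stable across refactors.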
Contributor:

URL does not seem to be parametrized here and could be removed

{
"url": f"{TEST_API_BASE_URL}/breach/catalog/:breach_catalog_id",
"status_code": 200,
"response_body": get_data_sample("breach_catalog_api_response.json"),
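Review bot: `:breach_catalog_id` in the `url` is a literal path placeholder inside an f-string, so this mock only matches if the client literally requests that string; use a sample id and build the URL with the same helper the client uses, otherwise a change in the real path format will not be caught by this test.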
Contributor:

⚠️ This fake data file is not available.

@Powlinett force-pushed the feature/2563-spycloud-observables branch from 0ae8871 to 484f99c on January 31, 2025 13:23
Successfully merging this pull request may close these issues.

[SpyCloud] Create the connector