[disarm-framework] Update connector to be "manager_supported" (#5211)

Co-authored-by: Thibaut Rouxel <98959405+throuxel@users.noreply.github.com>

Author: Powlinett

external-import/disarm-framework/README.md

@@ -1,7 +1,7 @@
 # OpenCTI DISARM Framework Connector
 
-| Status | Date | Comment |
-|--------|------|---------|
+| Status            | Date | Comment |
+| ----------------- | ---- | ------- |
 | Filigran Verified | -    | -       |
 
 The DISARM Framework connector imports the DISARM (Disinformation Analysis and Risk Management) framework into OpenCTI, providing a structured approach for describing and countering disinformation campaigns.
@@ -40,31 +40,10 @@ The framework provides a common language for describing disinformation tactics a
 
 ## Configuration variables
 
-There are a number of configuration options, which are set either in `docker-compose.yml` (for Docker) or in `config.yml` (for manual deployment).
+Find all the configuration variables available here: [Connector Configurations](./__metadata__/CONNECTOR_CONFIG_DOC.md)
 
-### OpenCTI environment variables
-
-| Parameter     | config.yml | Docker environment variable | Mandatory | Description                                          |
-|---------------|------------|-----------------------------|-----------|------------------------------------------------------|
-| OpenCTI URL   | url        | `OPENCTI_URL`               | Yes       | The URL of the OpenCTI platform.                     |
-| OpenCTI Token | token      | `OPENCTI_TOKEN`             | Yes       | The default admin token set in the OpenCTI platform. |
-
-### Base connector environment variables
-
-| Parameter            | config.yml           | Docker environment variable      | Default          | Mandatory | Description                                                              |
-|----------------------|----------------------|----------------------------------|------------------|-----------|--------------------------------------------------------------------------|
-| Connector ID         | id                   | `CONNECTOR_ID`                   |                  | Yes       | A unique `UUIDv4` identifier for this connector instance.                |
-| Connector Name       | name                 | `CONNECTOR_NAME`                 | DISARM Framework | No        | Name of the connector.                                                   |
-| Connector Scope      | scope                | `CONNECTOR_SCOPE`                | attack-pattern   | No        | The scope or type of data the connector is importing.                    |
-| Log Level            | log_level            | `CONNECTOR_LOG_LEVEL`            | info             | No        | Determines the verbosity of logs: `debug`, `info`, `warn`, or `error`.   |
-| Update Existing Data | update_existing_data | `CONNECTOR_UPDATE_EXISTING_DATA` | true             | No        | Whether to update existing data in OpenCTI.                              |
-
-### Connector extra parameters environment variables
-
-| Parameter     | config.yml               | Docker environment variable   | Default                                                                                                    | Mandatory | Description                                                    |
-|---------------|--------------------------|-------------------------------|------------------------------------------------------------------------------------------------------------|-----------|----------------------------------------------------------------|
-| Framework URL | disarm_framework.url     | `DISARM_FRAMEWORK_URL`        | https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json | Yes       | URL of the DISARM STIX bundle.                                 |
-| Interval      | disarm_framework.interval| `DISARM_FRAMEWORK_INTERVAL`   | 7                                                                                                          | Yes       | Polling interval in days.                                      |
+_The `opencti` and `connector` options in the `docker-compose.yml` and `config.yml` are the same as for any other connector.
+For more information regarding variables, please refer to [OpenCTI's documentation on connectors](https://docs.opencti.io/latest/deployment/connectors/)._
 
 ## Deployment
 
@@ -79,19 +58,19 @@ docker build -t opencti/connector-disarm-framework:latest .
 Configure the connector in `docker-compose.yml`:
 
 ```yaml
-  connector-disarm-framework:
-    image: opencti/connector-disarm-framework:latest
-    environment:
-      - OPENCTI_URL=http://localhost
-      - OPENCTI_TOKEN=ChangeMe
-      - CONNECTOR_ID=ChangeMe
-      - CONNECTOR_NAME=DISARM Framework
-      - CONNECTOR_SCOPE=attack-pattern
-      - CONNECTOR_LOG_LEVEL=info
-      - CONNECTOR_UPDATE_EXISTING_DATA=true
-      - DISARM_FRAMEWORK_URL=https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json
-      - DISARM_FRAMEWORK_INTERVAL=7
-    restart: always
+connector-disarm-framework:
+  image: opencti/connector-disarm-framework:latest
+  environment:
+    - OPENCTI_URL=http://localhost
+    - OPENCTI_TOKEN=ChangeMe
+    - CONNECTOR_ID=ChangeMe
+    - CONNECTOR_NAME=DISARM Framework
+    - CONNECTOR_SCOPE=attack-pattern
+    - CONNECTOR_LOG_LEVEL=info
+    - CONNECTOR_UPDATE_EXISTING_DATA=true
+    - DISARM_FRAMEWORK_URL=https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json
+    - DISARM_FRAMEWORK_INTERVAL=7
+  restart: always
 ```
 
 Start the connector:
@@ -151,22 +130,22 @@ graph LR
 
 ### Entity Mapping
 
-| DISARM Data        | OpenCTI Entity      | Description                                          |
-|--------------------|---------------------|------------------------------------------------------|
-| Technique          | Attack Pattern      | Disinformation techniques mapped as STIX Attack Patterns |
-| Tactic             | Kill Chain Phase    | Tactics mapped as kill chain phases with `kill_chain_name: disarm` |
-| Framework Metadata | Identity            | DISARM Foundation as author                          |
+| DISARM Data        | OpenCTI Entity   | Description                                                        |
+| ------------------ | ---------------- | ------------------------------------------------------------------ |
+| Technique          | Attack Pattern   | Disinformation techniques mapped as STIX Attack Patterns           |
+| Tactic             | Kill Chain Phase | Tactics mapped as kill chain phases with `kill_chain_name: disarm` |
+| Framework Metadata | Identity         | DISARM Foundation as author                                        |
 
 ### DISARM Framework Structure
 
 The DISARM framework is organized into phases (similar to MITRE ATT&CK tactics):
 
-| Phase   | Description                             |
-|---------|-----------------------------------------|
-| Plan    | Planning operations and objectives      |
-| Prepare | Preparing resources and capabilities    |
-| Execute | Executing the disinformation campaign   |
-| Assess  | Assessing impact and effectiveness      |
+| Phase   | Description                           |
+| ------- | ------------------------------------- |
+| Plan    | Planning operations and objectives    |
+| Prepare | Preparing resources and capabilities  |
+| Execute | Executing the disinformation campaign |
+| Assess  | Assessing impact and effectiveness    |
 
 ### Processing Details
 
@@ -192,6 +171,7 @@ CONNECTOR_LOG_LEVEL=debug
 ```
 
 Common issues:
+
 - **Network errors**: Verify access to GitHub/DISARM URL
 - **Bundle format**: Ensure the STIX bundle is valid JSON
 - **Kill chain conflicts**: Check for naming conflicts with other frameworks
@@ -206,17 +186,17 @@ Common issues:
 
 ### Use Cases
 
-| Use Case               | Description                                       |
-|------------------------|---------------------------------------------------|
-| Disinformation Analysis| Map observed disinformation to known techniques   |
-| Campaign Attribution   | Link campaigns to specific tactics/techniques     |
-| Defense Planning       | Develop countermeasures based on framework        |
-| Reporting              | Standardized language for threat reports          |
+| Use Case                | Description                                     |
+| ----------------------- | ----------------------------------------------- |
+| Disinformation Analysis | Map observed disinformation to known techniques |
+| Campaign Attribution    | Link campaigns to specific tactics/techniques   |
+| Defense Planning        | Develop countermeasures based on framework      |
+| Reporting               | Standardized language for threat reports        |
 
 ### Related Frameworks
 
-| Framework          | Focus                                |
-|--------------------|--------------------------------------|
-| MITRE ATT&CK       | Cyber attack techniques              |
-| MITRE ATT&CK ICS   | Industrial control systems           |
-| DISARM             | Disinformation and influence operations |
+| Framework        | Focus                                   |
+| ---------------- | --------------------------------------- |
+| MITRE ATT&CK     | Cyber attack techniques                 |
+| MITRE ATT&CK ICS | Industrial control systems              |
+| DISARM           | Disinformation and influence operations |

external-import/disarm-framework/__metadata__/CONNECTOR_CONFIG_DOC.md

@@ -0,0 +1,16 @@
+# Connector Configurations
+
+Below is an exhaustive enumeration of all configurable parameters available, each accompanied by detailed explanations of their purposes, default behaviors, and usage guidelines to help you understand and utilize them effectively.
+
+### Type: `object`
+
+| Property | Type | Required | Possible values | Default | Description |
+| -------- | ---- | -------- | --------------- | ------- | ----------- |
+| OPENCTI_URL | `string` | ✅ | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | The base URL of the OpenCTI instance. |
+| OPENCTI_TOKEN | `string` | ✅ | string |  | The API token to connect to OpenCTI. |
+| CONNECTOR_NAME | `string` |  | string | `"DisarmFramework"` | The name of the connector. |
+| CONNECTOR_SCOPE | `array` |  | string | `[]` | The scope of the connector. |
+| CONNECTOR_LOG_LEVEL | `string` |  | `debug` `info` `warn` `warning` `error` | `"error"` | The minimum level of logs to display. |
+| CONNECTOR_TYPE | `const` |  | `EXTERNAL_IMPORT` | `"EXTERNAL_IMPORT"` |  |
+| CONNECTOR_DURATION_PERIOD | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"P7D"` | The period of time to await between two runs of the connector. |
+| DISARM_FRAMEWORK_URL | `string` |  | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json"` | URL of the DISARM STIX bundle. |

external-import/disarm-framework/__metadata__/connector_config_schema.json

@@ -0,0 +1,67 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://www.filigran.io/connectors/disarm-framework_config.schema.json",
+  "type": "object",
+  "properties": {
+    "OPENCTI_URL": {
+      "description": "The base URL of the OpenCTI instance.",
+      "format": "uri",
+      "maxLength": 2083,
+      "minLength": 1,
+      "type": "string"
+    },
+    "OPENCTI_TOKEN": {
+      "description": "The API token to connect to OpenCTI.",
+      "type": "string"
+    },
+    "CONNECTOR_NAME": {
+      "default": "DisarmFramework",
+      "description": "The name of the connector.",
+      "type": "string"
+    },
+    "CONNECTOR_SCOPE": {
+      "default": [],
+      "description": "The scope of the connector.",
+      "items": {
+        "type": "string"
+      },
+      "type": "array"
+    },
+    "CONNECTOR_LOG_LEVEL": {
+      "default": "error",
+      "description": "The minimum level of logs to display.",
+      "enum": [
+        "debug",
+        "info",
+        "warn",
+        "warning",
+        "error"
+      ],
+      "type": "string"
+    },
+    "CONNECTOR_TYPE": {
+      "const": "EXTERNAL_IMPORT",
+      "default": "EXTERNAL_IMPORT",
+      "type": "string"
+    },
+    "CONNECTOR_DURATION_PERIOD": {
+      "default": "P7D",
+      "description": "The period of time to await between two runs of the connector.",
+      "format": "duration",
+      "type": "string"
+    },
+    "DISARM_FRAMEWORK_URL": {
+      "default": "https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json",
+      "description": "URL of the DISARM STIX bundle.",
+      "format": "uri",
+      "maxLength": 2083,
+      "minLength": 1,
+      "type": "string"
+    }
+  },
+  "required": [
+    "OPENCTI_URL",
+    "OPENCTI_TOKEN"
+  ],
+  "additionalProperties": true
+}

external-import/disarm-framework/__metadata__/connector_manifest.json

@@ -15,7 +15,7 @@
   "support_version": ">= 6.5.1",
   "subscription_link": "https://github.com/DISARMFoundation/DISARMframeworks",
   "source_code": "https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/disarm-framework",
-  "manager_supported": false,
+  "manager_supported": true,
   "container_version": "rolling",
   "container_image": "opencti/connector-disarm-framework",
   "container_type": "EXTERNAL_IMPORT"

external-import/disarm-framework/docker-compose.yml

@@ -11,5 +11,4 @@ services:
       - CONNECTOR_RUN_AND_TERMINATE=false
       - CONNECTOR_LOG_LEVEL=error
       - DISARM_FRAMEWORK_URL=https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json
-      - DISARM_FRAMEWORK_INTERVAL=7 # In days, must be strictly greater than 1
     restart: always

external-import/disarm-framework/entrypoint.sh

@@ -4,4 +4,4 @@
 cd /opt/opencti-connector-disarm-framework
 
 # Start the connector
-python3 disarm_framework.py
+python3 main.py

external-import/disarm-framework/src/config.yml.sample

@@ -3,7 +3,6 @@ opencti:
   token: 'ChangeMe'
 
 connector:
-  type: 'EXTERNAL_IMPORT'
   id: 'ChangeMe'
   name: 'DISARM Framework'
   scope: 'marking-definition,identity,attack-pattern,course-of-action,intrusion-set,campaign,malware,tool,report,narrative,event,channel'
@@ -12,4 +11,3 @@ connector:
 
 disarm_framework:
   url: 'https://raw.githubusercontent.com/DISARMFoundation/DISARMframeworks/main/generated_files/DISARM_STIX/DISARM.json'
-  interval: 7 # In days, must be strictly greater than 1

external-import/disarm-framework/src/connector/__init__.py

@@ -0,0 +1,7 @@
+from connector.connector import DisarmFramework
+from connector.settings import ConnectorSettings
+
+__all__ = [
+    "DisarmFramework",
+    "ConnectorSettings",
+]