Echo CTI connector (#5478)

Author: firatesatoglu

external-import/echocti/Dockerfile

@@ -0,0 +1,19 @@
+FROM python:3.12-alpine
+ENV CONNECTOR_TYPE=EXTERNAL_IMPORT
+
+COPY requirements.txt /opt/opencti-connector-echocti/
+
+RUN apk update && apk upgrade && \
+    apk --no-cache add git build-base libmagic libffi-dev && \
+    cd /opt/opencti-connector-echocti && \
+    pip install --no-cache-dir -r requirements.txt && \
+    apk del git build-base && \
+    rm -rf /var/cache/apk/*
+
+# Copy the connector
+COPY src /opt/opencti-connector-echocti
+
+# Expose and entrypoint
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

external-import/echocti/README.md

@@ -0,0 +1,96 @@
+# Echo CTI External Import Connector
+
+The OpenCTI Echo CTI connector can be used to import threat intelligence data (IOCs) from the Echo CTI platform.
+The connector fetches indicators such as IPs, URLs, hashes, and IP ranges from the Echo CTI API and imports them into OpenCTI.
+
+## Installation
+
+The OpenCTI Echo CTI connector is a standalone Python process that must have access
+to the OpenCTI platform and RabbitMQ. RabbitMQ credentials and connection parameters
+are provided by the API directly, as configured in the platform settings.
+
+Enabling this connector can be done by launching the Python process directly after
+providing the correct configuration in the `config.yml` file or within a Docker with
+the image `opencti/connector-echocti:latest`. We provide an example of
+[`docker-compose.yml`](docker-compose.yml) file that can be used independently or
+integrated into the global `docker-compose.yml` file of OpenCTI.
+
+If you are using it independently, remember that the connector will try to connect to
+the RabbitMQ on the port configured in the OpenCTI platform.
+
+### Configuration variables
+
+Below are the parameters you'll need to set for OpenCTI:
+
+| Parameter `OpenCTI` | config.yml | Docker environment variable | Mandatory | Description                                          |
+|---------------------|------------|-----------------------------|-----------|------------------------------------------------------|
+| URL                 | url        | `OPENCTI_URL`               | Yes       | The URL of the OpenCTI platform.                     |
+| Token               | token      | `OPENCTI_TOKEN`             | Yes       | The default admin token set in the OpenCTI platform. |
+
+Below are the parameters you'll need to set for running the connector properly:
+
+| Parameter `Connector` | config.yml          | Docker environment variable   | Default     | Mandatory | Description                                                                                      |
+|-----------------------|---------------------|-------------------------------|-------------|-----------|--------------------------------------------------------------------------------------------------|
+| ID                    | `id`                | `CONNECTOR_ID`                | /           | Yes       | A unique `UUIDv4` identifier for this connector instance.                                        |
+| Name                  | `name`              | `CONNECTOR_NAME`              | `Echo CTI`  | Yes       | Full name of the connector: `Echo CTI`.                                                          |
+| Scope                 | `scope`             | `CONNECTOR_SCOPE`             | `echocti`   | Yes       | Must be `echocti`, not used in this connector.                                                   |
+| Run and Terminate     | `run_and_terminate` | `CONNECTOR_RUN_AND_TERMINATE` | `False`     | No        | Launch the connector once if set to True. Takes 2 available values: `True` or `False`.           |
+| Duration Period       | `duration_period`   | `CONNECTOR_DURATION_PERIOD`   | /           | Yes       | Determines the time interval between each launch of the connector in ISO 8601, ex: `PT1H`.       |
+| Queue Threshold       | `queue_threshold`   | `CONNECTOR_QUEUE_THRESHOLD`   | `500`       | No        | Used to determine the limit (RabbitMQ) in MB at which the connector must go into buffering mode. |
+| Log Level             | `log_level`         | `CONNECTOR_LOG_LEVEL`         | /           | Yes       | Determines the verbosity of the logs. Options are `debug`, `info`, `warn`, or `error`.           |
+
+Below are the parameters you'll need to set for Echo CTI connector:
+
+| Parameter `Echo CTI`       | config.yml           | Docker environment variable    | Default                                  | Mandatory | Description                                                                                |
+|----------------------------|----------------------|--------------------------------|------------------------------------------|-----------|--------------------------------------------------------------------------------------------|
+| API URL                    | `api_url`            | `ECHOCTI_API_URL`              | `https://api.echocti.com/ioc2/feeds`     | No        | The Echo CTI API endpoint URL.                                                             |
+| Client ID                  | `client_id`          | `ECHOCTI_CLIENT_ID`            | `ChangeMe`                               | Yes       | Your Echo CTI client ID.                                                                   |
+| Client Secret              | `client_secret`      | `ECHOCTI_CLIENT_SECRET`        | `ChangeMe`                               | Yes       | Your Echo CTI client secret.                                                               |
+| Verify SSL                 | `verify_ssl`         | `ECHOCTI_VERIFY_SSL`           | `true`                                   | No        | Whether to verify SSL certificates.                                                        |
+| Type                       | `type`               | `ECHOCTI_TYPE`                 | `all`                                    | No        | IOC type filter: `ip`, `url`, `hash`, `ip-range`, `all` (comma-separated for multiple).   |
+| State                      | `state`              | `ECHOCTI_STATE`                | `active`                                 | No        | IOC state filter: `active`, `removed`, `false-positive`, `white-listed`, `all`.           |
+| Time Since Created         | `time_since_created` | `ECHOCTI_TIME_SINCE_CREATED`   | /                                        | No        | Time filter for creation: `1h`, `1d`, `7d`, `30d`, `1y`.                                  |
+| Time Since Updated         | `time_since_updated` | `ECHOCTI_TIME_SINCE_UPDATED`   | /                                        | No        | Time filter for last update: `1h`, `1d`, `7d`, `30d`, `1y`.                               |
+| Max Count                  | `max_count`          | `ECHOCTI_MAX_COUNT`            | `0`                                      | No        | Maximum number of IOCs to fetch (0 = all).                                                 |
+| Vendor                     | `vendor`             | `ECHOCTI_VENDOR`               | /                                        | No        | Optional vendor filter.                                                                    |
+| Tag                        | `tag`                | `ECHOCTI_TAG`                  | /                                        | No        | Optional tag filter.                                                                       |
+| Default Confidence         | `default_confidence` | `ECHOCTI_DEFAULT_CONFIDENCE`   | `50`                                     | No        | Default confidence score for indicators (0-100).                                           |
+
+## Deployment
+
+### Docker Deployment
+
+Build and run the connector using Docker:
+
+```bash
+docker build -t opencti/connector-echocti:latest .
+docker compose up -d
+```
+
+### Manual Deployment
+
+1. Install dependencies:
+```bash
+pip install -r requirements.txt
+```
+
+2. Copy and configure the sample configuration:
+```bash
+cp src/config.yml.sample src/config.yml
+# Edit src/config.yml with your settings
+```
+
+3. Run the connector:
+```bash
+cd src
+python -m echocti
+```
+
+## Behavior
+
+The connector will:
+1. Connect to the Echo CTI API using the provided credentials
+2. Fetch IOCs based on the configured filters (type, state, time range, etc.)
+3. Convert the IOCs to STIX 2.1 format
+4. Send the STIX bundle to OpenCTI
+5. Wait for the configured duration period before the next run

external-import/echocti/__metadata__/connector_manifest.json

@@ -0,0 +1,22 @@
+{
+    "title": "Echo CTI",
+    "slug": "echocti",
+    "description": "The Echo CTI connector imports threat intelligence data (IOCs) from the Echo CTI platform into OpenCTI. It fetches indicators such as IP addresses, URLs, file hashes, and IP ranges from the Echo CTI API and converts them to STIX 2.1 format for seamless integration with OpenCTI.",
+    "short_description": "Import IOCs (IP, URL, Hash, IP-Range) from Echo CTI threat intelligence platform into OpenCTI.",
+    "logo": "external-import/echocti/__metadata__/logo.png",
+    "use_cases": [
+        "Threat Intelligence",
+        "IOC Enrichment"
+    ],
+    "verified": false,
+    "last_verified_date": null,
+    "playbook_supported": false,
+    "max_confidence_level": 50,
+    "support_version": ">=6.0.0",
+    "subscription_link": null,
+    "source_code": "https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/echocti",
+    "manager_supported": false,
+    "container_version": "rolling",
+    "container_image": "opencti/connector-echocti",
+    "container_type": "EXTERNAL_IMPORT"
+}

external-import/echocti/__metadata__/logo.png

@@ -0,0 +1 @@
+Subproject commit 3db20082703762c4733f172170b0e09174a29297

external-import/echocti/connectors

@@ -0,0 +1,25 @@
+version: '3'
+services:
+  connector-echocti:
+    image: opencti/connector-echocti:latest
+    environment:
+      - OPENCTI_URL=http://opencti:8080
+      - OPENCTI_TOKEN=ChangeMe
+      - CONNECTOR_ID=ChangeMe
+      - CONNECTOR_NAME=Echo CTI
+      - CONNECTOR_SCOPE=echocti
+      - CONNECTOR_LOG_LEVEL=error
+      - CONNECTOR_DURATION_PERIOD=PT1H # In ISO8601 Format starting with "P" for Period ex: "PT1H" = Period time of 1 hour
+      - ECHOCTI_API_URL=https://api.echocti.com/ioc2/feeds
+      - ECHOCTI_CLIENT_ID=ChangeMe
+      - ECHOCTI_CLIENT_SECRET=ChangeMe
+      - ECHOCTI_VERIFY_SSL=true
+      - ECHOCTI_TYPE=all                    # IOC type: ip, url, hash, ip-range, all
+      - ECHOCTI_STATE=active                # IOC state: active, removed, false-positive, white-listed, all
+      - ECHOCTI_TIME_SINCE_CREATED=         # Time filter: 1h, 1d, 7d, 30d, 1y
+      - ECHOCTI_TIME_SINCE_UPDATED=         # Time filter: 1h, 1d, 7d, 30d, 1y
+      - ECHOCTI_MAX_COUNT=0                 # Maximum IOC count (0 = all)
+      - ECHOCTI_VENDOR=                     # Vendor filter (optional)
+      - ECHOCTI_TAG=                        # Tag filter (optional)
+      - ECHOCTI_DEFAULT_CONFIDENCE=50       # Default confidence score (0-100)
+    restart: always

external-import/echocti/docker-compose.yml

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Correct working directory
+cd /opt/opencti-connector-echocti
+
+# Start the connector
+python -m echocti

external-import/echocti/entrypoint.sh

@@ -0,0 +1,6 @@
+pycti==6.9.4
+pydantic>=2.8.2,<3.0.0
+requests>=2.31.0
+pyyaml>=6.0
+stix2>=3.0.1
+python-dateutil>=2.8.2

external-import/echocti/requirements.txt

@@ -0,0 +1,25 @@
+opencti:
+  url: 'http://localhost:8080'
+  token: 'ChangeMe'
+
+connector:
+  id: 'ChangeMe'
+  type: 'EXTERNAL_IMPORT'
+  name: 'Echo CTI'
+  scope: 'echocti'
+  log_level: 'info'
+  duration_period: 'PT1H' # ISO8601 Format starting with "P" for Period ex: "PT1H" // Period time of 1 hour
+
+echocti:
+  api_url: 'https://api.echocti.com/ioc2/feeds'
+  client_id: 'ChangeMe'
+  client_secret: 'ChangeMe'
+  verify_ssl: true
+  type: 'all'                    # IOC type: ip, url, hash, ip-range, all (comma-separated for multiple)
+  state: 'active'                # IOC state: active, removed, false-positive, white-listed, all
+  time_since_created: null       # Time filter: 1h, 1d, 7d, 30d, 1y
+  time_since_updated: null       # Time filter: 1h, 1d, 7d, 30d, 1y
+  max_count: 0                   # Maximum IOC count (0 = all)
+  vendor: null                   # Vendor filter (optional)
+  tag: null                      # Tag filter (optional)
+  default_confidence: 50         # Default confidence score (0-100)

external-import/echocti/src/config.yml.sample

@@ -0,0 +1,5 @@
+"""OpenCTI EchoCTI connector module."""
+
+from echocti.core import EchoCTI
+
+__all__ = ["EchoCTI"]