Skip to content

[threat-actor-enrichment] Add connector to fix stale last_seen on threat actor groups#6044

Open
MrStarkEG wants to merge 5 commits intoOpenCTI-Platform:masterfrom
MrStarkEG:feature/threat-actor-enrichment
Open

[threat-actor-enrichment] Add connector to fix stale last_seen on threat actor groups#6044
MrStarkEG wants to merge 5 commits intoOpenCTI-Platform:masterfrom
MrStarkEG:feature/threat-actor-enrichment

Conversation

@MrStarkEG
Copy link
Contributor

@MrStarkEG MrStarkEG commented Mar 23, 2026
edited
Loading

Proposed changes

  • Add new external-import connector that periodically computes the real last_seen date for threat actor groups from related indicators and reports
  • Reads Elasticsearch via aggregations for performance, writes back through the OpenCTI GraphQL API (fieldPatch) for proper cache/stream/audit handling
  • Traverses threat actor → malware (rel_uses) → indicators (rel_indicates) and reports (rel_object) to find the most recent activity date
  • Only updates forward (never moves last_seen backward), skips entities that are already current

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

OpenCTI treats last_seen on threat actors as a static STIX property that only updates when the entity itself is re-imported with a newer value. New indicators and reports linked to a threat actor's malware don't propagate their dates back to the actor, so active groups can show last_seen months or years behind their actual activity.

This connector runs on a configurable interval (default 24h), scans all threat-actor-group entities, and updates any stale last_seen values. It uses Elasticsearch direct queries for fast bulk reads (aggregations across indicators/reports) and the OpenCTI GraphQL API for writes, following the established pattern where external components use the API layer for mutations.

Tested against OpenCTI 7.260318.0 with Elasticsearch 8.19.9. The connector:

  • Correctly registers as EXTERNAL_IMPORT with OpenCTIConnectorHelper
  • Updates stale last_seen from indicators (valid_from) and reports (published)
  • Is idempotent (second run skips all already-current entities)
  • Supports run_and_terminate mode
  • Manages state via helper.get_state()/set_state()

@MrStarkEG
[threat-actor-enrichment] Add connector to fix stale last_seen on thr…
f846454 
…eat actor groups

Adds a new external-import connector that periodically computes the real
last_seen date for threat actor groups from related indicators and reports.

Reads Elasticsearch via aggregations for performance, writes back through
the OpenCTI GraphQL API (fieldPatch) for proper cache/stream/audit handling.

Traverses threat actor -> malware (rel_uses) -> indicators (rel_indicates)
and reports (rel_object) to find the most recent activity date. Only updates
forward (never moves last_seen backward), skips entities already current.

Addresses: OpenCTI-Platform/opencti#9385
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@MrStarkEG MrStarkEG

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Automatically update last seen

2 participants

@MrStarkEG @ncarenton