feat(logrhythm-incidents): add external-import connector for LogRhythm cases (#6728)

external-import/logrhythm-incidents/.dockerignore

@@ -0,0 +1,10 @@
+__metadata__
+**/__pycache__
+**/__docs__
+**/.venv
+**/venv
+**/logs
+**/config.yml
+**/*.egg-info
+**/*.gql
+tests

external-import/logrhythm-incidents/Dockerfile

@@ -0,0 +1,19 @@
+FROM python:3.12-alpine
+ENV CONNECTOR_TYPE=EXTERNAL_IMPORT
+
+# Copy the connector
+COPY src /opt/opencti-connector-logrhythm-incidents
+
+# Install Python modules
+# hadolint ignore=DL3003
+RUN apk update && apk upgrade && \
+    apk --no-cache add git build-base libmagic libffi-dev libxml2-dev libxslt-dev
+
+RUN cd /opt/opencti-connector-logrhythm-incidents && \
+    pip3 install --no-cache-dir -r requirements.txt && \
+    apk del git build-base
+
+# Expose and entrypoint
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

external-import/logrhythm-incidents/README.md

@@ -0,0 +1,113 @@
+# OpenCTI LogRhythm Incidents Connector
+
+The LogRhythm Incidents connector is an **external-import** connector that pulls
+cases and their alarm evidence from LogRhythm SIEM into OpenCTI. It is the import
+side of a bidirectional integration: pair it with the existing `stream/logrhythm`
+connector (which feeds LogRhythm lists from OpenCTI) to send IOCs out and bring
+cases in.
+
+LogRhythm exposes two distinct concepts that map to two STIX entities:
+
+- **Alarms** (detections/alerts) attached to a case are modeled as STIX
+  **Incidents**.
+- The **case** itself (a case-management artifact) is modeled as a STIX
+  **Case-Incident** that references the alarm Incidents it groups through its
+  `object_refs`.
+
+Table of Contents
+
+- [OpenCTI LogRhythm Incidents Connector](#opencti-logrhythm-incidents-connector)
+  - [Introduction](#introduction)
+  - [Requirements](#requirements)
+  - [Configuration variables](#configuration-variables)
+    - [OpenCTI environment variables](#opencti-environment-variables)
+    - [Base connector environment variables](#base-connector-environment-variables)
+    - [Connector extra parameters environment variables](#connector-extra-parameters-environment-variables)
+  - [Deployment](#deployment)
+    - [Docker Deployment](#docker-deployment)
+    - [Manual Deployment](#manual-deployment)
+  - [Behavior](#behavior)
+
+## Introduction
+
+LogRhythm is a SIEM platform. This connector periodically queries the LogRhythm
+Case API for cases and their alarm evidence, then imports them into OpenCTI as STIX
+2.1 Case-Incidents (the cases) and Incidents (the alarms), attributed to a LogRhythm
+author identity and marked with a configurable TLP. The LogRhythm case priority
+(1-5) is mapped to the Case-Incident severity, and the alarm risk score (0-100) to
+the Incident severity.
+
+## Requirements
+
+- OpenCTI Platform >= 7.260609.0
+- A reachable LogRhythm API gateway (Case API enabled)
+- A LogRhythm API token (Bearer)
+
+## Configuration variables
+
+Configuration parameters can be provided in either `config.yml` (see
+`config.yml.sample`), `docker-compose.yml` (environment variables) or directly as
+environment variables.
+
+### OpenCTI environment variables
+
+| Parameter     | config.yml | Docker environment variable | Mandatory | Description                                          |
+| ------------- | ---------- | --------------------------- | --------- | ---------------------------------------------------- |
+| OpenCTI URL   | `url`      | `OPENCTI_URL`               | Yes       | The URL of the OpenCTI platform.                     |
+| OpenCTI Token | `token`    | `OPENCTI_TOKEN`             | Yes       | The default admin token set in the OpenCTI platform. |
+
+### Base connector environment variables
+
+| Parameter       | config.yml        | Docker environment variable  | Default               | Mandatory | Description                                          |
+| --------------- | ----------------- | ---------------------------- | --------------------- | --------- | --------------------------------------------------- |
+| Connector ID    | `id`              | `CONNECTOR_ID`               | /                     | Yes       | A unique `UUIDv4` identifier for this connector.     |
+| Connector Name  | `name`            | `CONNECTOR_NAME`             | `LogRhythm Incidents` | No        | Name of the connector.                              |
+| Connector Scope | `scope`           | `CONNECTOR_SCOPE`            | /                     | Yes       | The scope of the connector.                         |
+| Log Level       | `log_level`       | `CONNECTOR_LOG_LEVEL`        | `error`               | No        | Logs verbosity (`debug`, `info`, `warn`, `error`).  |
+| Duration Period | `duration_period` | `CONNECTOR_DURATION_PERIOD`  | `PT15M`               | No        | ISO-8601 period between two runs.                   |
+
+### Connector extra parameters environment variables
+
+| Parameter    | config.yml     | Docker environment variable          | Default | Mandatory | Description                                       |
+| ------------ | -------------- | ------------------------------------ | ------- | --------- | ------------------------------------------------- |
+| API base URL | `api_base_url` | `LOGRHYTHM_INCIDENTS_API_BASE_URL`   | /       | Yes       | Base URL of the LogRhythm API gateway.           |
+| API token    | `api_token`    | `LOGRHYTHM_INCIDENTS_API_TOKEN`      | /       | Yes       | LogRhythm API token (Bearer).                    |
+| Max cases    | `max_cases`    | `LOGRHYTHM_INCIDENTS_MAX_CASES`      | `200`   | No        | Maximum number of cases to fetch per run.        |
+| TLP level    | `tlp_level`    | `LOGRHYTHM_INCIDENTS_TLP_LEVEL`      | `amber` | No        | TLP marking applied to imported incidents.       |
+| SSL verify   | `ssl_verify`   | `LOGRHYTHM_INCIDENTS_SSL_VERIFY`     | `true`  | No        | Whether to verify the SSL certificate.           |
+
+## Deployment
+
+### Docker Deployment
+
+Build a Docker image using the provided `Dockerfile`:
+
+```shell
+docker build . -t opencti/connector-logrhythm-incidents:rolling
+```
+
+Make sure to replace the environment variables in `docker-compose.yml` with the
+appropriate configurations, then start the connector:
+
+```shell
+docker compose up -d
+```
+
+### Manual Deployment
+
+Create a `config.yml` file from `config.yml.sample` and fill in the values, then:
+
+```shell
+cd src
+pip install -r requirements.txt
+python main.py
+```
+
+## Behavior
+
+On each run the connector fetches cases from the LogRhythm Case API (capped at
+`max_cases`). For every case it also fetches the attached alarm evidence, converts
+each alarm to a STIX Incident, and converts the case to a STIX Case-Incident that
+references those Incidents through its `object_refs`. The resulting bundle is sent
+to OpenCTI, which deduplicates both entity types by their deterministic id across
+runs.

external-import/logrhythm-incidents/__metadata__/CONNECTOR_CONFIG_DOC.md

@@ -0,0 +1,20 @@
+# Connector Configurations
+
+Below is an exhaustive enumeration of all configurable parameters available, each accompanied by detailed explanations of their purposes, default behaviors, and usage guidelines to help you understand and utilize them effectively.
+
+### Type: `object`
+
+| Property | Type | Required | Possible values | Default | Description |
+| -------- | ---- | -------- | --------------- | ------- | ----------- |
+| OPENCTI_URL | `string` | ✅ | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | The base URL of the OpenCTI instance. |
+| OPENCTI_TOKEN | `string` | ✅ | string |  | The API token to connect to OpenCTI. |
+| CONNECTOR_SCOPE | `array` | ✅ | string |  | The scope of the connector, e.g. 'flashpoint'. |
+| LOGRHYTHM_INCIDENTS_API_BASE_URL | `string` | ✅ | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | Base URL of the LogRhythm API gateway (e.g. https://logrhythm.example.com:8501). |
+| LOGRHYTHM_INCIDENTS_API_TOKEN | `string` | ✅ | Format: [`password`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | LogRhythm API token (Bearer) used for authentication. |
+| CONNECTOR_NAME | `string` |  | string | `"LogRhythm Incidents"` | The name of the connector. |
+| CONNECTOR_LOG_LEVEL | `string` |  | `debug` `info` `warn` `warning` `error` | `"error"` | The minimum level of logs to display. |
+| CONNECTOR_TYPE | `const` |  | `EXTERNAL_IMPORT` | `"EXTERNAL_IMPORT"` |  |
+| CONNECTOR_DURATION_PERIOD | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"PT15M"` | The period of time to await between two runs of the connector. |
+| LOGRHYTHM_INCIDENTS_MAX_CASES | `integer` |  | `1 <= x ` | `200` | Maximum number of LogRhythm cases to fetch per run. |
+| LOGRHYTHM_INCIDENTS_TLP_LEVEL | `string` |  | `clear` `white` `green` `amber` `amber+strict` `red` | `"amber"` | TLP marking applied to the imported incidents. |
+| LOGRHYTHM_INCIDENTS_SSL_VERIFY | `boolean` |  | boolean | `true` | Whether to verify the SSL certificate of the LogRhythm API gateway. |

external-import/logrhythm-incidents/__metadata__/connector_config_schema.json

@@ -0,0 +1,98 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://www.filigran.io/connectors/logrhythm-incidents_config.schema.json",
+  "type": "object",
+  "properties": {
+    "OPENCTI_URL": {
+      "description": "The base URL of the OpenCTI instance.",
+      "format": "uri",
+      "maxLength": 2083,
+      "minLength": 1,
+      "type": "string"
+    },
+    "OPENCTI_TOKEN": {
+      "description": "The API token to connect to OpenCTI.",
+      "type": "string"
+    },
+    "CONNECTOR_NAME": {
+      "default": "LogRhythm Incidents",
+      "description": "The name of the connector.",
+      "type": "string"
+    },
+    "CONNECTOR_SCOPE": {
+      "description": "The scope of the connector, e.g. 'flashpoint'.",
+      "items": {
+        "type": "string"
+      },
+      "type": "array"
+    },
+    "CONNECTOR_LOG_LEVEL": {
+      "default": "error",
+      "description": "The minimum level of logs to display.",
+      "enum": [
+        "debug",
+        "info",
+        "warn",
+        "warning",
+        "error"
+      ],
+      "type": "string"
+    },
+    "CONNECTOR_TYPE": {
+      "const": "EXTERNAL_IMPORT",
+      "default": "EXTERNAL_IMPORT",
+      "type": "string"
+    },
+    "CONNECTOR_DURATION_PERIOD": {
+      "default": "PT15M",
+      "description": "The period of time to await between two runs of the connector.",
+      "format": "duration",
+      "type": "string"
+    },
+    "LOGRHYTHM_INCIDENTS_API_BASE_URL": {
+      "description": "Base URL of the LogRhythm API gateway (e.g. https://logrhythm.example.com:8501).",
+      "format": "uri",
+      "maxLength": 2083,
+      "minLength": 1,
+      "type": "string"
+    },
+    "LOGRHYTHM_INCIDENTS_API_TOKEN": {
+      "description": "LogRhythm API token (Bearer) used for authentication.",
+      "format": "password",
+      "type": "string",
+      "writeOnly": true
+    },
+    "LOGRHYTHM_INCIDENTS_MAX_CASES": {
+      "default": 200,
+      "description": "Maximum number of LogRhythm cases to fetch per run.",
+      "minimum": 1,
+      "type": "integer"
+    },
+    "LOGRHYTHM_INCIDENTS_TLP_LEVEL": {
+      "default": "amber",
+      "description": "TLP marking applied to the imported incidents.",
+      "enum": [
+        "clear",
+        "white",
+        "green",
+        "amber",
+        "amber+strict",
+        "red"
+      ],
+      "type": "string"
+    },
+    "LOGRHYTHM_INCIDENTS_SSL_VERIFY": {
+      "default": true,
+      "description": "Whether to verify the SSL certificate of the LogRhythm API gateway.",
+      "type": "boolean"
+    }
+  },
+  "required": [
+    "OPENCTI_URL",
+    "OPENCTI_TOKEN",
+    "CONNECTOR_SCOPE",
+    "LOGRHYTHM_INCIDENTS_API_BASE_URL",
+    "LOGRHYTHM_INCIDENTS_API_TOKEN"
+  ],
+  "additionalProperties": true
+}

external-import/logrhythm-incidents/__metadata__/connector_manifest.json

@@ -0,0 +1,21 @@
+{
+  "title": "LogRhythm Incidents",
+  "slug": "logrhythm-incidents",
+  "description": "The OpenCTI LogRhythm Incidents connector imports cases and their alarm evidence from LogRhythm SIEM into OpenCTI. It periodically pulls cases through the LogRhythm Case API, converts each attached alarm (a detection) to a STIX 2.1 Incident, and converts the case (a case-management artifact) to a STIX 2.1 Case-Incident that references those Incidents through its object_refs. Paired with the existing LogRhythm stream connector (which feeds LogRhythm lists from OpenCTI), it provides the import side of a bidirectional integration.",
+  "short_description": "Import LogRhythm cases (Case-Incidents) and their alarms (Incidents) into OpenCTI (bidirectional import side).",
+  "logo": null,
+  "use_cases": [
+    "SIEM & Analytics"
+  ],
+  "verified": false,
+  "last_verified_date": null,
+  "playbook_supported": false,
+  "max_confidence_level": 50,
+  "support_version": ">=7.260609.0",
+  "subscription_link": "https://logrhythm.com",
+  "source_code": "https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/logrhythm-incidents",
+  "manager_supported": true,
+  "container_version": "rolling",
+  "container_image": "opencti/connector-logrhythm-incidents",
+  "container_type": "EXTERNAL_IMPORT"
+}

external-import/logrhythm-incidents/docker-compose.yml

@@ -0,0 +1,21 @@
+version: '3'
+services:
+  connector-logrhythm-incidents:
+    image: opencti/connector-logrhythm-incidents:rolling
+    environment:
+      # Generic parameters (connection with OpenCTI)
+      - OPENCTI_URL=http://localhost
+      - OPENCTI_TOKEN=ChangeMe
+      # Common parameters for connectors of type EXTERNAL_IMPORT
+      - CONNECTOR_ID=ChangeMe
+      - CONNECTOR_NAME=LogRhythm Incidents # optional (default: 'LogRhythm Incidents')
+      - CONNECTOR_SCOPE=logrhythm # required
+      - CONNECTOR_LOG_LEVEL=error # optional (default: 'error')
+      - CONNECTOR_DURATION_PERIOD=PT15M # optional (default: 'PT15M')
+      # LogRhythm parameters
+      - LOGRHYTHM_INCIDENTS_API_BASE_URL=ChangeMe # e.g. https://logrhythm.example.com:8501
+      - LOGRHYTHM_INCIDENTS_API_TOKEN=ChangeMe
+      - LOGRHYTHM_INCIDENTS_MAX_CASES=200 # optional (default: 200)
+      - LOGRHYTHM_INCIDENTS_TLP_LEVEL=amber # optional (default: 'amber')
+      - LOGRHYTHM_INCIDENTS_SSL_VERIFY=true # optional (default: true)
+    restart: always

external-import/logrhythm-incidents/entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Go to the right directory
+cd /opt/opencti-connector-logrhythm-incidents
+
+# Launch the worker
+python3 main.py

external-import/logrhythm-incidents/src/config.yml.sample

@@ -0,0 +1,18 @@
+opencti:
+  url: 'http://localhost'
+  token: 'ChangeMe'
+
+connector:
+  id: 'ChangeMe'
+  type: 'EXTERNAL_IMPORT'
+  name: 'LogRhythm Incidents' # optional (default: 'LogRhythm Incidents')
+  scope: 'logrhythm' # required
+  log_level: 'error' # optional (default: 'error')
+  duration_period: 'PT15M' # optional (default: 'PT15M')
+
+logrhythm_incidents:
+  api_base_url: 'ChangeMe' # Base URL of the LogRhythm API gateway, e.g. https://logrhythm.example.com:8501
+  api_token: 'ChangeMe' # LogRhythm API token (Bearer)
+  max_cases: 200 # optional (default: 200)
+  tlp_level: 'amber' # optional, one of clear/white/green/amber/amber+strict/red (default: 'amber')
+  ssl_verify: true # optional (default: true)

external-import/logrhythm-incidents/src/connector/__init__.py

@@ -0,0 +1,7 @@
+from connector.connector import LogRhythmIncidentsConnector
+from connector.settings import ConnectorSettings
+
+__all__ = [
+    "LogRhythmIncidentsConnector",
+    "ConnectorSettings",
+]