feat(trellix-tie): create stream connector to push file reputations via OpenDXL (#6741) #6742
SamuelHassine wants to merge 3 commits into
…ia OpenDXL (#6741) Add a stream connector that pushes OpenCTI file-hash indicators to Trellix TIE as enterprise file reputations over the OpenDXL fabric - the standard McAfee/Trellix integration mechanism (Trellix EDR has no outbound IOC REST API). On each indicator create/update with a STIX file-hash pattern, it sets the TIE reputation (configurable trust level) for the MD5/SHA-1/SHA-256 hashes via `dxltieclient.TieClient.set_file_reputation`. Authentication uses an ePO-provisioned `dxlclient.config` file; the DXL connection is established lazily. Includes client + connector unit tests (OpenDXL mocked), generated config schema/doc, README, manifest, config sample and docker-compose.
Codecov Report
❌ Patch coverage is

Additional details and impacted files

```
@@            Coverage Diff             @@
##           master    #6742      +/-   ##
===========================================
- Coverage   32.30%    0.32%   -31.98%
===========================================
  Files        1985     1899       -86
  Lines      122106   119622     -2484
===========================================
- Hits        39441      389    -39052
- Misses      82665   119233    +36568
```
Pull request overview
Adds a new stream connector (stream/trellix-tie) that listens to the OpenCTI live stream and, on indicator create/update events containing STIX file-hash patterns, pushes enterprise file reputations to Trellix TIE over OpenDXL.
Changes:
- Introduces a small OpenDXL/TIE client (`TrellixTieClient`) plus STIX pattern hash extraction.
- Implements the stream connector logic and Pydantic-based settings via `connectors-sdk`.
- Adds unit tests and ships deployment/metadata assets (Dockerfile, compose, config sample, generated schema/docs, manifest, README).
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| stream/trellix-tie/src/trellix_tie_client/api_client.py | OpenDXL/TIE client wrapper + STIX hash extraction + error wrapping. |
| stream/trellix-tie/src/trellix_tie_client/__init__.py | Exposes client/error/extractor as package API. |
| stream/trellix-tie/src/connector/settings.py | Connector settings models (stream config + Trellix-specific config). |
| stream/trellix-tie/src/connector/connector.py | Stream message handling and publishing reputations to TIE. |
| stream/trellix-tie/src/connector/__init__.py | Connector package exports. |
| stream/trellix-tie/src/main.py | Entrypoint wiring settings → helper → connector. |
| stream/trellix-tie/src/requirements.txt | Connector runtime dependencies (pycti, connectors-sdk, OpenDXL libs). |
| stream/trellix-tie/tests/conftest.py | Pytest fixtures/mocking for OpenCTI helper instantiation. |
| stream/trellix-tie/tests/test_main.py | Smoke tests for settings/helper/connector instantiation. |
| stream/trellix-tie/tests/test-requirements.txt | Test dependencies (incl. main requirements + pytest). |
| stream/trellix-tie/tests/tests_trellix_tie_client/test_api_client.py | Unit tests for hash extraction and OpenDXL client behavior (mocked). |
| stream/trellix-tie/tests/tests_connector/test_connector.py | Unit tests for connector message processing behavior. |
| stream/trellix-tie/tests/tests_connector/test_settings.py | Unit tests for settings validation. |
| stream/trellix-tie/Dockerfile | Container build for the connector. |
| stream/trellix-tie/entrypoint.sh | Container entrypoint launching main.py. |
| stream/trellix-tie/docker-compose.yml | Example deployment configuration via environment variables. |
| stream/trellix-tie/config.yml.sample | Example YAML config for manual deployment. |
| stream/trellix-tie/README.md | Connector documentation (purpose, config, deployment, behavior). |
| stream/trellix-tie/metadata/connector_manifest.json | Connector catalog manifest entry. |
| stream/trellix-tie/metadata/connector_config_schema.json | Generated config JSON schema. |
| stream/trellix-tie/metadata/CONNECTOR_CONFIG_DOC.md | Generated config documentation from schema. |
Address the Copilot review on the new Trellix TIE stream connector and keep it installable against current master:
- `connector.py`: validate the live stream id at the start of `run()` so a placeholder/blank id fails fast at startup instead of only when the first event arrives; `check_stream_id` now rejects the placeholder case-insensitively and rejects empty/whitespace-only values.
- `connector.py`: `process_message` catches only the expected parse errors (`json.JSONDecodeError` / `KeyError` / `TypeError`) and chains via `raise ... from err` (no longer swallowing the root cause behind a generic `ValueError`); the per-event logs pass structured context via the `meta=` keyword.
- `README.md`: fixed the TOC anchor, aligned the minimum OpenCTI version with the manifest (6.8.12), corrected the `CONNECTOR_TYPE` default (`STREAM`), rewrote the Usage section for a stream connector, and fixed the logger example typo.
- `config.yml.sample` / `docker-compose.yml`: mark `CONNECTOR_SCOPE` as required (the connectors-sdk base config has no default for scope).
- `src/requirements.txt`: bump the pinned `pycti` to `7.260615.0` to match the current `connectors-sdk` (`support_version` stays `>=6.8.12`).
Review-and-fix pass summary
Independent senior re-review of the full
Code/test fixes (commit 061a9a5):
One reviewer suggestion not applied verbatim: a thread asked to add
CI fix (de-stale):
Verification:
Remaining (non-CI) blocker:
Proposed changes
New stream connector that pushes OpenCTI file-hash indicators to Trellix Threat Intelligence Exchange (TIE) as enterprise file reputations, over the OpenDXL fabric.
On each indicator create/update carrying a STIX file-hash pattern, the connector:
`KNOWN_MALICIOUS`) via the OpenDXL TIE client (`dxltieclient.TieClient.set_file_reputation`), attaching the indicator name and a configurable comment.
This is the standard way threat intelligence platforms integrate with the McAfee/Trellix ecosystem: Trellix EDR exposes no outbound IOC REST API, so reputations are published to TIE over OpenDXL. Authentication uses an ePO-provisioned `dxlclient.config` (broker list + client certificate) referenced by path; the DXL connection is established lazily and reused.
Related issues
Closes #6741
Types of changes
Checklist
`black`, `isort`) and linting (`flake8`, STIX id pylint) pass
`__metadata__` config schema and documentation
`README.md`, `config.yml.sample`, `docker-compose.yml` and `connector_manifest.json`
Further comments
File/cert hashes only (MD5/SHA-1/SHA-256) - TIE reputations do not cover domains/URLs/IPs. Requires a DXL broker and an ePO-provisioned client certificate (standard OpenDXL provisioning). Delete events are ignored (reputations are not removed); resetting to `NOT_SET` is out of scope for the first version.
Maintainer review and fix pass
An independent senior review hardened the connector and addressed the automated review threads:
- `connector.py`: the live stream id is now validated at the start of `run()` so a placeholder/blank `CONNECTOR_LIVE_STREAM_ID` fails fast at startup instead of only when the first event arrives; `check_stream_id` rejects the placeholder case-insensitively (catching the compose default `CHANGEME`) and rejects empty/whitespace-only values.
- `connector.py`: `process_message` no longer swallows the root cause behind a broad `except Exception` - it catches only the expected parse errors (`json.JSONDecodeError`/`KeyError`/`TypeError`) and chains via `raise ... from err`; the per-event logs pass structured context via the `meta=` keyword.
- `README.md`: fixed the TOC anchor, aligned the minimum OpenCTI version with the manifest (6.8.12), corrected the `CONNECTOR_TYPE` default (`STREAM`), rewrote the Usage section for a stream connector, and fixed the logger example typo.
- `config.yml.sample`/`docker-compose.yml`: marked `CONNECTOR_SCOPE` as required (the connectors-sdk base config has no default for `scope`).
- `check_stream_id`/`run()` (parametrized placeholder/blank cases plus a fail-fast-at-startup assertion).
- `pycti` to `7.260615.0` to match the current `connectors-sdk`, and merged current `master` to de-stale so the local `connectors-sdk` used by `run_test.sh` pins the same `pycti` and the test environment resolves consistently.
Status
All GitHub Actions checks are green (tests on both event runs, lint/format, STIX ID linter, signed-commits) and there are 0 unresolved review threads; `codecov/patch`/`codecov/project` were green on the prior commit and reconcile asynchronously (the change keeps coverage intact and adds tests). `mergeStateStatus` is BLOCKED only because `reviewDecision` is `REVIEW_REQUIRED` - the PR needs one approving review from a maintainer other than me (as the author I cannot self-approve). The branch carries a de-stale merge commit, so it should be squash-merged.
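The behaviour described in the PR description and the maintainer's fix pass (STIX file-hash extraction for MD5/SHA-1/SHA-256, case-insensitive placeholder and blank rejection of the live stream id, catching only the expected parse errors and chaining the cause, then one `set_file_reputation` call per indicator) as an added Python example. This is illustrative code written for this page, not the connector's own source: the function names, the `FakeTieClient` stand-in, the `KNOWN_MALICIOUS` constant value and the sample event are assumptions; the real connector calls `dxltieclient.TieClient.set_file_reputation`, whose exact signature should be checked against the installed library.

```python
"""Added example: STIX hash extraction, stream-id validation and parse-error
handling in the style the Trellix TIE PR describes. Names are assumptions."""
import json
import re

# Placeholder shipped in docker-compose samples; rejected case-insensitively.
PLACEHOLDER_STREAM_ID = "changeme"

# Assumed numeric value of dxltieclient's TrustLevel.KNOWN_MALICIOUS.
KNOWN_MALICIOUS = 1

# STIX hash algorithm name -> (TIE hash-type key, expected hex length)
HASH_ALGORITHMS = {
    "MD5": ("md5", 32),
    "SHA-1": ("sha1", 40),
    "SHA-256": ("sha256", 64),
}

# Matches comparisons such as file:hashes.'SHA-256' = '...' or file:hashes.MD5 = '...'
_HASH_RE = re.compile(
    r"file:hashes\.'?(?P<algo>MD5|SHA-1|SHA-256)'?\s*=\s*'(?P<value>[0-9A-Fa-f]+)'"
)


def check_stream_id(stream_id):
    """Fail fast on a blank or placeholder live stream id; return the trimmed id."""
    if stream_id is None or not stream_id.strip():
        raise ValueError("CONNECTOR_LIVE_STREAM_ID must not be empty")
    if stream_id.strip().lower() == PLACEHOLDER_STREAM_ID:
        raise ValueError("CONNECTOR_LIVE_STREAM_ID still has its placeholder value")
    return stream_id.strip()


def extract_file_hashes(pattern):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for the hashes in a STIX pattern.
    Values whose length does not fit their algorithm are dropped."""
    hashes = {}
    for m in _HASH_RE.finditer(pattern):
        key, length = HASH_ALGORITHMS[m.group("algo")]
        value = m.group("value").lower()
        if len(value) == length:
            hashes[key] = value
    return hashes


class FakeTieClient:
    """Records calls; mirrors the assumed shape of
    TieClient.set_file_reputation(trust_level, hashes, filename, comment)."""

    def __init__(self):
        self.calls = []

    def set_file_reputation(self, trust_level, hashes, filename="", comment=""):
        self.calls.append({"trust_level": trust_level, "hashes": hashes,
                           "filename": filename, "comment": comment})


def process_message(raw_event, tie, trust_level=KNOWN_MALICIOUS,
                    comment="Pushed from OpenCTI"):
    """Handle one live-stream event and return the number of hashes pushed.
    Only the expected parse errors are caught, and the root cause is chained."""
    try:
        event = json.loads(raw_event)
        if event["type"] not in ("create", "update"):
            return 0  # delete events are ignored: reputations are not removed
        data = event["data"]
        if data["type"] != "indicator":
            return 0
        pattern = data["pattern"]
        name = data.get("name", "")
    except (json.JSONDecodeError, KeyError, TypeError) as err:
        raise ValueError("unsupported or malformed stream event") from err
    hashes = extract_file_hashes(pattern)
    if not hashes:
        return 0  # not a file-hash indicator (domain/URL/IP): nothing to push
    tie.set_file_reputation(trust_level, hashes, filename=name, comment=comment)
    return len(hashes)


# Constructed sample event (not a real OpenCTI stream record); the hash values
# are the well-known digests of the empty input.
SAMPLE_EVENT = json.dumps({
    "type": "create",
    "data": {
        "type": "indicator",
        "name": "Constructed sample indicator",
        "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' OR "
                   "file:hashes.'SHA-256' = "
                   "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
    },
})

if __name__ == "__main__":
    check_stream_id("live-stream-id-from-opencti")
    client = FakeTieClient()
    print(process_message(SAMPLE_EVENT, client), client.calls)
```

Running the module pushes both hashes from the constructed event through the fake client and prints the recorded call; feeding it a non-JSON payload raises a `ValueError` whose `__cause__` is the original `json.JSONDecodeError`, which is the chaining the fix pass asks for.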