
fix(taxii-post): skip identity object when delete_created_by_ref is enabled (#6762)#6763

Open
MohammadYusif wants to merge 1 commit into
OpenCTI-Platform:masterfrom
MohammadYusif:fix/issue-6762
Open

Conversation

@MohammadYusif


Proposed changes

  • When delete_created_by_ref is enabled, the taxii-post stream connector stripped created_by_ref from every object but still posted the author identity object (which arrives as its own stream event), so the attribution the user asked to remove still reached the TAXII server.
  • Extracted the per-object transformation in stream/taxii-post/src/taxii_post_connector/connector.py into a new _prepare_object method. It returns None for identity objects while delete_created_by_ref is enabled, so _process_message skips posting them. All other objects keep the exact same transformation (marking refs / created_by_ref stripping, STIX version downgrade) and behaviour.

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

The identity object referenced by created_by_ref is exactly the author attribution that delete_created_by_ref is meant to remove, so dropping identity objects under that flag is consistent with the configuration's intent. The skip is gated on delete_created_by_ref being enabled, so default behaviour for users who keep attribution is unchanged.

Added three unit tests in tests/test_connector.py covering _prepare_object: identity skipped when the flag is on, identity kept when the flag is off, and non-identity objects still posted with created_by_ref stripped. The full suite (26 tests) passes; black, isort --profile black, and flake8 --ignore=E,W are clean.

…nabled (OpenCTI-Platform#6762)

When delete_created_by_ref is enabled, the connector strips created_by_ref
from every object but still posted the author identity, which arrives as its
own stream event. As a result the attribution the user asked to remove still
reached the TAXII server.

Extract the per-object transformation into _prepare_object, which now returns
None for identity objects while delete_created_by_ref is enabled so they are
not posted. All other objects are unchanged.
Copilot AI review requested due to automatic review settings June 17, 2026 12:33
@filigran-cla-bot filigran-cla-bot Bot added the cla:pending CLA signature required. label Jun 17, 2026
@filigran-cla-bot


Contributor License Agreement

Hey @MohammadYusif!

Thank you for your contribution to Filigran! Before we can merge this pull request, we need you to sign our Contributor License Agreement (CLA).

Why do we need a CLA?

The CLA helps protect both you and Filigran. It ensures that:

  • You have the right to make this contribution
  • Filigran can use and distribute your contribution
  • Your contribution remains open source

How to sign

You can sign the CLA using either of these methods:

  1. 🔗 Sign directly: Click here to review and sign the CLA
  2. 📧 Via email — Check your inbox (and spam folder) for a signing invitation from Concord

Once signed, this comment will be automatically updated.


CLA not signed yet

This is an automated message from the Filigran CLA Bot. If you have questions, please contact the maintainers.

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR refactors STIX object transformation logic into a dedicated helper and adds unit tests to validate identity handling when delete_created_by_ref is enabled.

Changes:

  • Extracted object transformation logic from _process_message into a new _prepare_object method.
  • Added behavior to skip posting identity objects when delete_created_by_ref is enabled.
  • Added unit tests and a small factory helper to build a connector with real config + mocked helper.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
stream/taxii-post/src/taxii_post_connector/connector.py Introduces _prepare_object and switches _process_message to use it, including identity-skipping behavior.
stream/taxii-post/tests/test_connector.py Adds tests for _prepare_object behavior and a helper to construct the connector with configuration overrides.

Comment on lines +75 to +76
if self.config.stix_version != "2.1":
del data_object["extensions"]
Comment on lines +64 to +67
data_object = data
if self.config.delete_created_by_ref and data_object.get("type") == "identity":
return None
data_object["spec_version"] = self.config.stix_version
Comment on lines +112 to +116
self.helper.log_info(
"Skipping identity object "
+ data["id"]
+ " (delete_created_by_ref is enabled)"
)
@Filigran-Automation Filigran-Automation added the community Contribution from the community. label Jun 17, 2026
@maximus-debski

maximus-debski commented Jun 17, 2026

Contributor

@MohammadYusif

Whilst your proposed solution would work for the specific case of skipping the identity objects attached to created_by_refs, I'm wary that skipping ALL identity objects might be an issue, especially since this parameter is enabled by default.

@MohammadYusif

Author

You're right, thanks for catching this. identity in OpenCTI isn't only the author org — it also covers victims, targeted sectors, individuals, etc., which are legitimate parts of the knowledge graph a user would want forwarded. And since delete_created_by_ref defaults to true, the current patch would silently stop every default deployment from sending any identity, not just the author. That's a regression I didn't account for.

The underlying difficulty is that there's no reliable per-event way to distinguish an author identity from an intel identity: the connector sees one STIX object at a time, stream order isn't guaranteed, and there's no STIX flag (nor a usable identity_class distinction, since victims are organizations too) that marks an identity as somebody's created_by_ref.

Given that, I'd suggest decoupling the skip from delete_created_by_ref and putting it behind its own option that defaults to false — e.g. delete_authors. The broad behaviour then only happens when a user explicitly opts in, and the default path keeps forwarding all identities exactly as today. It doesn't try to guess author-vs-intel (which I don't think can be done safely per-event), it just makes the trade-off explicit.

Does that direction work, or would you rather drop the identity-skipping entirely and handle author suppression another way? Happy to rework the PR either way.
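As an added illustration (not the connector's own code and not part of this PR), here is a standalone version of the per-object transformation with the identity skip moved behind a separate opt-in flag, as proposed above; the Config class and the delete_authors and delete_object_marking_refs option names are assumptions, not the connector's actual configuration keys.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional


@dataclass
class Config:
    """Assumed stand-in for the connector's configuration object."""
    stix_version: str = "2.1"
    delete_created_by_ref: bool = True        # enabled by default per the thread
    delete_object_marking_refs: bool = False  # assumed option name
    delete_authors: bool = False              # proposed opt-in, off by default


def prepare_object(config: Config, data: dict) -> Optional[dict]:
    """Return the object to post, or None when it must be skipped.

    The identity skip is gated on delete_authors only: identities are also
    victims, sectors and individuals, so delete_created_by_ref alone must not
    drop them. With the defaults, every identity is still forwarded.
    """
    obj = deepcopy(data)  # do not mutate the stream event in place
    if config.delete_authors and obj.get("type") == "identity":
        return None
    if config.delete_created_by_ref:
        obj.pop("created_by_ref", None)
    if config.delete_object_marking_refs:
        obj.pop("object_marking_refs", None)
    obj["spec_version"] = config.stix_version
    if config.stix_version != "2.1":
        # pop with a default so an object without "extensions" does not KeyError
        obj.pop("extensions", None)
    return obj


# Constructed sample events, not taken from any real stream.
AUTHOR = {"type": "identity", "id": "identity--author", "identity_class": "organization",
          "name": "Some Org", "created_by_ref": "identity--author"}
INDICATOR = {"type": "indicator", "id": "indicator--1", "created_by_ref": "identity--author",
             "extensions": {"extension-definition--x": {"extension_type": "property-extension"}}}
```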

Labels

cla:pending CLA signature required. community Contribution from the community.

Development

Successfully merging this pull request may close these issues.

fix(taxii-post): Posts Identity Object even when TAXII_DELETE_CREATED_BY_REF enabled