[sublime] update to be manager supported

Author: throuxel

external-import/sublime/README.md

@@ -28,38 +28,13 @@ Example details added to an event incident:
 
 ## Installation
 
-### Configuration
-
-Use the provided Docker Compose example to configure the connector inside your existing OpenCTI deployment.
-Add the environment variables below to your OpenCTI `docker-compose.yml` under the connector service.
-
-Required environment variables in `docker-compose.yml`:
-
-```yaml
-    environment:
-      - OPENCTI_URL=http://opencti:8080
-      - OPENCTI_TOKEN=ChangeMe
-
-      - CONNECTOR_ID=ChangeMe
-      - CONNECTOR_NAME=Sublime Security Incidents
-      - CONNECTOR_SCOPE=sublime
-      - CONNECTOR_LOG_LEVEL=info
-      - CONNECTOR_DURATION_PERIOD=PT3M  # ISO 8601 duration (PT10M = 10 minutes)
-
-      - SUBLIME_URL=https://platform.sublime.security
-      - SUBLIME_TOKEN=ChangeMe
-      - SUBLIME_INCIDENT_TYPE=phishing  # STIX incident type
-      - SUBLIME_INCIDENT_PREFIX=Sublime Incident - 
-      - SUBLIME_CASE_PREFIX=Sublime - 
-      - SUBLIME_AUTO_CREATE_CASES=false  # Automatically create cases for incidents
-      - SUBLIME_VERDICTS=malicious  # Multiple verdicts can be comma-separated: malicious,suspicious
-      - SUBLIME_SET_PRIORITY=true  # Enable priority mapping from attack score verdict
-      - SUBLIME_SET_SEVERITY=false  # Enable severity mapping from attack score verdict
-      - SUBLIME_CONFIDENCE_LEVEL=80 # 0-100 confidence score
-      - SUBLIME_FIRST_RUN_DURATION=PT8H  # Duration for initial data fetch in ISO 8601 format (P14D = 14 days, PT1H = 1 hour)
-      - SUBLIME_FORCE_HISTORICAL=false  # Force historical fetch by overriding existing state
-      - SUBLIME_BATCH_SIZE=100   # Number of message groups to process per batch (default: 100)
-```
+## Configuration
+
+Find all the configuration variables available here: [Connector Configurations](./__metadata__/CONNECTOR_CONFIG_DOC.md)
+
+_The `opencti` and `connector` options in the `docker-compose.yml` and `config.yml` are the same as for any other connector.
+For more information regarding variables, please refer to [OpenCTI's documentation on connectors](https://docs.opencti.io/latest/deployment/connectors/)._
+
 
 ### Deployment
 
@@ -80,36 +55,6 @@ Monitor connector logs:
 docker compose logs -f connector-sublime
 ```
 
-## Configuration Reference
-
-### Required Variables
-
-| Variable | Description |
-|----------|-------------|
-| `OPENCTI_URL` | OpenCTI platform URL |
-| `OPENCTI_TOKEN` | OpenCTI API authentication token |
-| `CONNECTOR_ID` | Unique identifier for this connector instance |
-| `CONNECTOR_NAME` | Display name for the connector (`Sublime Security Incidents`) |
-| `CONNECTOR_SCOPE` | Connector scope identifier |
-| `SUBLIME_URL` | Sublime platform URL for API connections |
-| `SUBLIME_TOKEN` | Sublime Security API authentication token |
-
-### Optional Variables
-
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `CONNECTOR_DURATION_PERIOD` | `PT3M` | Polling interval (ISO 8601 duration format) |
-| `SUBLIME_INCIDENT_TYPE` | `phishing` | Label to apply to incident type |
-| `SUBLIME_INCIDENT_PREFIX` | `Sublime Incident - ` | Prefix for incident object names |
-| `SUBLIME_CASE_PREFIX` | `Case - ` | Prefix for case object names |
-| `SUBLIME_AUTO_CREATE_CASES` | `false` | Automatically create investigation cases |
-| `SUBLIME_VERDICTS` | `malicious` | Comma-separated attack score verdicts to process |
-| `SUBLIME_FIRST_RUN_DURATION` | `PT8H` | ISO 8601 duration for initial data fetch on first run |
-| `SUBLIME_FORCE_HISTORICAL` | `false` | Force historical fetch ignoring existing state for correcting improper states |
-| `SUBLIME_SET_PRIORITY` | `true` | Enable priority mapping from attack score |
-| `SUBLIME_SET_SEVERITY` | `true` | Enable severity mapping from attack score |
-| `SUBLIME_BATCH_SIZE` | `100` | Number of messages per processing batch |
-
 ## API Token Configuration
 
 ### Sublime Security API Token

external-import/sublime/__metadata__/CONNECTOR_CONFIG_DOC.md

@@ -0,0 +1,28 @@
+# Connector Configurations
+
+Below is an exhaustive enumeration of all configurable parameters available, each accompanied by detailed explanations of their purposes, default behaviors, and usage guidelines to help you understand and utilize them effectively.
+
+### Type: `object`
+
+| Property | Type | Required | Possible values | Default | Description |
+| -------- | ---- | -------- | --------------- | ------- | ----------- |
+| OPENCTI_URL | `string` | ✅ | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | The base URL of the OpenCTI instance. |
+| OPENCTI_TOKEN | `string` | ✅ | string |  | The API token to connect to OpenCTI. |
+| SUBLIME_TOKEN | `string` | ✅ | Format: [`password`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | Sublime Security API authentication token. |
+| CONNECTOR_NAME | `string` |  | string | `"Sublime Security"` | The name of the connector. |
+| CONNECTOR_SCOPE | `array` |  | string | `["sublime"]` | The scope or type of data the connector is importing, either a MIME type or Stix Object (for information only). |
+| CONNECTOR_LOG_LEVEL | `string` |  | `debug` `info` `warn` `warning` `error` | `"error"` | The minimum level of logs to display. |
+| CONNECTOR_TYPE | `const` |  | `EXTERNAL_IMPORT` | `"EXTERNAL_IMPORT"` |  |
+| CONNECTOR_DURATION_PERIOD | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"PT3M"` | The period of time to await between two runs of the connector. |
+| SUBLIME_URL | `string` |  | Format: [`uri`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"https://platform.sublime.security"` | Sublime platform URL for API connections. |
+| SUBLIME_INCIDENT_TYPE | `string` |  | string | `"phishing"` | Label to apply to incident type. |
+| SUBLIME_INCIDENT_PREFIX | `string` |  | string | `"Sublime Incident - "` | Prefix for incident object names. |
+| SUBLIME_CASE_PREFIX | `string` |  | string | `"Case - "` | Prefix for case object names. |
+| SUBLIME_AUTO_CREATE_CASES | `boolean` |  | boolean | `false` | Automatically create investigation cases. |
+| SUBLIME_VERDICTS | `array` |  | string | `["malicious"]` | Comma-separated attack score verdicts to process. |
+| SUBLIME_SET_PRIORITY | `boolean` |  | boolean | `true` | Enable priority mapping from attack score. |
+| SUBLIME_SET_SEVERITY | `boolean` |  | boolean | `true` | Enable severity mapping from attack score. |
+| SUBLIME_FIRST_RUN_DURATION | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | `"PT8H"` | ISO 8601 duration for initial data fetch on first run. |
+| SUBLIME_FORCE_HISTORICAL | `boolean` |  | boolean | `false` | Force historical fetch ignoring existing state for correcting improper states. |
+| SUBLIME_BATCH_SIZE | `integer` |  | integer | `100` | Number of messages per processing batch. |
+| SUBLIME_TLP_LEVEL | `string` |  | `clear` `white` `green` `amber` `amber+strict` `red` | `"amber"` | TLP marking level applied to created STIX entities. |

external-import/sublime/__metadata__/connector_config_schema.json

@@ -0,0 +1,145 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://www.filigran.io/connectors/sublime_config.schema.json",
+  "type": "object",
+  "properties": {
+    "OPENCTI_URL": {
+      "description": "The base URL of the OpenCTI instance.",
+      "format": "uri",
+      "maxLength": 2083,
+      "minLength": 1,
+      "type": "string"
+    },
+    "OPENCTI_TOKEN": {
+      "description": "The API token to connect to OpenCTI.",
+      "type": "string"
+    },
+    "CONNECTOR_NAME": {
+      "default": "Sublime Security",
+      "description": "The name of the connector.",
+      "type": "string"
+    },
+    "CONNECTOR_SCOPE": {
+      "default": [
+        "sublime"
+      ],
+      "description": "The scope or type of data the connector is importing, either a MIME type or Stix Object (for information only).",
+      "items": {
+        "type": "string"
+      },
+      "type": "array"
+    },
+    "CONNECTOR_LOG_LEVEL": {
+      "default": "error",
+      "description": "The minimum level of logs to display.",
+      "enum": [
+        "debug",
+        "info",
+        "warn",
+        "warning",
+        "error"
+      ],
+      "type": "string"
+    },
+    "CONNECTOR_TYPE": {
+      "const": "EXTERNAL_IMPORT",
+      "default": "EXTERNAL_IMPORT",
+      "type": "string"
+    },
+    "CONNECTOR_DURATION_PERIOD": {
+      "default": "PT3M",
+      "description": "The period of time to await between two runs of the connector.",
+      "format": "duration",
+      "type": "string"
+    },
+    "SUBLIME_URL": {
+      "default": "https://platform.sublime.security",
+      "description": "Sublime platform URL for API connections.",
+      "format": "uri",
+      "maxLength": 2083,
+      "minLength": 1,
+      "type": "string"
+    },
+    "SUBLIME_TOKEN": {
+      "description": "Sublime Security API authentication token.",
+      "format": "password",
+      "type": "string",
+      "writeOnly": true
+    },
+    "SUBLIME_INCIDENT_TYPE": {
+      "default": "phishing",
+      "description": "Label to apply to incident type.",
+      "type": "string"
+    },
+    "SUBLIME_INCIDENT_PREFIX": {
+      "default": "Sublime Incident - ",
+      "description": "Prefix for incident object names.",
+      "type": "string"
+    },
+    "SUBLIME_CASE_PREFIX": {
+      "default": "Case - ",
+      "description": "Prefix for case object names.",
+      "type": "string"
+    },
+    "SUBLIME_AUTO_CREATE_CASES": {
+      "default": false,
+      "description": "Automatically create investigation cases.",
+      "type": "boolean"
+    },
+    "SUBLIME_VERDICTS": {
+      "default": [
+        "malicious"
+      ],
+      "description": "Comma-separated attack score verdicts to process.",
+      "items": {
+        "type": "string"
+      },
+      "type": "array"
+    },
+    "SUBLIME_SET_PRIORITY": {
+      "default": true,
+      "description": "Enable priority mapping from attack score.",
+      "type": "boolean"
+    },
+    "SUBLIME_SET_SEVERITY": {
+      "default": true,
+      "description": "Enable severity mapping from attack score.",
+      "type": "boolean"
+    },
+    "SUBLIME_FIRST_RUN_DURATION": {
+      "default": "PT8H",
+      "description": "ISO 8601 duration for initial data fetch on first run.",
+      "format": "duration",
+      "type": "string"
+    },
+    "SUBLIME_FORCE_HISTORICAL": {
+      "default": false,
+      "description": "Force historical fetch ignoring existing state for correcting improper states.",
+      "type": "boolean"
+    },
+    "SUBLIME_BATCH_SIZE": {
+      "default": 100,
+      "description": "Number of messages per processing batch.",
+      "type": "integer"
+    },
+    "SUBLIME_TLP_LEVEL": {
+      "description": "TLP marking level applied to created STIX entities.",
+      "enum": [
+        "clear",
+        "white",
+        "green",
+        "amber",
+        "amber+strict",
+        "red"
+      ],
+      "type": "string",
+      "default": "amber"
+    }
+  },
+  "required": [
+    "OPENCTI_URL",
+    "OPENCTI_TOKEN",
+    "SUBLIME_TOKEN"
+  ],
+  "additionalProperties": true
+}

external-import/sublime/__metadata__/connector_manifest.json

@@ -15,7 +15,7 @@
   "support_version": ">=6.8.12",
   "subscription_link": "https://sublime.security/",
   "source_code": "https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/sublime",
-  "manager_supported": false,
+  "manager_supported": true,
   "container_version": "rolling",
   "container_image": "opencti/connector-sublime",
   "container_type": "EXTERNAL_IMPORT"

…nal-import/sublime/src/config.yml.sample external-import/sublime/config.yml.sampleexternal-import/sublime/src/config.yml.sample renamed to external-import/sublime/config.yml.sample external-import/sublime/src/config.yml.sample renamed to external-import/sublime/config.yml.sample

@@ -9,9 +9,7 @@ opencti:
 
 # Connector Configuration
 connector:
-  # type: 'EXTERNAL_IMPORT'
-  # Must match CONNECTOR_ID in docker-compose.yml if you use both
-  id: "ChangeMe"                  # Required
+  # id: "d5003f91-27b0-4b4e-995d-a4b9a8a970a4"
   # name: "Sublime Security Incidents"
   # scope: "sublime"
   # log_level: "error"
@@ -35,4 +33,5 @@ sublime:
 
   # first_run_duration: "PT8H"    # Duration for initial data fetch in ISO 8601 format
   # force_historical: false       # Force historical fetch by overriding existing state
-  # batch_size: 100               # Number of message groups to process per batch (default: 100)
+  # batch_size: 100               # Number of message groups to process per batch (default: 100)
+  # tlp_level: "amber"

external-import/sublime/docker-compose.yml

@@ -5,7 +5,7 @@ services:
     environment:
       - OPENCTI_URL=http://localhost
       - OPENCTI_TOKEN=ChangeMe
-      - CONNECTOR_ID=ChangeMe
+      # - CONNECTOR_ID=d5003f91-27b0-4b4e-995d-a4b9a8a970a4
       # - CONNECTOR_NAME=Sublime Security
       # - CONNECTOR_SCOPE=sublime
       # - CONNECTOR_LOG_LEVEL=error
@@ -22,4 +22,5 @@ services:
       # - SUBLIME_FIRST_RUN_DURATION=PT8H
       # - SUBLIME_FORCE_HISTORICAL=false
       # - SUBLIME_BATCH_SIZE=100
+      # - SUBLIME_TLP_LEVEL=amber
     restart: always

external-import/sublime/src/connector/sublime_connector.py

@@ -1151,6 +1151,7 @@ def _process_message_batch(self, messages, work_id):
                         stix_objects_bundle,
                         work_id=work_id,
                         update=True,
+                        cleanup_inconsistent_bundle=True,
                     )
                     self.helper.connector_logger.debug(
                         "[Sublime Connector] Bundle sent successfully for incident",