Use case
The GTI connector currently performs a large number of GTI API calls when resolving relationships for modified entities (e.g., threat_actor, malware, campaign). This creates quota pressure.
Current behavior
For each modified entity:
- Fetch entity details
- Fetch relationship IDs using:
/collections/{entity_id}/relationships/{entity_type}
- For each returned object_id, perform an additional API call to fetch the full object definition
This multiplies the requests and consumes a huge number of queries.
Proposed Solution
Update the relationship resolution flow to use an endpoint returning full related object payloads (not only IDs), e.g.: /collections/{entity_id}/{entity_type}
This should allow building entities and relationships without making one extra call per related object.
Expected outcome
- Significant reduction of GTI API calls per processed entity
- Lower quota consumption
- Same functional output in OpenCTI (same entities and relationships modeled)
Use case
The GTI connector currently performs a large number of GTI API calls when resolving relationships for modified entities (e.g., threat_actor, malware, campaign). This creates quota pressure.
Current behavior
For each modified entity:
/collections/{entity_id}/relationships/{entity_type}This multiplies the requests and consumes a huge number of queries.
Proposed Solution
Update the relationship resolution flow to use an endpoint returning full related object payloads (not only IDs), e.g.:
/collections/{entity_id}/{entity_type}This should allow building entities and relationships without making one extra call per related object.
Expected outcome