
[ransomwarelive] feat(connector): enrich groups with aliases, leak si…#6300

Open

Lyra-Fox wants to merge 3 commits into OpenCTI-Platform:master from Lyra-Fox:feat/ransomwarelive-group-enrichment


Conversation


@Lyra-Fox Lyra-Fox commented Apr 26, 2026

Proposed changes

  • Add group altname as aliases on IntrusionSet and ThreatActor
  • Add the ransomware.live group profile URL as an external reference on IntrusionSet and ThreatActor
  • Add the ransomware.live report URL as an external reference on victim Reports
  • Ingest leak site FQDNs as DomainName observables linked to the IntrusionSet via related-to
  • Create uses relationships from IntrusionSet to ATT&CK AttackPattern objects for each group TTP
  • Add CONNECTOR_CREATE_LEAK_SITE_DOMAINS to toggle ingestion of leak site domains and related URLs from group location entries in the ransomware.live profile
  • Add CONNECTOR_CREATE_LEAK_POST_REFS to toggle inclusion of the direct link to the leak post on victim Reports
  • Deduplicate external references within a group entry, and skip re-enriching a group already processed in the same run
  • Add a 30s timeout on the API client to prevent indefinite hangs

Related issues

Closes: #6299

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

The two new toggles (CONNECTOR_CREATE_LEAK_SITE_DOMAINS and CONNECTOR_CREATE_LEAK_POST_REFS) both default to true. However, these toggles were included since ingesting this directly might be undesirable in some environments/locales.

On reconsideration I have flipped the default for the new toggles to false in order to preserve backwards compatibility and to make it easier to comply with differing local regulations around handling links to leaked data.


TTP correlation resolves against AttackPattern objects already present in OpenCTI (e.g. via the MITRE connector) and silently skips any TTP that has no match.

The bulk of the added lines (~620) is due to unit tests, which were previously missing from this connector but are mandated by the contributing guidelines.
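
The enrichment described above, as an added Python example that is not the connector's code and not part of the PR: it builds the IntrusionSet with deduplicated aliases and external references, ingests leak-site FQDNs as DomainName observables linked via related-to only when the leak-site toggle is on, creates uses relationships only for TTPs that resolve to an AttackPattern already present (silently skipping the rest), skips a group already processed in the same run, and adds the leak-post link to a victim Report only when that toggle is on. Both toggles default to false as the PR's final state describes. The ransomware.live field names (altname, profile_url, locations, slug, ttps, report_url, post_url), the UUID namespace for deterministic IDs and the observable-to-intrusion-set direction of related-to are assumptions; the 30s API timeout is not shown. The sample profile and victim are constructed.

```python
"""Added example (not the connector's code): group and victim-report enrichment
in the shape the PR describes. Field names and the ID namespace are assumptions."""
import uuid

ID_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")  # assumed namespace


def stix_id(kind, key):
    """Deterministic STIX-style identifier so re-runs update rather than duplicate."""
    return f"{kind}--{uuid.uuid5(ID_NAMESPACE, key)}"


# Constructed sample profile (field names assumed). altname repeats an alias and
# the second location repeats the first so the in-group deduplication is exercised.
SAMPLE_GROUP = {
    "name": "examplegroup",
    "altname": ["examplegrp", "EXAMPLE Group", "examplegrp"],
    "profile_url": "https://www.ransomware.live/group/examplegroup",
    "locations": [
        {"fqdn": "exampleleak.onion", "slug": "http://exampleleak.onion/"},
        {"fqdn": "exampleleak.onion", "slug": "http://exampleleak.onion/"},
    ],
    "ttps": ["T1486", "T1490", "T9999"],  # T9999 has no AttackPattern in OpenCTI
}
# Constructed: ATT&CK techniques already ingested (e.g. by the MITRE connector).
KNOWN_ATTACK_PATTERNS = {t: stix_id("attack-pattern", t) for t in ("T1486", "T1490")}
# Constructed victim entry (field names assumed).
SAMPLE_VICTIM = {"victim": "Example Corp",
                 "report_url": "https://www.ransomware.live/victims/example-corp",
                 "post_url": "http://exampleleak.onion/posts/example-corp"}


def dedupe_refs(refs):
    """Keep the first external reference per URL."""
    seen, out = set(), []
    for ref in refs:
        if ref["url"] not in seen:
            seen.add(ref["url"])
            out.append(ref)
    return out


def relationship(kind, source_ref, target_ref):
    return {"type": "relationship", "relationship_type": kind,
            "id": stix_id("relationship", f"{kind}|{source_ref}|{target_ref}"),
            "source_ref": source_ref, "target_ref": target_ref}


def enrich_group(profile, attack_patterns, create_leak_site_domains=False, seen_groups=None):
    """Build the IntrusionSet and its related objects. Returns None when the group
    was already enriched in this run (pass one seen_groups set for the whole run)."""
    if seen_groups is not None:
        if profile["name"] in seen_groups:
            return None
        seen_groups.add(profile["name"])
    iset_id = stix_id("intrusion-set", profile["name"])
    refs = [{"source_name": "ransomware.live", "url": profile["profile_url"]}]
    observables, relationships, skipped_ttps = [], [], []
    if create_leak_site_domains:  # CONNECTOR_CREATE_LEAK_SITE_DOMAINS, default false
        for loc in profile.get("locations", []):
            refs.append({"source_name": "ransomware.live leak site", "url": loc["slug"]})
            domain_id = stix_id("domain-name", loc["fqdn"])
            if any(o["id"] == domain_id for o in observables):
                continue  # same FQDN listed twice in the profile
            observables.append({"type": "domain-name", "id": domain_id, "value": loc["fqdn"]})
            # Direction (observable -> intrusion set) is an assumption.
            relationships.append(relationship("related-to", domain_id, iset_id))
    for ttp in profile.get("ttps", []):
        ap_id = attack_patterns.get(ttp)
        if ap_id is None:
            skipped_ttps.append(ttp)  # nothing to resolve against: skip silently
            continue
        relationships.append(relationship("uses", iset_id, ap_id))
    intrusion_set = {"type": "intrusion-set", "id": iset_id, "name": profile["name"],
                     "aliases": list(dict.fromkeys(profile.get("altname", []))),
                     "external_references": dedupe_refs(refs)}
    return {"intrusion_set": intrusion_set, "observables": observables,
            "relationships": relationships, "skipped_ttps": skipped_ttps}


def enrich_victim_report(victim, intrusion_set_id, create_leak_post_refs=False):
    """Victim Report carrying the ransomware.live report URL and, only when
    CONNECTOR_CREATE_LEAK_POST_REFS is enabled, the direct leak-post link."""
    refs = [{"source_name": "ransomware.live", "url": victim["report_url"]}]
    if create_leak_post_refs and victim.get("post_url"):
        refs.append({"source_name": "leak post", "url": victim["post_url"]})
    return {"type": "report", "id": stix_id("report", victim["report_url"]),
            "name": f"{victim['victim']} ransomware incident",
            "object_refs": [intrusion_set_id], "external_references": dedupe_refs(refs)}
```

Resolving TTPs against a pre-built map of external ID to AttackPattern ID is what makes the skip silent and cheap: a group whose technique has not been ingested yields no relationship and no error, so the MITRE connector can be run later and the next ransomware.live run fills the gap.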

@filigran-cla-bot filigran-cla-bot Bot added the cla:pending CLA signature required label Apr 26, 2026

filigran-cla-bot Bot commented Apr 26, 2026

Contributor License Agreement

CLA signed 💚

Thank you @Lyra-Fox for signing the Contributor License Agreement! Your pull request can now be reviewed and merged.

We appreciate your contribution to Filigran's open source projects! ❤️

This is an automated message from the Filigran CLA Bot.

@filigran-cla-bot filigran-cla-bot Bot removed the cla:pending CLA signature required label Apr 26, 2026
…OMAINS and CONNECTOR_CREATE_LEAK_POST_REFS to false
@romain-filigran romain-filigran added the community use to identify PR from community label May 4, 2026

Development

Successfully merging this pull request may close these issues.

[ransomwarelive] Add group and report enrichment: aliases, leak sites, external references, and TTPs

3 participants