From efc03512ab4c23fe3fcdc15e65805c0123b394a6 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 8 Mar 2026 21:14:38 +0000 Subject: [PATCH 1/3] docs: add Docker Hub overview markdown Adds DOCKERHUB.md with a ready-to-paste repository overview for the Docker Hub image page, covering features, quick start, full configuration reference, Docker Compose snippet, and links. https://claude.ai/code/session_01Tj5BbnrFWSnFZBxUvXUAUt --- DOCKERHUB.md | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 DOCKERHUB.md diff --git a/DOCKERHUB.md b/DOCKERHUB.md new file mode 100644 index 0000000..b67559d --- /dev/null +++ b/DOCKERHUB.md 
@@ -0,0 +1,93 @@ +# DigIntLab DEP — OpenCTI Connector + +An [OpenCTI](https://github.com/OpenCTI-Platform/OpenCTI) external-import connector that ingests ransomware and data-leak announcements from the [Double Extortion Platform (DEP)](https://doubleextortion.com/) and converts them into STIX 2.1 entities. + +> **Requires OpenCTI ≥ 6.8.13** — A valid DEP subscription (username, password, and API key) is needed. + +--- + +## What it does + +- Authenticates against the DEP AWS Cognito identity provider +- Polls the DEP REST API on a configurable interval and maps each announcement to an OpenCTI **Incident** +- Creates **Organization** identities for victim companies +- Optionally creates **Sector** identities and links victims via a `part-of` relationship +- Optionally generates **Indicators** for victim domains and leak hash identifiers +- Attaches announcement-type labels (e.g. `dep:announcement-type:pii`) to incidents +- Uses deterministic incident IDs (derived from DEP `hashid`) so repeated runs update existing records instead of creating duplicates +- Maintains connector state with a configurable overlap window to capture late DEP updates + +--- + +## Quick start + + docker run --rm \ + -e OPENCTI_URL=https://your-opencti \ + -e OPENCTI_TOKEN=your-token \ + -e DEP_USERNAME=your-username \ + -e DEP_PASSWORD=your-password \ + -e DEP_API_KEY=your-api-key \ + -e DEP_CLIENT_ID=your-cognito-client-id \ + opencti/connector-digintlab-dep:latest + +--- + +## Configuration + +All values can be set via environment variables (which take precedence) or via a mounted `config.yml`. 
+ +### Required + +| Environment variable | Description | +|---|---| +| `OPENCTI_URL` | URL of your OpenCTI platform | +| `OPENCTI_TOKEN` | OpenCTI API token | +| `DEP_USERNAME` | DEP portal username | +| `DEP_PASSWORD` | DEP portal password | +| `DEP_API_KEY` | API key issued by DEP | +| `DEP_CLIENT_ID` | AWS Cognito App Client ID | + +### Optional + +| Environment variable | Default | Description | +|---|---|---| +| `CONNECTOR_RUN_INTERVAL` | `3600` | Polling interval in seconds | +| `DEP_CONFIDENCE` | `70` | Confidence score on generated STIX objects | +| `DEP_LOOKBACK_DAYS` | `7` | Days to look back on first run | +| `DEP_OVERLAP_HOURS` | `72` | Overlap hours from previous run to catch late updates | +| `DEP_DSET` | `ext` | Dataset to query (e.g. `ext`, `sanctions`) | +| `DEP_EXTENDED_RESULTS` | `true` | Request extended leak information | +| `DEP_ENABLE_SITE_INDICATOR` | `true` | Create a domain indicator per victim | +| `DEP_ENABLE_HASH_INDICATOR` | `true` | Create a hash indicator when a hash is provided | +| `DEP_SKIP_EMPTY_VICTIM` | `true` | Skip items where victim name is empty or n/a | +| `DEP_CREATE_SECTOR_IDENTITIES` | `true` | Create sector identities and link victims | +| `DEP_LOGIN_ENDPOINT` | `https://cognito-idp.eu-west-1.amazonaws.com/` | Cognito login endpoint | +| `DEP_API_ENDPOINT` | `https://api.eu-ep1.doubleextortion.com/v1/dbtr/privlist` | DEP REST endpoint | + +--- + +## Docker Compose + +A full `docker-compose.yml` (including a local OpenCTI stack) is available in the [source repository](https://github.com/DigintLab/opencti-connector). 
+ + dep-connector: + image: opencti/connector-digintlab-dep:latest + environment: + - OPENCTI_URL=http://opencti:8080 + - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} + - DEP_USERNAME=${DEP_USERNAME} + - DEP_PASSWORD=${DEP_PASSWORD} + - DEP_API_KEY=${DEP_API_KEY} + - DEP_CLIENT_ID=${DEP_CLIENT_ID} + depends_on: + - opencti + restart: always + +--- + +## Links + +- [Source code](https://github.com/DigintLab/opencti-connector) +- [Double Extortion Platform](https://doubleextortion.com/) +- [OpenCTI documentation](https://docs.opencti.io/) +- [MIT License](https://github.com/DigintLab/opencti-connector/blob/main/LICENSE) From 7a35e956e41b20601d1e3a9da70a0da51b06f274 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Wed, 11 Mar 2026 11:40:51 +0100 Subject: [PATCH 2/3] Update DOCKERHUB.md --- DOCKERHUB.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/DOCKERHUB.md b/DOCKERHUB.md index b67559d..2d1940b 100644 --- a/DOCKERHUB.md +++ b/DOCKERHUB.md @@ -79,8 +79,6 @@ A full `docker-compose.yml` (including a local OpenCTI stack) is available in th - DEP_PASSWORD=${DEP_PASSWORD} - DEP_API_KEY=${DEP_API_KEY} - DEP_CLIENT_ID=${DEP_CLIENT_ID} - depends_on: - - opencti restart: always --- From 5125f93f4e6ee48c2dd0d57a4c2e4f20814e842a Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Wed, 11 Mar 2026 11:41:01 +0100 Subject: [PATCH 3/3] Update DOCKERHUB.md --- DOCKERHUB.md | 1 - 1 file changed, 1 deletion(-) diff --git a/DOCKERHUB.md b/DOCKERHUB.md index 2d1940b..cae9316 100644 --- a/DOCKERHUB.md +++ b/DOCKERHUB.md 
@@ -14,7 +14,6 @@ An [OpenCTI](https://github.com/OpenCTI-Platform/OpenCTI) external-import connec - Optionally creates **Sector** identities and links victims via a `part-of` relationship - Optionally generates **Indicators** for victim domains and leak hash identifiers - Attaches announcement-type labels (e.g. `dep:announcement-type:pii`) to incidents -- Uses deterministic incident IDs (derived from DEP `hashid`) so repeated runs update existing records instead of creating duplicates - Maintains connector state with a configurable overlap window to capture late DEP updates ---
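Review bot: the Quick start in the DOCKERHUB.md hunk passes every secret (`OPENCTI_TOKEN`, `DEP_PASSWORD`, `DEP_API_KEY`) as `-e` flags on the `docker run` command line, which leaves them in shell history and exposes them via `docker inspect`; since the Configuration section already states that values can come from a mounted `config.yml`, show that mount (or an `--env-file`) as the recommended way to supply credentials and keep the inline `-e` form only as the minimal demo. Two smaller documentation points in the same hunk: the callout "Requires OpenCTI ≥ 6.8.13 — A valid DEP subscription (username, password, and API key) is needed." lists three credentials, but the Required table and the quick start also need `DEP_CLIENT_ID` (the Cognito App Client ID), so it should be named there too; and the Docker Compose snippet sets `- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}`, which binds an import connector to the platform's admin token, so suggest a dedicated connector user's token instead (OpenCTI supports per-connector users with a Connector role) and add a comment that `OPENCTI_URL=http://opencti:8080` only resolves inside the Compose network.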
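Review bot: dropping `depends_on:` / `- opencti` in PATCH 2/3 leaves the snippet pointing at `OPENCTI_URL=http://opencti:8080` with `restart: always`, so when it is pasted next to the local OpenCTI stack that the sentence above it advertises, the connector will crash-loop until the `opencti` service is reachable; if the intent is that the snippet is a standalone fragment for an existing platform, reword that sentence to say so (and that the `opencti` hostname must resolve on the connector's network), otherwise keep the dependency. The commit message "Update DOCKERHUB.md" should also state why the two lines were removed.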
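Review bot: the removed bullet in PATCH 3/3, "Uses deterministic incident IDs (derived from DEP hashid) so repeated runs update existing records instead of creating duplicates", is a behavioural claim rather than a typo, and the series touches only DOCKERHUB.md, so the commit should say whether the connector no longer derives IDs from `hashid` or whether the statement was simply inaccurate. This matters because the retained bullet about the configurable overlap window (`DEP_OVERLAP_HOURS`, default `72`) means every run re-fetches up to three days of announcements; without deterministic IDs that overlap produces duplicate Incidents. If deduplication still holds, keep the bullet (reworded if needed); if not, document the duplication risk next to `DEP_OVERLAP_HOURS` in the Optional table, and say so in the commit message instead of "Update DOCKERHUB.md".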