Add configurable output mode: Report (default) or Incident#26
Merged
Conversation
Introduces a new `DEP_OUTPUT_MODE` configuration variable (env: `DEP_OUTPUT_MODE`, YAML: `dep.output_mode`, default: `report`). In `report` mode (new default) each DEP announcement is wrapped in a STIX 2.1 `Report` container whose `object_refs` includes all correlated entities and relationships (victim, indicators, intrusion set, country, sector). This matches how other connectors/feeds work and produces a pre-correlated Knowledge Graph view directly in OpenCTI. In `incident` mode (previous behaviour) a standalone STIX `Incident` is created with explicit `targets`, `attributed-to`, and `indicates` relationship edges, preserving full backward compatibility. Key implementation details: - `_create_report()` produces a deterministic `report--uuid5` ID from the DEP `hashid` namespace, identical logic to the former incident. - `_build_optional_entities()` now takes an optional `incident_id` parameter; the `attributed-to` edge is only emitted when it is set (incident mode only). - Cross-entity relationships extracted to `_build_cross_entity_relationships()` to keep cyclomatic complexity within the ruff C901 limit. - `_process_item` dispatches to `_process_item_as_report()` or `_process_item_as_incident()` based on `output_mode`. - Connector scope updated to `report,incident,identity,indicator`. - `config.yml.sample`, `README.md`, and `AGENTS.md` updated accordingly. https://claude.ai/code/session_01RM1YrEYNTjThrpgLftgW2D
|
KICS version: v2.1.20
Queries Results
|
…eanup_inconsistent_bundle - Apply TLP:AMBER object_marking_refs to all emitted STIX objects (Identity, IntrusionSet, Location, Incident, Report, Indicator, Relationship) for conformance with standard connector practice - Track work lifecycle via helper.api.work.initiate_work / to_processed in _run_cycle so runs appear in the OpenCTI Works panel; use try/finally to guarantee to_processed is always called even on fetch failure - Replace manual while/time.sleep loop in run() with helper.schedule_iso() using ISO 8601 duration derived from CONNECTOR_RUN_INTERVAL seconds - Add cleanup_inconsistent_bundle=True and work_id to send_stix2_bundle calls for more robust bundle delivery https://claude.ai/code/session_01RM1YrEYNTjThrpgLftgW2D
notdodo
approved these changes
Mar 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces a configurable output mode for the DEP connector, allowing announcements to be modeled as either STIX Reports (new default) or Incidents (legacy mode). The Report mode wraps all correlated entities and relationships in a single STIX Report container, while Incident mode creates standalone Incident objects with explicit relationship edges.
Key Changes
New configuration option:
DEP_OUTPUT_MODE(default:report)report: Each announcement becomes a STIX Report with all entities and relationships inobject_refsincident: Each announcement becomes a STIX Incident with explicittargets,attributed-to, andindicatesrelationshipsReport creation: New
_create_report()method generates STIX 2.1 Report objects with:hashid(uuid5)DEP announcement - <victim>(with fallbacks)Refactored processing logic:
_process_item()now dispatches to_process_item_as_incident()or_process_item_as_report()based on output mode_build_optional_entities()now accepts optionalincident_idparameter instead of full incident object, enabling reuse for both modes_build_cross_entity_relationships()method extracts cross-entity relationship logic (intrusion set → sector/country, sector → country)Label generation: Renamed
_build_incident_labels()to_build_labels()for mode-agnostic useType annotations: Added explicit type hints for external reference dictionaries
Documentation updates:
AGENTS.mdwith output mode behavior, Report data model mappings, and relationship differences between modesREADME.mdto reflect Report as default and clarify mode-specific behaviorconfig.yml.samplewith newoutput_modeconfigurationreportNotable Implementation Details
update=Trueobject_refswithout separateindicatesedges; in Incident mode, explicitindicatesrelationships are createdattributed-torelationship (intrusion set → incident) is only created in Incident mode; Report mode includes the intrusion set inobject_refsinsteadobject_refsin Report mode)https://claude.ai/code/session_01RM1YrEYNTjThrpgLftgW2D