From f28c1e0d739a3300203f9fb324945362c7b40593 Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Fri, 20 Mar 2026 14:27:43 +0100
Subject: [PATCH 1/2] fix: dockerhub auto update description

---
 .github/workflows/release.yml | 18 +++++
 DOCKERHUB.md | 128 ++++++++++++++++++++--------
 2 files changed, 95 insertions(+), 51 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 971814b..547f147 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,6 +47,24 @@ jobs:
 registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
 registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+ update-docker-readme:
+ needs: [build-docker-image]
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Docker Hub Description
+ uses: peter-evans/dockerhub-description@v5
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ repository: digintlab/opencti-connector
+ readme-filepath: ./DOCKERHUB.md
+
 sign-image:
 needs: [build-docker-image]
 runs-on: ubuntu-latest
diff --git a/DOCKERHUB.md b/DOCKERHUB.md
index 1994697..c768109 100644
--- a/DOCKERHUB.md
+++ b/DOCKERHUB.md
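Review bot: The new `update-docker-readme` job grants `id-token: write`, but neither of its two steps (the SHA-pinned checkout and the Docker Hub description push, which authenticates with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`) appears to use an OIDC token, so the grant is an unnecessary capability handed to a third-party action and the block should shrink to `permissions:` / `contents: read`. It looks carried over from the neighbouring `sign-image` job, whose body continues outside the hunk, where such a grant may well be needed. Separately, the job publishes the README to `repository: digintlab/opencti-connector`, while the README being pushed (the second file in this patch) tells users to pull `opencti/connector-digintlab-dep`; if both Hub repositories exist this is fine, otherwise one of the two names is wrong and the description lands on a repository nobody is told to use.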
@@ -2,85 +2,111 @@ An [OpenCTI](https://github.com/OpenCTI-Platform/OpenCTI) external-import connector that ingests ransomware and data-leak announcements from the [Double Extortion Platform (DEP)](https://doubleextortion.com/) and converts them into STIX 2.1 entities. -> **Requires OpenCTI ≥ 6.8.13** — A valid DEP subscription (username, password, and API key) is needed. +> **Requires OpenCTI >= 6.8.13** and valid DEP credentials: username, password, API key, and Cognito client ID. --- ## What it does - Authenticates against the DEP AWS Cognito identity provider -- Polls the DEP REST API on a configurable interval and maps each announcement to an OpenCTI **Report** by default, or an **Incident** when `DEP_PRIMARY_OBJECT=incident` -- Creates **Organization** identities for victim companies -- Optionally creates **Sector** identities and links victims via a `part-of` relationship +- Polls the DEP REST API on a configurable interval +- Models each DEP announcement as an OpenCTI **Report** by default, or an **Incident** when `DEP_PRIMARY_OBJECT=incident` +- Creates **Organization** identities for victims +- Optionally creates **Sector** identities, **Intrusion Sets**, and **Country** locations - Optionally generates **Indicators** for victim domains and leak hash identifiers -- Links generated indicators to the victim with `related-to` -- Attaches announcement-type labels (e.g. 
`dep:announcement-type:pii`) to the primary object -- Maintains connector state with a configurable overlap window to capture late DEP updates +- Adds announcement-type labels such as `dep:announcement-type:pii` +- Maintains connector state with an overlap window to catch late DEP updates --- ## Quick start - docker run --rm \ - -e OPENCTI_URL=https://your-opencti \ - -e OPENCTI_TOKEN=your-token \ - -e DEP_USERNAME=your-username \ - -e DEP_PASSWORD=your-password \ - -e DEP_API_KEY=your-api-key \ - -e DEP_CLIENT_ID=your-cognito-client-id \ - opencti/connector-digintlab-dep:latest +The simplest way to run the connector is to mount a `config.yml` file at `/app/config.yml`: + +```bash +docker run --rm \ + -v "$(pwd)/config.yml:/app/config.yml:ro" \ + opencti/connector-digintlab-dep:rolling +``` + +Environment variables override values from `config.yml`. A minimal env-only example is: + +```bash +docker run --rm \ + -e OPENCTI_URL=https://your-opencti \ + -e OPENCTI_TOKEN=your-token \ + -e CONNECTOR_ID=change-me \ + -e CONNECTOR_TYPE=EXTERNAL_IMPORT \ + -e CONNECTOR_NAME="DEP Connector" \ + -e CONNECTOR_SCOPE=report,incident,identity,indicator \ + -e DEP_USERNAME=your-username \ + -e DEP_PASSWORD=your-password \ + -e DEP_API_KEY=your-api-key \ + -e DEP_CLIENT_ID=your-cognito-client-id \ + opencti/connector-digintlab-dep:rolling +``` --- ## Configuration -All values can be set via environment variables (which take precedence) or via a mounted `config.yml`. +The connector loads configuration from `OPENCTI_CONFIG_FILE` when set, otherwise from `/app/config.yml`. Environment variables take precedence over YAML values. 
### Required -| Environment variable | Description | -| -------------------- | ---------------------------- | -| `OPENCTI_URL` | URL of your OpenCTI platform | -| `OPENCTI_TOKEN` | OpenCTI API token | -| `DEP_USERNAME` | DEP portal username | -| `DEP_PASSWORD` | DEP portal password | -| `DEP_API_KEY` | API key issued by DEP | -| `DEP_CLIENT_ID` | AWS Cognito App Client ID | +| Environment variable | Description | +| -------------------- | ----------- | +| `OPENCTI_URL` | URL of your OpenCTI platform | +| `OPENCTI_TOKEN` | OpenCTI API token | +| `CONNECTOR_ID` | Unique connector identifier | +| `CONNECTOR_TYPE` | Connector type, typically `EXTERNAL_IMPORT` | +| `CONNECTOR_NAME` | Connector display name | +| `CONNECTOR_SCOPE` | Connector scope, typically `report,incident,identity,indicator` | +| `DEP_USERNAME` | DEP portal username | +| `DEP_PASSWORD` | DEP portal password | +| `DEP_API_KEY` | API key issued by DEP | +| `DEP_CLIENT_ID` | AWS Cognito App Client ID | ### Optional -| Environment variable | Default | Description | -| ------------------------------ | --------------------------------------------------------- | ----------------------------------------------------- | -| `CONNECTOR_RUN_INTERVAL` | `3600` | Polling interval in seconds | -| `DEP_CONFIDENCE` | `70` | Confidence score on generated STIX objects | -| `DEP_LOOKBACK_DAYS` | `7` | Days to look back on first run | -| `DEP_OVERLAP_HOURS` | `72` | Overlap hours from previous run to catch late updates | -| `DEP_DSET` | `ext` | Dataset to query (e.g. 
`ext`, `sanctions`) | -| `DEP_PRIMARY_OBJECT` | `report` | Primary STIX object to emit: `report` or `incident` | -| `DEP_EXTENDED_RESULTS` | `true` | Request extended leak information | -| `DEP_ENABLE_SITE_INDICATOR` | `true` | Create a domain indicator per victim | -| `DEP_ENABLE_HASH_INDICATOR` | `true` | Create a hash indicator when a hash is provided | -| `DEP_SKIP_EMPTY_VICTIM` | `true` | Skip items where victim name is empty or n/a | -| `DEP_CREATE_SECTOR_IDENTITIES` | `true` | Create sector identities and link victims | -| `DEP_LOGIN_ENDPOINT` | `https://cognito-idp.eu-west-1.amazonaws.com/` | Cognito login endpoint | -| `DEP_API_ENDPOINT` | `https://api.eu-ep1.doubleextortion.com/v1/dbtr/privlist` | DEP REST endpoint | +| Environment variable | Default | Description | +| -------------------- | ------- | ----------- | +| `CONNECTOR_RUN_INTERVAL` | `3600` | Polling interval in seconds | +| `DEP_CONFIDENCE` | `70` | Confidence score on generated STIX objects | +| `DEP_LOOKBACK_DAYS` | `7` | Days to look back on first run | +| `DEP_OVERLAP_HOURS` | `72` | Overlap hours from previous run to catch late updates | +| `DEP_DSET` | `ext` | DEP dataset to query | +| `DEP_PRIMARY_OBJECT` | `report` | Primary STIX object to emit: `report` or `incident` | +| `DEP_EXTENDED_RESULTS` | `true` | Request extended DEP results | +| `DEP_ENABLE_SITE_INDICATOR` | `true` | Create a domain indicator per victim | +| `DEP_ENABLE_HASH_INDICATOR` | `true` | Create a hash indicator when a hash is provided | +| `DEP_SKIP_EMPTY_VICTIM` | `true` | Skip items where victim name is empty, `n/a`, or `none` | +| `DEP_CREATE_SECTOR_IDENTITIES` | `true` | Create sector identities and link victims with `part-of` | +| `DEP_CREATE_INTRUSION_SETS` | `true` | Create intrusion sets from DEP actor values | +| `DEP_CREATE_COUNTRY_LOCATIONS` | `true` | Create country locations and link victims with `located-at` | +| `DEP_LOGIN_ENDPOINT` | `https://cognito-idp.eu-west-1.amazonaws.com/` | Cognito login 
endpoint |
+| `DEP_API_ENDPOINT` | `https://api.eu-ep1.doubleextortion.com/v1/dbtr/privlist` | DEP REST endpoint |
 --- ## Docker Compose
-A full `docker-compose.yml` (including a local OpenCTI stack) is available in the [source repository](https://github.com/DigintLab/opencti-connector).
-
- dep-connector:
- image: opencti/connector-digintlab-dep:latest
- environment:
- - OPENCTI_URL=http://opencti:8080
- - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
- - DEP_USERNAME=${DEP_USERNAME}
- - DEP_PASSWORD=${DEP_PASSWORD}
- - DEP_API_KEY=${DEP_API_KEY}
- - DEP_CLIENT_ID=${DEP_CLIENT_ID}
- restart: always
+A full `docker-compose.yml` with a local OpenCTI stack is available in the [source repository](https://github.com/DigintLab/opencti-connector).
+
+```yaml
+dep-connector:
+ image: opencti/connector-digintlab-dep:rolling
+ restart: always
+ volumes:
+ - ./config.yml:/app/config.yml:ro
+ environment:
+ - OPENCTI_URL=http://opencti:8080
+ - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
+ - DEP_USERNAME=${DEP_USERNAME}
+ - DEP_PASSWORD=${DEP_PASSWORD}
+ - DEP_API_KEY=${DEP_API_KEY}
+ - DEP_CLIENT_ID=${DEP_CLIENT_ID}
+```
 ---

From 91b18b787242264d5e75b3ff2cf09a80afcff986 Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Fri, 20 Mar 2026 14:29:18 +0100
Subject: [PATCH 2/2] fix pinning

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 547f147..d144686 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Docker Hub Description
- uses: peter-evans/dockerhub-description@v5
+ uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
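Review bot: The commit pin on the `uses:` line is the right move, but the trailing `# v5.0.0` is only a comment: nothing in the workflow checks that `1b9a80c056b620d92cedb9d9b5a223409c68ddfa` is the commit the upstream `v5.0.0` tag resolves to, and that annotation is what Dependabot and Renovate read when proposing pin updates, so a wrong one misleads both reviewers and tooling. Confirm the SHA against the upstream tag before merging and make sure an updater for the `github-actions` ecosystem is configured, since a SHA pin that is never refreshed silently stays on this commit while the `v5` tag moves on. The same pin-plus-comment style is already used for `actions/checkout` in the context above, so the two lines are at least consistent.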