[InfoBlox Threat Defense] Create the Connector #3313

Merged (21 commits), Mar 10, 2025

Conversation

@The-Stuke (Contributor) commented Jan 17, 2025

Proposed changes

  • Create the stream connector to integrate OpenCTI with InfoBlox Threat Defense.
  • This will stream OpenCTI indicators to Infoblox Threat Defense (BloxOne) and remove indicators that are revoked in the OpenCTI platform.

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality using different use cases
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

Create the stream connector to integrate OpenCTI with InfoBlox Threat Defense.
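The stream-to-feed behaviour the proposed changes describe (push live OpenCTI indicators to the remote feed, remove the ones that get revoked in OpenCTI) is modelled below as an added example. It is not the Infoblox connector's code and does not use Infoblox's API: the event shape (a dict with "event" and "data", where "data" is the indicator as a dict or JSON text), the in-memory FeedState standing in for the remote feed, and the SUPPORTED observable-type mapping are all assumptions made for illustration. The sample events are constructed, not captured from a live platform.

```python
"""Stream event handling for an indicator-push connector, modelled offline.

Added example for this PR thread; NOT the Infoblox connector's code.
Assumptions (hypothetical): events are {"event": ..., "data": ...} where
data is the OpenCTI indicator as a dict or a JSON string, and the remote
feed is stood in for by FeedState, keyed by observable value.
"""
import json
import re
from dataclasses import dataclass, field

# Single-comparison STIX patterns such as [ipv4-addr:value = '198.51.100.7'].
# Compound patterns (AND/OR) are reported as unsupported rather than half-parsed,
# so nothing partial is ever pushed to the feed.
PATTERN_RE = re.compile(
    r"^\[(?P<otype>[a-z0-9-]+):value\s*=\s*'(?P<value>[^']+)'\]$"
)

# Observable types a DNS-layer feed can act on (assumed mapping, not Infoblox's).
SUPPORTED = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "host", "url": "url"}


@dataclass
class FeedState:
    """In-memory stand-in for the remote feed: value -> kind."""
    entries: dict = field(default_factory=dict)


def parse_pattern(pattern):
    """Return (kind, value) for a supported single-comparison pattern, else None."""
    m = PATTERN_RE.match(pattern.strip())
    if m is None:
        return None
    kind = SUPPORTED.get(m.group("otype"))
    if kind is None:
        return None
    return kind, m.group("value")


def handle_event(state, event):
    """Apply one stream event to the feed and return the action taken.

    create/update of a live indicator      -> add (idempotent)
    update marking it revoked, or delete   -> remove
    """
    data = event["data"]
    if isinstance(data, str):  # the stream client hands the payload over as JSON text
        data = json.loads(data)
    if data.get("type") != "indicator":
        return "ignored"
    parsed = parse_pattern(data.get("pattern", ""))
    if parsed is None:
        return "unsupported"
    kind, value = parsed
    revoked = bool(data.get("revoked", False))
    action = event["event"]

    if action == "delete" or (action == "update" and revoked):
        # Removing something already gone is not an error: streams get replayed.
        return "removed" if state.entries.pop(value, None) is not None else "absent"
    if action in ("create", "update"):
        if revoked:
            return "skipped"  # never push an indicator that is already revoked
        state.entries[value] = kind
        return "added"
    return "ignored"


def replay(events):
    """Run a sequence of events against an empty feed; return (state, action log)."""
    state = FeedState()
    return state, [handle_event(state, e) for e in events]


def _indicator(pattern, revoked=False):
    return {"type": "indicator", "pattern": pattern, "revoked": revoked}


# Constructed sample stream, not captured from a live OpenCTI instance.
SAMPLE_EVENTS = [
    {"event": "create", "data": _indicator("[ipv4-addr:value = '198.51.100.7']")},
    {"event": "create", "data": json.dumps(_indicator("[domain-name:value = 'evil.example']"))},
    {"event": "create", "data": _indicator("[file:hashes.'SHA-256' = 'deadbeef']")},
    {"event": "create", "data": _indicator("[url:value = 'http://bad.example/x']", revoked=True)},
    {"event": "update", "data": _indicator("[domain-name:value = 'evil.example']", revoked=True)},
    {"event": "delete", "data": _indicator("[ipv4-addr:value = '198.51.100.7']")},
    {"event": "delete", "data": _indicator("[ipv4-addr:value = '198.51.100.7']")},
    {"event": "update", "data": _indicator("[url:value = 'http://bad.example/x']")},
]

if __name__ == "__main__":
    state, log = replay(SAMPLE_EVENTS)
    print(log)
    print(state.entries)
```

The two choices worth noting for a connector of this kind: an update that carries `revoked: true` is treated exactly like a delete, and a delete for a value the feed no longer holds is reported as "absent" rather than raised, because stream replays after a reconnect will deliver the same delete again.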
@romain-filigran added the label "community" (use to identify PR from community), Jan 17, 2025
@romain-filigran added this to the "PRs backlog" milestone, Jan 17, 2025
@richard-julien force-pushed the master branch 2 times, most recently from 9818df2 to 0f4b30d, February 4, 2025 14:35
@SamuelHassine force-pushed the master branch 2 times, most recently from b513b96 to 11a05bf, February 14, 2025 12:49
@romain-filigran (Member)

@The-Stuke : Thank you for your contribution. In order to review and merge your contribution, can you resolve the formatting issues detected? You can solve it by running the following command on your code: “isort --profile black”.

@The-Stuke (Contributor, Author)

Hi @romain-filigran, I ran isort . --profile black in the directory of the new connector and now the error is "/home/circleci/repo/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py Imports are incorrectly sorted and/or formatted." Do you want me to update that file as well, as it is outside the connector I made?

@helene-nguyen (Member)

@The-Stuke Thank you for your contribution!
There have been some updates to isort and black recently. Could you rebase on master, check that you have the latest isort and black versions, and run them again?

Also, please ensure that your commits are verified and signed with GPG :)

@The-Stuke (Contributor, Author)

Hi @helene-nguyen, not sure why the test keeps failing. I was able to update both black and isort to the latest version, which did reformat my code, so I have pushed that now, but it still fails the CircleCI check on the main.py file.

Locally it tells me no files would be changing.

[screenshot]

@helene-nguyen (Member)

@The-Stuke You should be in the connector root folder; as I can see on the screenshot, you are in your connector folder.

Could you do it again?

@The-Stuke (Contributor, Author)

I might be confused running this. In my connector folder I don't get any errors for formatting.

[screenshot]

Going up another folder, though, I get a lot of other connectors that would be changed:
[screenshot]

@helene-nguyen (Member)

There are some root-level rules, sorry if it's confusing.
You should be in your connector root folder and run

black .
isort --profile black .

And then it should be good

@The-Stuke (Contributor, Author)

I'm sorry. I honestly don't know what is not working about the formatting at this point. I've been trying to research it to see if there is something I need to configure on my end, but I am not very familiar with this.

[screenshot]

@helene-nguyen (Member)

@The-Stuke In your last screenshot you ran the command in connectors/stream/infoblox-threat-defense; you should be in connectors/ and run black . and isort --profile black .

@helene-nguyen self-assigned this, Feb 28, 2025
@The-Stuke (Contributor, Author)

When I run both commands in the root directory I get a reformat of a bunch of files and a lot of errors thrown. Looking through it, I do not see my Infoblox connector even being referenced. I assume there is probably something wrong on my end, but I am not sure where to troubleshoot this.

username@SYSTEMNAME:/mnt/c/Users/username/Documents/GitHub/connectors$ black .
reformatted external-import/bambenek/src/bambenek_connector/config_variables.py
reformatted external-import/crowdstrike/src/crowdstrike_feeds_services/client/actors.py
reformatted external-import/crowdstrike/src/crowdstrike_feeds_services/client/rules.py
reformatted external-import/crowdstrike/src/crowdstrike_feeds_services/client/indicators.py
reformatted external-import/crowdstrike/src/crowdstrike_feeds_services/client/reports.py
reformatted external-import/cofense/src/main.py
reformatted external-import/alienvault/src/alienvault/utils/__init__.py
reformatted external-import/crowdstrike/src/crowdstrike_feeds_connector/report/importer.py
error: cannot format external-import/flashpoint/src/flashpoint_connector/connector.py: Cannot parse: 72:91:                 message = f"An error occurred while converting report.id: {str(report.get("id", ""))}, error: {err}"
reformatted external-import/cybersixgill/src/cybersixgill/utils/__init__.py
reformatted external-import/feedly/src/feedly/opencti_connector/connector.py
reformatted external-import/flashpoint/src/flashpoint_connector/client_api.py
error: cannot format external-import/flashpoint/src/flashpoint_connector/converter_to_stix.py: Cannot parse: 390:75:             f"A potential data exposure has been detected in **{alert.get("channel_type")}**. "
reformatted external-import/eset/src/eset.py
error: cannot format external-import/harfanglab-incidents/src/harfanglab_incidents_connector/connector.py: Cannot parse: 147:18:             match alert.type.lower():
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/group-ib/src/main.py
reformatted external-import/group-ib/src/config.py
reformatted external-import/crowdstrike/src/crowdstrike_feeds_services/utils/__init__.py
reformatted external-import/ibm-xti/src/external_import_connector/formatter.py
error: cannot format external-import/harfanglab-incidents/src/harfanglab_incidents_connector/converter_to_stix.py: Cannot parse: 340:18:             match alert_intelligence.type:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/group-ib/src/data_to_stix2.py
reformatted external-import/malpedia/src/malpedia_services/models.py
reformatted external-import/ironnet/src/ironnet/connector.py
reformatted external-import/malpedia/src/malpedia_tests/test_malpedia.py
reformatted external-import/group-ib/src/adapter.py
reformatted external-import/kaspersky/src/kaspersky/connector.py
error: cannot format external-import/microsoft-defender-incidents/src/microsoft_defender_incidents_connector/connector.py: Cannot parse: 137:22:                 match evidence_type:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/kaspersky/src/kaspersky/utils/stix2.py
error: cannot format external-import/microsoft-sentinel-incidents/src/microsoft_sentinel_incidents_connector/connector.py: Cannot parse: 173:22:                 match evidence_type:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/proofpoint-et-reputation/src/connector/services/utils.py
reformatted external-import/proofpoint-tap/proofpoint_tap/client_api/common.py
reformatted external-import/proofpoint-tap/proofpoint_tap/client_api/v2/campaign.py
reformatted external-import/proofpoint-et-reputation/src/connector/connector.py
reformatted external-import/mandiant/src/connector/base.py
reformatted external-import/proofpoint-tap/proofpoint_tap/adapters/config.py
reformatted external-import/proofpoint-tap/proofpoint_tap/ports/config.py
reformatted external-import/proofpoint-tap/proofpoint_tap/client_api/v2/siem.py
reformatted external-import/riskiq/src/riskiq/riskiq.py
error: cannot format external-import/sentinel-incidents/src/sentinel_incidents_connector/connector.py: Cannot parse: 137:22:                 match evidence_type:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/recorded-future/src/rflib/rf_alerts.py
reformatted external-import/flashpoint/src/flashpoint_connector/misp_converter_to_stix.py
reformatted external-import/sekoia/src/sekoia.py
reformatted external-import/recorded-future/src/rflib/rf_playbook_alerts.py
reformatted external-import/taxii2/src/connector/connector.py
reformatted external-import/tenable-security-center/tenable_security_center/adapters/config/env.py
reformatted external-import/tenable-security-center/tenable_security_center/adapters/config/config_yaml.py
reformatted external-import/taxii2/src/connector/process_objects.py
reformatted external-import/tenable-security-center/tenable_security_center/ports/config.py
error: cannot format external-import/tenable-vuln-management/src/tenable_vuln_management/converter_to_stix.py: Cannot parse: 88:10:     match score:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/shadowserver/src/shadowserver/stix_transform.py
reformatted external-import/valhalla/src/valhalla/knowledge.py
reformatted external-import/tenable-vuln-management/src/tenable_vuln_management/models/opencti.py
reformatted external-import/virustotal-livehunt-notifications/src/livehunt/livehunt.py
reformatted external-import/zerofox/src/collectors/mappers/phishingToInfrastructure.py
reformatted external-import/wiz/src/external_import_connector/connector.py
reformatted internal-enrichment/crowdsec/src/crowdsec/client.py
reformatted external-import/tenable-security-center/tenable_security_center/adapters/tsc_api/v5_13_from_asset.py
error: cannot format external-import/tenable-security-center/tenable_security_center/domain/entities.py: Cannot parse: 628:14:         match _score:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/misp-feed/src/misp-feed.py
reformatted internal-enrichment/proofpoint-et-intelligence/src/connector/services/utils.py
reformatted internal-enrichment/proofpoint-et-intelligence/src/connector/services/converter_to_stix.py
error: cannot format internal-enrichment/ipqs/src/ipqs/ipqs.py: Cannot parse: 227:14:         match observable["entity_type"]:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted external-import/misp/src/misp.py
reformatted internal-enrichment/urlscan-enrichment/src/urlscan_enrichment_services/utils.py
reformatted internal-enrichment/proofpoint-et-intelligence/src/connector/connector.py
reformatted internal-enrichment/rst-ioc-lookup/src/main.py
reformatted internal-import-file/import-file-yara/src/import-file-yara.py
error: cannot format stream/chronicle/src/chronicle.py: Cannot parse: 180:18:             match msg.event:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted stream/google-secops-siem/src/secops_siem_connector/connector.py
reformatted stream/google-secops-siem/src/secops_siem_services/cti_converter.py
error: cannot format internal-enrichment/virustotal/src/virustotal/virustotal.py: Cannot parse: 424:14:         match opencti_entity["entity_type"]:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted internal-enrichment/reversinglabs-spectra-intel-submission/src/main.py
error: cannot format stream/harfanglab-intel/src/harfanglab_intel_connector/connector.py: Cannot parse: 238:14:         match msg.event:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted stream/elastic/src/elastic/import_manager.py
error: cannot format stream/logrhythm/src/logrhythm.py: Cannot parse: 289:18:             match msg.event:
Consider using --target-version py310 to parse Python 3.10 code.
error: cannot format stream/sentinel/src/sentinel.py: Cannot parse: 161:14:         match data["type"]:
Consider using --target-version py310 to parse Python 3.10 code.
error: cannot format stream/pan-cortex-xsoar-intel/src/pan-cortex-xsoar-intel.py: Cannot parse: 334:22:                 match msg.event:
Consider using --target-version py310 to parse Python 3.10 code.
error: cannot format stream/stream-exporter/src/connector/connector.py: Cannot parse: 217:14:         match length := len(patch):
Consider using --target-version py310 to parse Python 3.10 code.
error: cannot format stream/splunk/src/splunk.py: Cannot parse: 281:18:             match msg.event:
Consider using --target-version py310 to parse Python 3.10 code.
error: cannot format internal-enrichment/reversinglabs-malware-presence/src/main.py: Cannot parse: 369:18:             match network_result["rl_network_type"]:
Consider using --target-version py310 to parse Python 3.10 code.
reformatted internal-enrichment/reversinglabs-spectra-analyze/src/main.py
reformatted stream/harfanglab/src/sightings.py
reformatted internal-import-file/import-file-misp/src/import-file-misp.py
Oh no! 💥 💔 💥
64 files reformatted, 807 files left unchanged, 19 files failed to reformat.
username@SYSTEMNAME:/mnt/c/Users/username/Documents/GitHub/connectors$ isort --profile black .
Fixing /mnt/c/Users/username/Documents/GitHub/connectors/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py
Skipped 15 files
username@SYSTEMNAME:/mnt/c/Users/username/Documents/GitHub/connectors$ isort

@helene-nguyen (Member)

@The-Stuke OK, I see. I don't know why you have this output; maybe a local config interferes.
Let me check on my side with your branch 🙂

@helene-nguyen (Member) left a review comment

Linting and formatting have been done by @flavienSindou (thank you) from our team :) sorry if it was painful on your side.

Everything looks good to me; we have added some minor changes to make to realign with our best practices.

Could you make the changes? Then it should be good to be merged :) Thank you again for your contribution.

@flavienSindou (Contributor) commented Mar 10, 2025

Hello @The-Stuke, could you please sign these commits:
2932740
d2abfd8
d957772 ?

Here is a detailed procedure : https://medium.com/@aamir.shehzad3346875/how-to-sign-previous-commit-that-have-already-been-pushed-4683a7060e19

@helene-nguyen (Member) left a review comment

All good for me :)

@helene-nguyen linked an issue, Mar 10, 2025, that may be closed by this pull request
@helene-nguyen merged commit dd244d0 into OpenCTI-Platform:master, Mar 10, 2025
4 checks passed
Labels: community (use to identify PR from community)
Linked issue (may be closed by this pull request): [InfoBlox Threat Defense] Create the Connector
4 participants