[Import Document AI] Implement Import Document AI connector

[Cnstant]

Proposed changes

• implement a connector that can query an internal service extractor with AI to extract new entities from text

Related issues

• [import-document-ai] Create the connector #3457

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality using different use cases (integration tests were performed manually)
• I added/update the relevant documentation (in the README)
• Where necessary I refactored code to improve the overall quality

Further comments

[flavienSindou]

@Cnstant Thanks for your work!

Your contribution follows the current connector template, and the implementation and documentation are clear.

Could you havea look at the comments on example files, error handling, and file storage, please?

I also left a few (optional) suggestions to make the logging tools and message formatting more consistent.

It'd be nice if you could provide a fake web service respons json example, I’d then be able to quickly test it by simulating an API server.

[flavienSindou]

I suggest you add explicitly used package and do not only rely on pycti sub dependencies

requests
stix2
yaml

[Cnstant]

what about versions ? should I stick to the versions in the package, or no version at all to make it more flexible ?

[flavienSindou]

Thank you for your response

As the end user of the library, I think you must specify the exact (compatible) versions you need/tested with your use case. But as you pointed out, pycti currently does not provide loose version requirements for its dependencies. This is something we are correcting step by step. (see OpenCTI-Platform/client-python#859)

I think you can fix your versions to :

requests==2.32.3
stix2==3.0.1
PyYAML==6.0.2

[Cnstant]

Here are all the possible json responses at the moment. You have the return status in the file name, and the content is the actual response.json(). Let me know if it's enough
response_403_trial.json
response_400_missing.json
response_403_unauthorized.json
response_400_invalid.json
response_202.json

[flavienSindou]

Please find my last remarks. Thank you for the response examples you provide, I get back to you as soon as I have tested them.

[flavienSindou]

#3466 (comment)

Sorry i was not clear in my previous comment. I think you should replace connector-template with the future image name

Suggested change

	image: connector-template:6.3.3
	image: opencti/connector-import-document-ai:6.3.3

[flavienSindou]

I think this is not necessary and you could remove it as you are not saving the file in the filesystem anymore.

Suggested change

	# On Windows, the invalid characters are different, so the behavior is not the same as Linux
	# It only happens with free text on local setup running on windows. Never on prod.
	os_system = os.name
	# If windows detection, replacement of invalid characters
	if os_system == "nt":
	file_name = re.sub(r'[\\/:*?"<>|]', "_", file_name)

[flavienSindou]

Thank you for your response

As the end user of the library, I think you must specify the exact (compatible) versions you need/tested with your use case. But as you pointed out, pycti currently does not provide loose version requirements for its dependencies. This is something we are correcting step by step. (see OpenCTI-Platform/client-python#859)

I think you can fix your versions to :

requests==2.32.3
stix2==3.0.1
PyYAML==6.0.2

[flavienSindou]

Note: Seems unused for now as the AI WebService does not extract threat actors

[flavienSindou]

Note: Seems unused for now as the AI WebService does not extract campaign

[flavienSindou]

Would you say it is correct to represent connector behavior like this:
Case 1 : from Data/Import UI

graph LR
    subgraph FileStorage
        direction LR
        pdf["PDF file"]
        text["Text file"]
        html["HTML file"]
        md["MD file"]
    end

    subgraph AIWebService
    end

    subgraph OpenCTI
        direction LR
        subgraph CreatedReport
      
            subgraph AddedDomainObjects
                direction LR
                OpenCTICountry[Country]
                OpenCTIMalware[Malware]
                OpenCTIIntrusionSet[Intrusion Set]
                OpenCTIVulnerability[Vulnerability]
                OpenCTIAttackPattern[Attack Pattern]
            end

            subgraph AddedObservables
                direction LR
                OpenCTIAutonomousSystem[Autonomous System]
                OpenCTIDomainName[Domain Name]
                OpenCTIEmailAddress[Email Address]
                OpenCTIPv4Address[IP V4 Address]
                OpenCTIPv6Address[IP V6 Address]
                OpenCTIMACAddress[MAC Address]
                OpenCTIURL[URL]
                OpenCTIFile[File]
                OpenCTIWindowsRegistryKey[Windows Registry Key]
            end
        end
    end
FileStorage ==> AIWebService
AIWebService ==> AddedDomainObjects & AddedObservables

Loading

Case2 : From Container UI (Report/Task/Case-Incidents, etc)

graph LR
    subgraph FileStorage
    end

    subgraph AIWebService
    end

    subgraph OpenCTI
        direction LR
        subgraph TriggeringContainer[Triggering Container]
      
            subgraph AddedDomainObjects[Added Domain Objects]
            end

            subgraph AddedObservables[Added Observables]
            end
        end
    end
TriggeringContainer -->|Triggers| FileStorage
FileStorage ==> AIWebService
AIWebService ==> AddedDomainObjects & AddedObservables

Loading

Case 3 : from an OpenCTI Entity UI with Incident or Threat Actor special sub cases

graph LR
    subgraph FileStorage
    end

    subgraph AIWebService
    end

    subgraph OpenCTI
        direction LR
        subgraph TriggeringEntity[Triggering Entity]
        TriggeringIncident[Incident]
        TriggeringThreatActor[Threat Actor]
        TriggeringOthers["..."]
        end
      
        subgraph AddedDomainObjects[Added Domain Objects]
        OpenCTIIntrusionSet[Intrusion Set]
        OpenCTIVulnerability[Vulnerability]
        OpenCTIAttackPattern[Attack Pattern]
        OpenCTIOthers["..."]
        end

        subgraph AddedObservables[Added Observables]
        end
    end
TriggeringEntity -.->|Triggers| FileStorage
FileStorage ==> AIWebService
AIWebService ==> AddedDomainObjects & AddedObservables
AddedObservables -->|Related To| TriggeringEntity
TriggeringIncident-->|Attributed To| OpenCTIIntrusionSet
TriggeringIncident & TriggeringThreatActor -->|Targets| OpenCTIVulnerability
TriggeringIncident & TriggeringThreatActor -->|Uses| OpenCTIAttackPattern

Loading

[flavienSindou]

I tested the connector with this fake rest server and everything worked fine

dev.zip

I'll be happy to approve your PR as soon as you address the previous remarks.

[flavienSindou]

Suggested change

	licence_key_pem:|
	licence_key_pem: |