VMRay-Platform new integration (#5427)

Author: moin-loginsoft

external-import/vmray-platform/Dockerfile

@@ -0,0 +1,20 @@
+FROM python:3.12-alpine
+ENV CONNECTOR_TYPE=EXTERNAL_IMPORT
+
+# Copy the connector
+COPY src /opt/opencti-connector-vmray-platform
+
+# Install Python modules
+# hadolint ignore=DL3003
+RUN apk update && apk upgrade && \
+    apk --no-cache add git build-base libmagic libffi-dev libxml2-dev libxslt-dev
+
+RUN cd /opt/opencti-connector-vmray-platform && \
+    pip3 install --no-cache-dir -r requirements.txt && \
+    apk del git build-base && \
+    rm -rf /var/cache/apk/*
+
+# Expose and entrypoint
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

external-import/vmray-platform/README.md

@@ -0,0 +1,138 @@
+# OpenCTI VMRay Platform Connector
+
+Table of Contents
+
+- [OpenCTI VMRay Platform Connector](#opencti-vmray-platform-connector)
+  - [Introduction](#introduction)
+  - [Installation](#installation)
+    - [Requirements](#requirements)
+  - [Configuration variables](#configuration-variables)
+    - [OpenCTI environment variables](#opencti-environment-variables)
+    - [Base connector environment variables](#base-connector-environment-variables)
+    - [VMRay Platform environment variables](#vmray-platform-environment-variables)
+  - [Deployment](#deployment)
+    - [Docker Deployment](#docker-deployment)
+    - [Manual Deployment](#manual-deployment)
+  - [Usage](#usage)
+  - [Behavior](#behavior)
+  - [Debugging](#debugging)
+
+
+## Introduction
+VMRay is an advanced malware sandbox and threat analysis platform used by hundreds of leading security teams worldwide, including Fortune 100 enterprises, government agencies, financial institutions, and MSSPs. By combining dynamic, evasion-resistant sandboxing with rich, reusable output, VMRay enables security teams to investigate unknown, advanced, and targeted threats, reduce analysis time, and build reliable, independent threat intelligence on the attacks that actually target their environment.
+
+This connector continuously ingests high-quality IOCs and analysis context from VMRay Platform into OpenCTI, including classifications, threat names, and other enriched observables derived from in-depth malware and phishing analysis. By bringing VMRay’s definitive verdicts and noise-free data into OpenCTI, security, IR, and threat intel teams can better correlate suspicious activity, prioritize investigations, and strengthen their overall detection and response workflows.
+
+## Installation
+
+### Requirements
+
+- OpenCTI Platform >= 6.9.0
+
+## Configuration variables
+
+There are a number of configuration options, which are set either in `docker-compose.yml` (for Docker) or
+in `config.yml` (for manual deployment).
+
+### OpenCTI environment variables
+
+Below are the parameters you'll need to set for OpenCTI:
+
+| Parameter     | config.yml | Docker environment variable | Mandatory | Description                                          |
+|---------------|------------|-----------------------------|-----------|------------------------------------------------------|
+| OpenCTI URL   | url        | `OPENCTI_URL`               | Yes       | The URL of the OpenCTI platform.                     |
+| OpenCTI Token | token      | `OPENCTI_TOKEN`             | Yes       | The default admin token set in the OpenCTI platform. |
+
+### Base connector environment variables
+
+Below are the parameters you'll need to set for running the connector properly:
+
+| Parameter         | config.yml      | Docker environment variable | Default         | Mandatory | Description                                                                                 |
+|-------------------|-----------------|-----------------------------|-----------------|-----------|---------------------------------------------------------------------------------------------|
+| Connector ID      | id              | `CONNECTOR_ID`              | /               | Yes       | A unique `UUIDv4` identifier for this connector instance.                                   |                              |
+| Connector Name    | name            | `CONNECTOR_NAME`            |                 | Yes       | Name of the connector.                                                                      |
+| Connector Scope   | scope           | `CONNECTOR_SCOPE`           |                 | Yes       | The scope or type of data the connector is importing, either a MIME type or Stix Object.    |
+| Log Level         | log_level       | `CONNECTOR_LOG_LEVEL`       | info            | Yes       | Determines the verbosity of the logs. Options are `debug`, `info`, `warn`, or `error`.      |
+| Duration Period   | duration_period | `CONNECTOR_DURATION_PERIOD` | PT1D            | No        | Determines the time interval between each launch of the connector in ISO 8601, ex: `PT30M`. |
+
+### VMRay Platform environment variables
+
+Below are the parameters you'll need to set for the connector:
+
+| Parameter                  | config.yml                 | Docker environment variable                 | Default | Mandatory | Description                                                                                                   |
+|----------------------------|----------------------------|---------------------------------------------|---------|-----------|---------------------------------------------------------------------------------------------------------------|
+| VMRay Server    | server                   | `VMRAY_SERVER`                   | https://cloud.vmray.com       | Yes       | VMRay Server URL                                                                                      |                        
+| VMRay API Key        | api_key                   | `VMRAY_API_KEY`                  | /       | Yes       | VMRay API Key                                                                               |
+| Inititla Fetch Date                  | initial_fetch_date                  | `VMRAY_INITIAL_FETCH_DATE`           | YYYY-MM-DD   | Yes       | Fetch feeds from date (ex: 2025-09-09) |
+| VMRay Sample Verdict | sample_verdict | `VMRAY_SAMPLE_VERDICT` | malicious    | Yes       | Samples can be pulled based on verdict.   Supported values include malicious, suspicious
+| VMRay IOCs Verdict | iocs_verdict | `VMRAY_IOCS_VERDICT` | malicious    | Yes       | IOCs can be pulled based on their verdict.   Supported values include malicious, suspicious                    |
+| VMRay Default TLP | default_tlp | `VMRAY_DEFAULT_TLP` | TLP:AMBER    | Yes       | TLP markings can be assigned in OpenCTI platform. Supported values include TLP:AMBER, TLP:RED, TLP:WHITE, TLP:GREEN                   |
+| VMRay Threat Names color | threat_names_color | `VMRAY_THREAT_NAMES_COLOR` | #d60904    | Yes       | Configurable color for threat names labels
+| VMRay Classifications color | classifications_color | `VMRAY_CLASSIFICATIONS_COLOR` | #fa560a    | Yes       | Configurable color for family classifications labels
+| VMRay VTI color | vti_color | `VMRAY_VTI_COLOR` | #40f5ef    | Yes       | Configurable color for VMRay Threat Identifier labels
+| VMRay MITRE color | mitre_color | `VMRAY_MITRE_COLOR` | #a9f723    | Yes       | Configurable color for MITRE Technique ID labels
+
+## Deployment
+
+### Docker Deployment
+
+Before building the Docker container, you need to set the version of pycti in `requirements.txt` equal to whatever
+version of OpenCTI you're running. Example, `pycti==6.9.0`. If you don't, it will take the latest version, but
+sometimes the OpenCTI SDK fails to initialize.
+
+Build a Docker Image using the provided `Dockerfile`.
+
+Example:
+
+```shell
+# Replace the IMAGE NAME with the appropriate value
+docker build . -t [IMAGE NAME]:latest
+```
+
+Make sure to replace the environment variables in `docker-compose.yml` with the appropriate configurations for your
+environment. Then, start the docker container with the provided docker-compose.yml
+
+```shell
+docker compose up -d
+# -d for detached
+```
+
+### Manual Deployment
+
+Create a file `config.yml` based on the provided `config.yml.sample`.
+
+Replace the configuration variables (especially the "**ChangeMe**" variables) with the appropriate configurations for
+you environment.
+
+Install the required python dependencies (preferably in a virtual environment):
+
+```shell
+pip3 install -r requirements.txt
+```
+
+Then, start the connector from vmray-platform/src:
+
+```shell
+python3 main.py
+```
+
+## Usage
+
+After Installation, the connector should require minimal interaction to use, and should update automatically at a regular interval specified in your `docker-compose.yml` or `config.yml` in `duration_period`.
+
+However, if you would like to force an immediate download of a new batch of entities, navigate to:
+
+`Data management` -> `Ingestion` -> `Connectors` in the OpenCTI platform.
+
+Find the connector, and click on the refresh button to reset the connector's state and force a new
+download of data by re-running the connector.
+
+## Behavior
+
+The connector pulls feeds from VMRay Platform and ingests into OpenCTI.
+
+
+## Debugging
+
+The connector can be debugged by setting the appropriate log level.
+Note that logging messages can be added using `self.helper.connector_logger,{LOG_LEVEL}("Sample message")`, i.e., `self.helper.connector_logger.error("An error message")`.

external-import/vmray-platform/__metadata__/connector_manifest.json

@@ -0,0 +1,21 @@
+{
+  "title": "VMRay Platform",
+  "slug": "vmray-platform",
+  "description": "VMRay provides advanced threat analysis and detection by integrating its unique agentless hypervisor-based sandbox with a real-time analysis. \n\nThis connector enables the ingestion and correlation of VMRay analysis data including IOCs, VTIs, and MITRE ATT&CK techniques for faster detection and response.",
+  "short_description": "VMRay provides advanced threat analysis and detection by integrating its unique agentless hypervisor-based sandbox with a real-time analysis.",
+  "logo": "external-import/vmray-platform/__metadata__/logo.png",
+  "use_cases": [
+    "Commercial Threat Intel"
+  ],
+  "verified": false,
+  "last_verified_date": null,
+  "playbook_supported": false,
+  "max_confidence_level": 100,
+  "support_version": ">= 6.9.0",
+  "subscription_link": "https://www.vmray.com/vmray-platform/",
+  "source_code": "https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/vmray-platform",
+  "manager_supported": false,
+  "container_version": "rolling",
+  "container_image": "opencti/connector-vmray-platform",
+  "container_type": "EXTERNAL_IMPORT"
+}

external-import/vmray-platform/__metadata__/logo.png

@@ -0,0 +1,24 @@
+version: "3"
+
+services:
+  connector-vmray-platform:
+    image: opencti/connector-vmray-platform:latest
+    environment:
+      - OPENCTI_URL=http://opencti:8080
+      - OPENCTI_TOKEN=ChangeMe(UUIDv4 token)
+      - CONNECTOR_ID=VMRay
+      - CONNECTOR_NAME=VMRay Platform
+      - CONNECTOR_SCOPE=VMRay 
+      - CONNECTOR_LOG_LEVEL=info
+      - CONNECTOR_DURATION_PERIOD=P1D
+      - VMRAY_SERVER=https://cloud.vmray.com
+      - VMRAY_API_KEY=ChangeMe
+      - VMRAY_INITIAL_FETCH_DATE=2025-09-09
+      - VMRAY_SAMPLE_VERDICT='malicious'
+      - VMRAY_IOCS_VERDICT='malicious'
+      - VMRAY_DEFAULT_TLP=TLP:AMBER      
+      - VMRAY_THREAT_NAMES_COLOR=#d60904
+      - VMRAY_CLASSIFICATIONS_COLOR=#fa560a
+      - VMRAY_VTI_COLOR=#40f5ef
+      - VMRAY_MITRE_COLOR=#a9f723 
+    restart: always

external-import/vmray-platform/docker-compose.yml

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Correct working directory
+cd /opt/opencti-connector-vmray-platform
+
+# Start the connector
+python3 main.py

external-import/vmray-platform/entrypoint.sh

@@ -0,0 +1,23 @@
+opencti:
+  url: 'http://localhost:8080'
+  token: 'ChangeMe'
+
+connector:
+  id: 'VMRay'
+  type: 'EXTERNAL_IMPORT'
+  name: 'VMRay Platform'
+  scope: 'report, malware, indicator, attack-pattern, location'
+  log_level: 'info'
+  duration_period: 'P1D' # Interval given for scheduler process in ISO-8601 format
+
+vmray:
+  server: 'https://cloud.vmray.com'
+  api_key: 'ChangeMe'
+  sample_verdict: 'malicious'
+  iocs_verdict: 'malicious'
+  threat_names_color: '#d60904'
+  classifications_color: '#f76928'
+  vti_color:  '#40f5ef'
+  mitre_color:  '#a9f723'
+  default_tlp: 'TLP:AMBER'
+  initial_fetch_date: '2025-09-09'

external-import/vmray-platform/src/config.yml.sample

@@ -0,0 +1,20 @@
+"""
+Main entry point for the VMRay connector script.
+Initializes the connector and runs it.
+"""
+
+from sys import exit
+from traceback import print_exc
+
+from vmray_connector import VMRayConnector
+
+if __name__ == "__main__":
+    # Entry point of the script
+    # print_exc(): Prints the exception traceback to stderr
+    # exit(1): Signals an error to the operating system
+    try:
+        connector = VMRayConnector()
+        connector.run()
+    except Exception:
+        print_exc()
+        exit(1)

external-import/vmray-platform/src/main.py

@@ -0,0 +1,3 @@
+pycti==6.9.0
+urllib3==2.5.0
+vmray-rest-api==6.0.0

external-import/vmray-platform/src/requirements.txt

@@ -0,0 +1,9 @@
+"""
+VMRay Connector package.
+
+Exports the main `VMRayConnector` class for use by external modules.
+"""
+
+from .connector import VMRayConnector
+
+__all__ = ["VMRayConnector"]