
Conversation

@Ninoxe Ninoxe (Contributor) commented Dec 12, 2025

WARNING: PR can't work without Reference models (see issue #5405)

Proposed changes

  • Implement IPv4 enrichment
  • Use connectors_sdk models

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality

@Ninoxe Ninoxe self-assigned this Dec 12, 2025
@Ninoxe Ninoxe added labels Dec 12, 2025: "feature" (use for describing a new feature to develop), "filigran team" (use to identify PR from the Filigran team), "connector: kaspersky-enrichment"
@Ninoxe Ninoxe linked an issue Dec 12, 2025 that may be closed by this pull request
@Ninoxe Ninoxe marked this pull request as ready for review December 15, 2025 16:32
@mariot mariot (Member) left a comment

Generally, it works very well :)
Just a few things before merging: the new objects lack an author and markings.


You should send Identity and Marking-Definition objects in the bundle and link them to each object.

You should also send back the original bundle even if there is an exception during the enrichment.

You can ignore the code suggestions if you don't have the time.
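An added example (not the PR's code and not part of connectors_sdk or pycti) of the two points above, using plain dicts instead of the stix2 library: an Identity and a Marking-Definition are placed in the bundle and every new object is linked to them, and the enrichment call is wrapped so the original bundle comes back untouched when an exception is raised. The SCO type list, the TLP marking id and all object ids are constructed for this example.

```python
import uuid

# STIX 2.1 domain objects carry created_by_ref; cyber-observables (ipv4-addr, file, ...)
# do not, so observables only receive the marking. Constructed subset of SCO types.
SCO_TYPES = {"ipv4-addr", "ipv6-addr", "domain-name", "url", "file"}


def make_author(name: str) -> dict:
    """Identity object that every new domain object will reference through created_by_ref."""
    return {
        "type": "identity",
        "spec_version": "2.1",
        "id": f"identity--{uuid.uuid4()}",
        "name": name,
        "identity_class": "organization",
    }


def make_marking(tlp: str) -> dict:
    """Marking-Definition object (fresh id here; a real connector reuses the spec-defined TLP ids)."""
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": f"marking-definition--{uuid.uuid4()}",
        "definition_type": "tlp",
        "definition": {"tlp": tlp},
    }


def attach_author_and_marking(objects: list[dict], author: dict, marking: dict) -> dict:
    """Link each object to the author and marking, and bundle them together with both definitions."""
    linked = []
    for obj in objects:
        obj = dict(obj)  # copy so the caller's objects are not mutated
        if obj["type"] not in SCO_TYPES:
            obj["created_by_ref"] = author["id"]
        refs = obj.get("object_marking_refs", [])
        obj["object_marking_refs"] = refs if marking["id"] in refs else [*refs, marking["id"]]
        linked.append(obj)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [author, marking, *linked]}


def enrich_or_return_original(bundle: dict, enrich) -> dict:
    """Run enrich(bundle); if it raises, hand the untouched original bundle back so nothing is dropped."""
    try:
        return enrich(bundle)
    except Exception:  # a real connector logs the error here before returning the input bundle
        return bundle
```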

Comment on lines +46 to +48
    if last_seen == first_seen:
        return True
    return False
Member

Suggested change
    if last_seen == first_seen:
        return True
    return False

    return last_seen == first_seen

        self.helper.connector_logger.info("[CONNECTOR] Starting enrichment...")

        # Retrieve ipv4
        obs_ipv4 = observable["value"]
Member

Maybe use observable_to_ref.id for the type checker?

Comment on lines +8 to +10
    if entity_info["DayRequests"] >= entity_info["DayQuota"]:
        return True
    return False
Member

Suggested change
    if entity_info["DayRequests"] >= entity_info["DayQuota"]:
        return True
    return False

    return entity_info["DayRequests"] >= entity_info["DayQuota"]

from datetime import datetime, timezone


def check_quota(entity_info: dict) -> bool:
Member

Consider using names like is_quota_exceeded or something

Comment on lines +23 to +26
    if entity_type in scopes:
        return True
    else:
        return False
Member

Suggested change
    if entity_type in scopes:
        return True
    else:
        return False

    return entity_type in scopes

Comment on lines +29 to +38
def resolve_file_hash(observable: dict) -> str:
    if "hashes" in observable and "SHA-256" in observable["hashes"]:
        return observable["hashes"]["SHA-256"]
    if "hashes" in observable and "SHA-1" in observable["hashes"]:
        return observable["hashes"]["SHA-1"]
    if "hashes" in observable and "MD5" in observable["hashes"]:
        return observable["hashes"]["MD5"]
    raise ValueError(
        "Unable to enrich the observable, the observable does not have an SHA256, SHA1, or MD5"
    )
Member

Suggested change
def resolve_file_hash(observable: dict) -> str:
    if "hashes" in observable and "SHA-256" in observable["hashes"]:
        return observable["hashes"]["SHA-256"]
    if "hashes" in observable and "SHA-1" in observable["hashes"]:
        return observable["hashes"]["SHA-1"]
    if "hashes" in observable and "MD5" in observable["hashes"]:
        return observable["hashes"]["MD5"]
    raise ValueError(
        "Unable to enrich the observable, the observable does not have an SHA256, SHA1, or MD5"
    )

def resolve_file_hash(observable: dict) -> str:
    hashes = observable.get("hashes", {})
    for key in ("SHA-256", "SHA-1", "MD5"):
        if key in hashes:
            return hashes[key]
    raise ValueError(
        "Unable to enrich the observable, the observable does not have an SHA256, SHA1, or MD5"
    )

    return False


def resolve_file_hash(observable: dict) -> str:
Member

Consider sending the hashes directly instead of the observable

Comment on lines +65 to +67
        OpenCTIStix2.put_attribute_in_extension(
            observable, STIX_EXT_OCTI_SCO, "score", score
        )
Member

The observable variable is changed by the method, yes, but it would be more readable if you caught the returned object, like:

Suggested change
        OpenCTIStix2.put_attribute_in_extension(
            observable, STIX_EXT_OCTI_SCO, "score", score
        )

        observable = OpenCTIStix2.put_attribute_in_extension(
            observable, STIX_EXT_OCTI_SCO, "score", score
        )

            entity_general_info["CountryCode"]
        )

        if obs_country:
Member

obs_country is never None, right?



Development

Successfully merging this pull request may close these issues.

[kaspersky-enrichment] Add IPV4 enrichment

3 participants