[YARA] propagating Malware relationships and labels from Indicators to matching Artifacts

internal-enrichment/yara/README.md

@@ -21,6 +21,8 @@ connector creates a relationship between the Artifact and Indicator.
 | `connector_id`                       | `CONNECTOR_ID`                      | Yes          | A valid arbitrary `UUIDv4` that must be unique for this connector.                                                                                         |
 | `connector_name`                     | `CONNECTOR_NAME`                    | Yes          | Set to "YARA"
 | `connector_scope`                    | `CONNECTOR_SCOPE`                   | Yes          | Supported scope: Artifact
-| `connector_auto`                    | `CONNECTOR_AUTO`                   | Yes          | Enable or disable auto-enrichment
+| `connector_auto`                     | `CONNECTOR_AUTO`                    | Yes          | Enable or disable auto-enrichment
 | `connector_confidence_level`         | `CONNECTOR_CONFIDENCE_LEVEL`        | Yes          | The default confidence level for created relationships (a number between 1 and 100).                                                                             |
 | `connector_log_level`                | `CONNECTOR_LOG_LEVEL`               | Yes          | The log level for this connector, could be `debug`, `info`, `warn` or `error` (less verbose).                                                              |
+| `propagate_malware`                  | `YARA_PROPOGATE_MALWARE_RELATIONSHIP`| No         | If a matching Yara Indicator entity has an 'indicates' Malware relationship, then a 'related-to' Relationship is created between the matching Artifact and Malware.                                                              |
+| `propagate_labels`                   | `YARA_PROPOGATE_LABELS`             | No             | If a matching Yara indicator entity has any labels, they are added to matching Artifacts.                                                             |

internal-enrichment/yara/docker-compose.yml

@@ -11,4 +11,6 @@ services:
       - CONNECTOR_AUTO=true
       - CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted)
       - CONNECTOR_LOG_LEVEL=error
+      - YARA_PROPOGATE_MALWARE_RELATIONSHIP=false
+      - YARA_PROPOGATE_LABELS=false
     restart: always

internal-enrichment/yara/src/config.yml.sample

@@ -9,4 +9,6 @@ connector:
   scope: 'Artifact' # MIME type or SCO
   auto: true # Enable/disable auto-enrichment of observables
   confidence_level: 100 # From 0 (Unknown) to 100 (Fully trusted)
-  log_level: 'info'
+  log_level: 'info'
+  propagate_malware: false # Add 'indicates' Malware relationships from Yara Indicators to matching Artifacts
+  propagate_labels: false # Add Labels from Yara Indicators to matching Artifacts

internal-enrichment/yara/src/main.py

@@ -28,6 +28,12 @@ def __init__(self):
         self.octi_api_url = get_config_variable(
             "OPENCTI_URL", ["opencti", "url"], config
         )
+        self.propagate_malware = get_config_variable(
+            "YARA_PROPAGATE_MALWARE_RELATIONSHIP", ["connector", "propagate_malware"], config, default=False
+        )
+        self.propagate_labels = get_config_variable(
+            "YARA_PROPAGATE_LABELS", ["connector", "propagate_labels"], config, default=False
+        )
 
     def _get_artifact_contents(self, artifact) -> list[bytes]:
         """
@@ -118,6 +124,41 @@ def _scan_artifact(self, artifact, yara_indicators) -> None:
                         description="YARA rule matched for this Artifact",
                     )
                     bundle_objects.append(relationship)
+                    if self.propagate_labels:
+                        try:
+                            full_indicator=self.helper.api.indicator.list(
+                                filters={
+                                    "mode": "and",
+                                    "filters": [{"key": "id", "values": [indicator["id"]]}],
+                                    "filterGroups": [],
+                                },
+                            )
+                            for label in full_indicator[0]["objectLabelIds"]:
+                                self.helper.api.stix_cyber_observable.add_label(id=artifact["id"], label_id=label)
+                        except Exception as e:
+                            self.helper.log_error(f"Error finding/adding matching labels - {e}")
+                    if self.propagate_malware:
+                        try:
+                            malware = self.helper.api.stix_core_relationship.list(fromId=indicator["id"], toTypes='Malware')
+                            if malware:
+                                self.helper.log_info(f"Adding Relationship {artifact['standard_id']} related-to {malware['stanard_id']}")
+                        except Exception as e:
+                            self.helper.log_error(f"Error finding malware - {e}")
+                        try:
+                            if malware:
+                                mal_relationship = Relationship(
+                                        id=StixCoreRelationship.generate_id(
+                                            "related_id", artifact["standard_id"], malware[0]['to']['standard_id']
+                                        ),
+                                        relationship_type="related-to",
+                                        source_ref=artifact["standard_id"],
+                                        target_ref=malware[0]['to']['standard_id'],
+                                        description="YARA rule created relationship to malware",
+                                )
+                                bundle_objects.append(mal_relationship)
+                        except Exception as e:
+                            self.helper.log_error(f"Error adding malware relationship - {e}")
+
                     self.helper.log_debug(
                         f"Created Relationship from Artifact to YARA Indicator {indicator['name']}"
                     )