OpenCTI connector for ShadowTrackr

Good news for OpenCTI users: We now have a connector available! The source is here on Github: github.com/ShadowTrackr/opencti-connector-shadowtrackr. If you run OpenCTI in Docker, you can also use the prebuilt container basvanschaik/opencti-connector-shadowtrackr:1.0.2 on Dockerhub.

This first version of the connector uses the data in ShadowTrackr to reduce false positives in OpenCTI. ShadowTrackr contains a lot of data to track Cloud and CDN systems, TOR nodes, Public DNS servers en VPNs. If you run a Threat Intelligence Platform like OpenCTI, you'll be ingesting quite a few indicators that come from automatic analyses. Some of these are Cloud, VPN or CDN ip addresses that are rotated quickly. Others might be public DNS servers that malware uses to check if the internet is reachable. I've even seen GMail servers classified as "Phishing".

You don't want to block a CDN ip for 3 months if it's used by an atacker for just a day. And you don't want to block GMail servers when one bad user abused it to send out a phishing email.

You can use the ShadowTrackr OpenCTI connectors to label indicators, automatically reduce scores, and even reduce the validity date to just one day.

If you run a similar system as OpenCTI and need a plugin/connector to reduce false positives, please let me know.