
Add ability to export an analysis to well mapped STIX enriched indicators #94

@stanfrbd


Based on my presentation to the interCERT, some people asked for OpenCTI or MISP import (via enrichment tool or direct import).

Ideas

  • Can be useful to create a future connector / ingestor to OpenCTI or MISP
  • Create an API endpoint
  • Create a button "Export to STIXv2"
  • Create a button "Ingest as new MISP Event"
  • Create a button "Add IoCs to OpenCTI"
  • Make sure to add the ability to select indicators that should be created (via form)
  • Make sure all of this is configurable through secrets.json or ENV
  • Make sure it is well documented

Problems

  • How to map correctly to STIX when there is no predictable data? (map every possible field? one by one?)
  • How to make sure the observable should be an indicator and that it is not an expired / invalid one?

Resources

https://oasis-open.github.io/cti-documentation/stix/examples
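One way to approach the two problems listed above, as an added example that is not part of the original issue or the project's code: map only observable types with a known STIX 2.1 pattern path, and create an indicator only when the observable was selected, has a malicious verdict, is well formed and has not aged out. The field names (`observable`, `type`, `malicious`, `selected`, `analyzed_at`), the type names and the 30-day lifetime are assumptions.

```python
import ipaddress
import uuid
from datetime import datetime, timedelta, timezone

# Assumed observable type names -> STIX 2.1 pattern paths. Unmapped types are skipped.
STIX_PATHS = {
    "IPv4": "ipv4-addr:value", "IPv6": "ipv6-addr:value",
    "FQDN": "domain-name:value", "URL": "url:value",
    "MD5": "file:hashes.MD5", "SHA1": "file:hashes.'SHA-1'", "SHA256": "file:hashes.'SHA-256'",
}

def _ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def to_indicator(result, now, ttl_days=30):
    """Return a STIX 2.1 indicator dict, or None when none should be created."""
    kind, value = result.get("type"), result.get("observable")
    path = STIX_PATHS.get(kind)
    if not (path and value and result.get("selected") and result.get("malicious")):
        return None
    try:
        seen = datetime.fromisoformat(result["analyzed_at"])
        expires = seen + timedelta(days=ttl_days)
        if kind in ("IPv4", "IPv6"):
            ipaddress.ip_address(value)
        if expires <= now:
            return None  # verdict is too old to publish as a live indicator
    except (KeyError, TypeError, ValueError):
        return None  # missing or naive timestamp, or malformed address
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": _ts(now), "modified": _ts(now),
        "name": f"{kind}: {value}",
        "pattern": f"[{path} = '{escaped}']", "pattern_type": "stix",
        "valid_from": _ts(seen), "valid_until": _ts(expires),
    }

def export_bundle(results, now=None):
    now = now or datetime.now(timezone.utc)
    indicators = [i for i in (to_indicator(r, now) for r in results) if i]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}

# Constructed sample analysis; the field names are assumptions, not the project's schema.
SAMPLE = [
    {"observable": "198.51.100.7", "type": "IPv4", "malicious": True, "selected": True, "analyzed_at": "2024-05-01T10:00:00+00:00"},
    {"observable": "example.com", "type": "FQDN", "malicious": False, "selected": True, "analyzed_at": "2024-05-01T10:00:00+00:00"},
    {"observable": "203.0.113.9", "type": "IPv4", "malicious": True, "selected": True, "analyzed_at": "2023-01-01T00:00:00+00:00"},
    {"observable": "ab" * 32, "type": "SHA256", "malicious": True, "selected": True, "analyzed_at": "2024-05-05T08:30:00+00:00"},
]
```

Setting `valid_until` on every exported indicator lets the receiving platform expire stale entries on its own.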

Labels: help wanted (Extra attention is needed)