Recorded Future Connector not ingesting Insikt Group Reports

[nhuber0724]

Prerequisites

Description

A client has advised that Recorded Future Insikt Group Reports have not ingested into OpenCTI since 7 November 2024. Platform team conduct initial research and identified a HTTP 403 error. The logs show failure to ping the RF API.

Environment

OpenCTI v.6.4.3

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Log into Grafana and check Recorded Future logs
2. You will see multiple failure to ping the RF API error.

[romain-filigran]

Hi @nhuber0724 . I guess the problem comes from the permissions associated with the API token used.
Definition of RecordedFuture error 403: "Although the API credentials are valid, they do not include permission to access the API endpoint used."
https://support.recordedfuture.com/hc/en-us/articles/360046682533-Connect-API-Troubleshooting

I did several tests with our access and I could not reproduce the problem.

[Lhorus6]

After investigation, this is what the problem appears to be:

The connector processes sequentially:

1. get RF_ALERTS → 403 but error caught well (so here it indicates that the Token does not have permissions)
2. get RF_PLAYBOOK_ALERTS → 403 but error caught badly (so here it indicates that the Token does not have permissions and as the error seems badly managed the code stops)
3. Get RF_REPORTS → If a 403 error at the previous step, the connector never executes this part.

On the client side, they seem to have 403 errors in step 2, which explains why it doesn't retrieve a report (step 3). The connector will need to be fixed so that it doesn't stop in step 2 in case of a problem, but we already have enough to unblock the client.