MISP has a threat actor dataset (intrusion set in STIX senses) that would be interesting to add to OpenCTI and could be integrated into our dataset.

Resources:

• The MISP threat actor dataset : https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json
• A MISP script to convert their MISP file into STIX format (the problem is that it does not correctly manage the migration of information contained in the "cfr-..." fields): https://github.com/MISP/misp-stix/blob/main/documentation/misp_galaxies_to_stix21.md

Note:

• "cfr-suspected-state-sponsor" -> Seems to be the "Originates from" field for intrusions set
• "cfr-suspected-victims" -> Should be a country and a relationship "targets" with the intrusion set
• "cfr-target-category -> Should be a sector and a relationship "targets" with the intrusion set
• "cfr-type-of-incident" -> Seems to be the "Primary motivation" field for intrusions set