[DRAFT] Enhancement/threat actor group

[409H]

Adds the ability to create threat actor groups via the GraphQL API. The plan of usage (from me, anyway) is to build out more blockchain-based connectors using @security-alliance/seal-isac-sdk.js so we can get more granular with DaaS (TA groups) and their affiliates (individuals)

Rationale

• Threat Actor Groups: This will be used to document organised threat groups, such as DaaS vendors.

  • Created with createThreatGroup()

• Threat Actor Individuals: This will be used to document individuals affiliated with a known group, such as a client of a DaaS.

  • Created with createThreatIndividual()

• Individual: This will be used to document entities that are/could be targeted by threat actors. Having them as individuals will allow us to assign them in victimology relationships to an attack/campaign.

  • Created with createIndividual()

[samczsun]

I know it's a draft but two quick comments:

• For any open vocabularies (like threat-actor-type-ov) we define it in security-alliance/stix.js and use the OpenVocabulary helper so that people can extend it with any string they like (example)
• To convert STIX types to OpenCTI types, we use StixToOCTI in order to automatically map from STIX to OpenCTI, complete with all the OpenCTI-specific fields (example). If it's a custom STIX object that OpenCTI has defined, we define the STIX type in src/stix/types.ts (example) first. The Individual type hasn't been migrated to this new helper yet, which was an oversight on my part

[samczsun]

Also it looks like the standard ID is generated via the name and opencti_type fields (which means that a TAG and TAI can have the same name but different standard IDs)

[409H]

@samczsun sorry, i am still working on this, but have had my focus on other things recently. Will update soon