OpenCTI#
README
OpenCTI is an open cyber threat intelligence platform which aims at providing a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations and based on STIX 2.
The analyzer comes in only one flavor to look for an observable in the platform. The analyzer comes in two flavors to search for an observable in the platform:
- OpenCTI_SearchExactObservable: returns an exact match only
- OpenCTI_SearchObservables: returns all observables containing the input data
Requirements#
The OpenCTI analyzer requires you to have access to one or several OpenCTI instances. You can also deploy your own instance. instances in version 4. You can also deploy your own instance.
Three parameters are required for each instance to make the analyzer work:
url: URL of the instance, e.g. "https://demo.opencti.io"
OpenCTI_SearchExactObservable#
Author: ANSSI
License: AGPL-V3
Version: 2.0
Supported observables types:
- domain
- ip
- url
- fqdn
- uri_path
- user-agent
- hash
- mail
- mail_subject
- registry
- regexp
- other
- filename
Registration required: True
Subscription required: False
Free subscription: False
Third party service: https://www.opencti.io
Description#
Query multiple OpenCTI instances for a specific observable.
Configuration#
| name | Name of OpenCTI servers |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |
| url | URL of OpenCTI servers |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| key | API key for each server |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| cert_check | Verify server certificate |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
No template samples to display.
OpenCTI_SearchObservables#
Author: ANSSI
License: AGPL-V3
Version: 2.0
Supported observables types:
- domain
- ip
- url
- fqdn
- uri_path
- user-agent
- hash
- mail
- mail_subject
- registry
- regexp
- other
- filename
Registration required: True
Subscription required: False
Free subscription: False
Third party service: https://www.opencti.io
Description#
Query multiple OpenCTI instances for a list of observables matching a pattern.
Configuration#
| name | Name of OpenCTI servers |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |
| url | URL of OpenCTI servers |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| key | API key for each server |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| cert_check | Verify server certificate |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#
No template samples to display.