# OpenCTI Connectors

## Introduction

Connectors are small programs that connect to a dedicated OpenCTI API. They interact with OpenCTI to authenticate, keep their state and fulfill their role. To keep their state, each connector has its own dedicated data slot, which can hold a short JSON document.

Connectors are the cornerstone of the OpenCTI platform and allow organizations to easily ingest, enrich or export data.

<figure><img src="/files/GV3toNbP4vkKZEqrLlT7" alt=""><figcaption></figcaption></figure>

## Configure a connector

Most OpenCTI connectors are available in the OpenCTI connectors repository (<https://github.com/OpenCTI-Platform/connectors>). They are grouped by type:

* `external-import`: connectors that automatically fetch data from an external source and feed it into OpenCTI.
* `internal-enrichment`: connectors that fetch data from external sources to enrich data that already exists in the platform. They are typically triggered when a user clicks an enrichment button.
* `internal-export-file`: connectors that export data from OpenCTI to a file. They are triggered when a user requests an export from the platform.
* `internal-import-file`: connectors that import data from a file. They are triggered when a user imports a file into the platform.
* `stream`: connectors that consume the OpenCTI data-sharing stream, typically used to send data to tools that cannot consume standard feeds (SIEM, SOAR, etc.).

### Parameters

Here is an example of the connector environment section of a `docker-compose.yml` file:

```
- CONNECTOR_ID=ChangeMe
- CONNECTOR_TYPE=EXTERNAL_IMPORT
- CONNECTOR_NAME=MITRE ATT&CK
- CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report
- CONNECTOR_LOG_LEVEL=info
```

Here is the equivalent configuration in a connector `config.yml` file:

```
connector:
  id: 'ChangeMe'
  type: 'EXTERNAL_IMPORT'
  name: 'MITRE ATT&CK'
  scope: 'identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report'
  log_level: 'info'
```

### Networking

The connector must be able to reach RabbitMQ on the configured hostname and port. If you have a specific Docker network configuration, make sure to adapt your `docker-compose.yml` file so that the connector container is attached to the OpenCTI network.

```docker
networks:
  default:
    external: true
    name: opencti-docker_default
```

### Connector token <a href="#connector-token" id="connector-token"></a>

#### Create the user

By default, a group named `Connectors` already exists in the platform. Create a new user named `[C] Name of the connector` in Settings > Security > Users.

<figure><img src="/files/0DpmTSWyPhHAc90HPGne" alt=""><figcaption></figcaption></figure>

#### Put the user in the group <a href="#put-the-user-in-the-group" id="put-the-user-in-the-group"></a>

Just go to the user you have just created and add it to the `Connectors` group.

<figure><img src="/files/wQv3W7wYMPeRdB0ye2dB" alt=""><figcaption></figcaption></figure>

Now, get the token of that user; it is displayed in the interface.

<figure><img src="/files/MfcxaaKrfAlErOm1iVce" alt=""><figcaption></figcaption></figure>

### Docker activation <a href="#docker-activation" id="docker-activation"></a>

You can either run the Docker image of a connector directly or add it to your current `docker-compose.yml` file. For example, to enable the MISP connector, add a new service to your `docker-compose.yml` file:

```yaml
# https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/misp/docker-compose.yml
version: "3"
services:
  connector-misp:
    image: opencti/connector-misp:6.7.4
    environment:
      - OPENCTI_URL=http://localhost
      - OPENCTI_TOKEN=ChangeMe
      - CONNECTOR_ID=ChangeMe
      - CONNECTOR_NAME=MISP
      - CONNECTOR_SCOPE=misp
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_EXPOSE_METRICS=false
      - MISP_URL=http://localhost # Required
      - MISP_REFERENCE_URL= # Optional, will be used to create external reference to MISP event (default is "url")
      - MISP_KEY=ChangeMe # Required
      - MISP_SSL_VERIFY=false # Required
      - MISP_DATETIME_ATTRIBUTE=timestamp # Required, filter to be used in query for new MISP events
      - MISP_DATE_FILTER_FIELD=timestamp # Required, field to filter on date
      - MISP_REPORT_DESCRIPTION_ATTRIBUTE_FILTER= # Optional, filter to be used to find the attribute with report description (example: "type=comment,category=Internal reference")
      - MISP_CREATE_REPORTS=true # Required, create report for MISP event
      - MISP_CREATE_INDICATORS=true # Required, create indicators from attributes
      - MISP_CREATE_OBSERVABLES=true # Required, create observables from attributes
      - MISP_CREATE_OBJECT_OBSERVABLES=true # Required, create text observables for MISP objects
      - MISP_CREATE_TAGS_AS_LABELS=true # Optional, create tags as labels (sanitize MISP tag to OpenCTI labels)
      - MISP_GUESS_THREAT_FROM_TAGS=false # Optional, try to guess threats (threat actor, intrusion set, malware, etc.) from MISP tags when they are present in OpenCTI
      - MISP_AUTHOR_FROM_TAGS=false # Optional, map creator:XX=YY (author of event will be YY instead of the author of the event)
      - MISP_MARKINGS_FROM_TAGS=false # Optional, map marking:XX=YY (in addition to TLP, add XX:YY as marking definition, where XX is marking type, YY is marking value)
      - MISP_ENFORCE_WARNING_LIST=false # Optional, enforce warning list in MISP queries
      - MISP_REPORT_TYPE=misp-event # Optional, report_class if creating report for event
      - MISP_IMPORT_FROM_DATE=2000-01-01 # Required, import all events from this date
      - MISP_IMPORT_TAGS= # Optional, list of tags used to filter events to import
      - MISP_IMPORT_TAGS_NOT= # Optional, list of tags to not include
      - MISP_IMPORT_CREATOR_ORGS= # Optional, only import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_CREATOR_ORGS_NOT= # Optional, do not import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS= # Optional, only import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS_NOT= # Optional, do not import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_KEYWORD= # Optional, search only events based on a keyword
      - MISP_IMPORT_DISTRIBUTION_LEVELS= # Optional, only import events with the given distribution levels (ex: 0,1,2,3)
      - MISP_IMPORT_THREAT_LEVELS= # Optional, only import events with the given threat levels (ex: 1,2,3,4)
      - MISP_IMPORT_ONLY_PUBLISHED=false
      - MISP_IMPORT_WITH_ATTACHMENTS=false # Optional, try to import a PDF file from the attachment attribute
      - MISP_IMPORT_TO_IDS_NO_SCORE=40 # Optional, use as a score for the indicator/observable if the attribute to_ids is no
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT=false # Optional, import unsupported observables as x_opencti_text
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT_TRANSPARENT=true # Optional, import unsupported observables as x_opencti_text with just the value
      - MISP_INTERVAL=5 # Required, in minutes
      - MISP_PROPAGATE_LABELS=false # Optional, propagate labels to the observables
    restart: always
    depends_on:
      - opencti
```
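A startup check for the settings shown in the Parameters section and in the compose file above, added here as an example (it is not part of this page, of the connectors repository or of pycti). It resolves each value with the same environment-first precedence as pycti's `get_config_variable` (environment variable, then `config.yml` section and key) and refuses to start while `OPENCTI_TOKEN` or `CONNECTOR_ID` is still `ChangeMe`. The `config` dict stands in for a parsed `config.yml` and `env` for `os.environ`; requiring `CONNECTOR_ID` to be a UUID is this example's own rule.

```python
import os
import uuid

# CONNECTOR_TYPE values matching the five connector groups listed on this page.
CONNECTOR_TYPES = {"EXTERNAL_IMPORT", "INTERNAL_ENRICHMENT", "INTERNAL_EXPORT_FILE",
                   "INTERNAL_IMPORT_FILE", "STREAM"}
PLACEHOLDERS = {"", "ChangeMe"}  # values left over from the sample files
# (env var, (config.yml section, key)) for every setting the samples above use
FIELDS = {
    "url": ("OPENCTI_URL", ("opencti", "url")),
    "token": ("OPENCTI_TOKEN", ("opencti", "token")),
    "id": ("CONNECTOR_ID", ("connector", "id")),
    "type": ("CONNECTOR_TYPE", ("connector", "type")),
    "name": ("CONNECTOR_NAME", ("connector", "name")),
    "scope": ("CONNECTOR_SCOPE", ("connector", "scope")),
    "log_level": ("CONNECTOR_LOG_LEVEL", ("connector", "log_level")),
}


def get_config_variable(env_var, yaml_path, config, env=None):
    """Environment variable first, then config.yml section/key (pycti's order)."""
    env = os.environ if env is None else env
    if env.get(env_var) is not None:
        return env[env_var]
    section, key = yaml_path
    return (config.get(section) or {}).get(key)


def load_connector_settings(config, env=None):
    """Resolve and validate connector settings. `config` is the parsed config.yml
    (normally yaml.safe_load output) and `env` stands in for os.environ.
    Raises ValueError listing every problem, so a misconfigured container stops
    at startup instead of retrying registration with a rejected token."""
    values = {k: get_config_variable(e, y, config, env) for k, (e, y) in FIELDS.items()}
    problems = []
    for key in ("url", "token", "id", "type", "name", "scope"):
        if values[key] is None or str(values[key]).strip() in PLACEHOLDERS:
            problems.append(f"{FIELDS[key][0]} is missing or still a placeholder")
    if values["type"] not in CONNECTOR_TYPES:
        problems.append(f"CONNECTOR_TYPE must be one of {sorted(CONNECTOR_TYPES)}")
    try:  # this example requires CONNECTOR_ID to be a UUID (its own rule, not pycti's)
        uuid.UUID(str(values["id"]))
    except ValueError:
        problems.append("CONNECTOR_ID is not a UUID")
    if problems:
        raise ValueError("; ".join(problems))
    values["scope"] = [s.strip() for s in values["scope"].split(",") if s.strip()]
    values["log_level"] = (values["log_level"] or "info").lower()
    return values
```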

### Connectors status <a href="#connectors-status" id="connectors-status"></a>

The connector status is displayed in the dedicated section of the platform, available in Data > Ingestion > Connectors. There you can see the statistics of the connector's RabbitMQ queue:

<figure><img src="/files/teDrV7asZypCcXJECjc4" alt=""><figcaption></figcaption></figure>
