OpenCTI Connectors

Introduction

Connectors are small programs that connect to the OpenCTI dedicated connector API. They interact with OpenCTI to authenticate, keep their state and fulfill their role. To keep their state, each connector can use a data slot dedicated to it, which can hold a brief JSON document.

Connectors are the cornerstone of the OpenCTI platform and allow organizations to easily ingest, enrich or export data.
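The state slot described above is what lets an import connector resume where it stopped instead of re-ingesting everything. The following added example (not code from OpenCTI or pycti) shows the pattern with an in-memory stand-in for the slot; in a real connector the same `get_state()` / `set_state()` calls go through `OpenCTIConnectorHelper` and the slot is stored by the platform. The sample feed, the `last_run` / `last_check` keys and the `run_once` function are assumptions made for the example.

```python
import json
from datetime import datetime, timezone


class StateSlot:
    """In-memory stand-in (assumption for this example) for the per-connector
    state slot. A real connector reads and writes the slot through the platform
    API; what is stored is a small JSON document, kept here as a string."""

    def __init__(self, raw=None):
        self.raw = raw

    def get_state(self):
        """Decode the stored JSON document; treat absent or malformed state as
        empty so a corrupted slot cannot crash the connector at startup."""
        if not self.raw:
            return {}
        try:
            state = json.loads(self.raw)
        except json.JSONDecodeError:
            return {}
        return state if isinstance(state, dict) else {}

    def set_state(self, state):
        self.raw = json.dumps(state)


def parse_ts(value):
    """Parse an ISO 8601 timestamp (accepting a trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample feed from a hypothetical external source (not real data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "timestamp": "2024-01-10T12:00:00Z"},
    {"id": "evt-2", "timestamp": "2024-02-01T08:30:00Z"},
]


def run_once(slot, events, import_from_date="2000-01-01"):
    """One run of a hypothetical external-import connector.

    Only events newer than the stored watermark ('last_run', or import_from_date
    on the first run) are processed, and the watermark is advanced only after
    the batch has been handled, so a crash mid-run causes a re-import rather
    than a silent gap. Returns the ids of the events imported in this run.
    """
    state = slot.get_state()
    watermark = state.get("last_run") or f"{import_from_date}T00:00:00+00:00"
    since = parse_ts(watermark)

    batch = [e for e in events if parse_ts(e["timestamp"]) > since]
    # ... build a STIX bundle from `batch` and send it to the platform here ...

    if batch:
        state["last_run"] = max(parse_ts(e["timestamp"]) for e in batch).isoformat()
    state["last_check"] = datetime.now(timezone.utc).isoformat()
    slot.set_state(state)
    return [e["id"] for e in batch]


if __name__ == "__main__":
    slot = StateSlot()
    print(run_once(slot, SAMPLE_EVENTS))  # first run: both sample events
    print(run_once(slot, SAMPLE_EVENTS))  # second run: nothing new
```

Keeping the document small matters because the slot is meant for a brief JSON document: store a watermark and a timestamp, not the list of everything imported.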

Configure a connector

Most OpenCTI connectors are available in the https://github.com/OpenCTI-Platform/connectors repository. They are grouped by type:

  • external-import: connectors that automatically fetch data from an external source and feed it into OpenCTI.

  • internal-enrichment: connectors that fetch data from external sources to enrich data that already exists in the platform. They are typically triggered when a user clicks an enrichment button.

  • internal-export-file: connectors that export data from OpenCTI to a file. They are triggered when a user requests an export from the platform.

  • internal-import-file: connectors that import data from a file. They are triggered when a user imports a file into the platform.

  • stream: connectors consuming the OpenCTI data sharing stream, typically used to send data to tools that do not support standard feeds (SIEM, SOAR, etc.).

Parameters

Here is an example of the connector parameters as environment variables in a connector docker-compose.yml file:

- CONNECTOR_ID=ChangeMe
- CONNECTOR_TYPE=EXTERNAL_IMPORT
- CONNECTOR_NAME=MITRE ATT&CK
- CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report
- CONNECTOR_LOG_LEVEL=info

Here is the equivalent example in a connector config.yml file:

connector:
  id: 'ChangeMe'
  type: 'EXTERNAL_IMPORT'
  name: 'MITRE ATT&CK'
  scope: 'identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report'
  log_level: 'info'
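The two formats above carry the same settings, and a connector has to decide which one wins when both are present. The following added example (not pycti's own `get_config_variable`, whose name it borrows for the precedence it mirrors: environment variable first, then the config.yml path, then a default) resolves the settings shown above and refuses to start with placeholder values. The accepted connector types, the log-level set, the `opencti` section of the sample config and the override values are assumptions made for the example.

```python
import os

# Assumptions for this example: the five connector types listed above, the log
# levels this loader accepts, and the placeholder values it refuses.
CONNECTOR_TYPES = {"EXTERNAL_IMPORT", "INTERNAL_ENRICHMENT", "INTERNAL_EXPORT_FILE",
                   "INTERNAL_IMPORT_FILE", "STREAM"}
LOG_LEVELS = {"debug", "info", "warning", "error"}
PLACEHOLDERS = {"", "changeme"}


def get_config_variable(env_var, yaml_path, config, default=None, required=False, environ=None):
    """Resolve one setting: the environment variable wins, then the config.yml
    path, then the default. An empty environment value counts as unset, so a
    docker-compose line such as `- MISP_IMPORT_TAGS=` does not mask a default."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value is None or value == "":
        node = config
        for key in yaml_path:
            node = node.get(key) if isinstance(node, dict) else None
        value = node
    if value is not None and value != "":
        return value
    if required:
        raise ValueError(f"missing required setting {env_var} ({'.'.join(yaml_path)})")
    return default


def load_connector_config(config, environ=None):
    """Build the validated settings a connector needs before it registers with
    the platform; raises ValueError listing every problem found."""
    problems = []

    def setting(env_var, yaml_path, **kwargs):
        try:
            return get_config_variable(env_var, yaml_path, config, environ=environ, **kwargs)
        except ValueError as exc:
            problems.append(str(exc))
            return None

    url = setting("OPENCTI_URL", ["opencti", "url"], required=True)
    token = setting("OPENCTI_TOKEN", ["opencti", "token"], required=True)
    c_id = setting("CONNECTOR_ID", ["connector", "id"], required=True)
    c_type = setting("CONNECTOR_TYPE", ["connector", "type"], required=True)
    name = setting("CONNECTOR_NAME", ["connector", "name"], required=True)
    scope = setting("CONNECTOR_SCOPE", ["connector", "scope"], default="")
    log_level = setting("CONNECTOR_LOG_LEVEL", ["connector", "log_level"], default="info")

    # A token or id copied unchanged from a template must never reach the platform.
    for label, value in (("OPENCTI_TOKEN", token), ("CONNECTOR_ID", c_id)):
        if value is not None and str(value).strip().lower() in PLACEHOLDERS:
            problems.append(f"{label} is still a placeholder value")
    if c_type is not None and c_type not in CONNECTOR_TYPES:
        problems.append(f"unknown CONNECTOR_TYPE {c_type!r}")
    if str(log_level).lower() not in LOG_LEVELS:
        problems.append(f"unknown CONNECTOR_LOG_LEVEL {log_level!r}")
    if problems:
        raise ValueError("; ".join(problems))

    return {
        "url": url,
        "token": token,
        "id": c_id,
        "type": c_type,
        "name": name,
        # scope is a comma-separated string in both file formats; split it here
        "scope": [s.strip() for s in str(scope).split(",") if s.strip()],
        "log_level": str(log_level).lower(),
    }


# The config.yml shown above as the dict a YAML loader produces, plus an
# `opencti` section with constructed values (an assumption for this example).
SAMPLE_CONFIG = {
    "opencti": {"url": "http://opencti:8080", "token": "ChangeMe"},
    "connector": {
        "id": "ChangeMe",
        "type": "EXTERNAL_IMPORT",
        "name": "MITRE ATT&CK",
        "scope": "identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report",
        "log_level": "info",
    },
}

# Overrides as a docker-compose environment block would inject them (constructed values).
SAMPLE_ENV = {
    "CONNECTOR_ID": "00000000-0000-4000-8000-000000000001",
    "OPENCTI_TOKEN": "example-token-of-the-connector-user",
}

if __name__ == "__main__":
    print(load_connector_config(SAMPLE_CONFIG, SAMPLE_ENV))
```

Without the overrides the sample config is rejected, because both the id and the token are still `ChangeMe`; that failure at startup is preferable to a connector registering under a shared id or calling the API with a template credential.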

Networking

Connectors must be able to reach RabbitMQ on the specified hostname and port. If you have a specific Docker network configuration, make sure to adapt your docker-compose.yml file so that the connector container is attached to the OpenCTI network:

networks:
  default:
    external: true
    name: opencti-docker_default
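A connector that is on the wrong network fails only after it has registered, so a reachability check run from inside the container saves a round of log reading. The following is an added example, not a tool shipped with OpenCTI: it tests plain TCP connectivity to the platform URL and to the RabbitMQ host and port. The RabbitMQ hostname, the default AMQP port 5672 and the function names are assumptions; substitute the values your platform is configured with.

```python
import socket
from urllib.parse import urlsplit


def parse_endpoint(url):
    """Return (host, port) for an http(s) URL, applying the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def can_reach(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout.
    Name resolution failures are OSError subclasses, so they also yield False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(opencti_url, rabbitmq_host, rabbitmq_port=5672, timeout=3.0):
    """Names of the endpoints the connector cannot reach; an empty list means
    the container is attached to the right network. Run from inside the
    connector container, since that is the network namespace that matters."""
    checks = {
        "opencti": parse_endpoint(opencti_url),
        "rabbitmq": (rabbitmq_host, rabbitmq_port),
    }
    return [name for name, (host, port) in checks.items()
            if not can_reach(host, port, timeout)]


def probe_with_local_listener():
    """Self-check of can_reach: open a listener on an ephemeral loopback port,
    confirm it is reachable, close it, confirm the same port is now refused."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    reachable_while_open = can_reach("127.0.0.1", port, timeout=1.0)
    listener.close()
    reachable_after_close = can_reach("127.0.0.1", port, timeout=1.0)
    return reachable_while_open, reachable_after_close


if __name__ == "__main__":
    # Constructed values: the compose service name of the platform and the
    # RabbitMQ service name; replace them with the hostnames your deployment uses.
    print("unreachable:", preflight("http://opencti:8080", "rabbitmq"))
```

One detail this check makes visible: inside a container, `localhost` is the container's own loopback interface, so an `OPENCTI_URL` pointing at `localhost` only works when the connector shares the platform's network namespace. On a compose network the service name of the platform is what resolves.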

Connector token

Create the user

By default, a group named Connectors already exists in the platform. Create a new user named [C] Name of the connector in Settings > Security > Users.

Put the user in the group

Go to the user you have just created and add it to the Connectors group.

You can now get the user's token, which is displayed in the interface.

Docker activation

You can either run the Docker image of a connector directly or add it to your current docker-compose.yml file. To enable the MISP connector, for example, add a new service to your docker-compose.yml file:

# https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/misp/docker-compose.yml
version: "3"
services:
  connector-misp:
    image: opencti/connector-misp:6.7.4
    environment:
      - OPENCTI_URL=http://localhost
      - OPENCTI_TOKEN=ChangeMe
      - CONNECTOR_ID=ChangeMe
      - CONNECTOR_NAME=MISP
      - CONNECTOR_SCOPE=misp
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_EXPOSE_METRICS=false
      - MISP_URL=http://localhost # Required
      - MISP_REFERENCE_URL= # Optional, will be used to create external reference to MISP event (default is "url")
      - MISP_KEY=ChangeMe # Required
      - MISP_SSL_VERIFY=false # Required
      - MISP_DATETIME_ATTRIBUTE=timestamp # Required, filter to be used in query for new MISP events
      - MISP_DATE_FILTER_FIELD=timestamp # Required, field to filter on date
      - MISP_REPORT_DESCRIPTION_ATTRIBUTE_FILTER= # Optional, filter to be used to find the attribute with report description (example: "type=comment,category=Internal reference")
      - MISP_CREATE_REPORTS=true # Required, create report for MISP event
      - MISP_CREATE_INDICATORS=true # Required, create indicators from attributes
      - MISP_CREATE_OBSERVABLES=true # Required, create observables from attributes
      - MISP_CREATE_OBJECT_OBSERVABLES=true # Required, create text observables for MISP objects
      - MISP_CREATE_TAGS_AS_LABELS=true # Optional, create tags as labels (sanitize MISP tag to OpenCTI labels)
      - MISP_GUESS_THREAT_FROM_TAGS=false # Optional, try to guess threats (threat actor, intrusion set, malware, etc.) from MISP tags when they are present in OpenCTI
      - MISP_AUTHOR_FROM_TAGS=false # Optional, map creator:XX=YY (author of event will be YY instead of the author of the event)
      - MISP_MARKINGS_FROM_TAGS=false # Optional, map marking:XX=YY (in addition to TLP, add XX:YY as marking definition, where XX is marking type, YY is marking value)
      - MISP_ENFORCE_WARNING_LIST=false # Optional, enforce warning list in MISP queries
      - MISP_REPORT_TYPE=misp-event # Optional, report_class if creating report for event
      - MISP_IMPORT_FROM_DATE=2000-01-01 # Required, import all event from this date
      - MISP_IMPORT_TAGS= # Optional, list of tags used to filter events to import
      - MISP_IMPORT_TAGS_NOT= # Optional, list of tags to not include
      - MISP_IMPORT_CREATOR_ORGS= # Optional, only import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_CREATOR_ORGS_NOT= # Optional, do not import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS= # Optional, only import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS_NOT= # Optional, do not import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_KEYWORD= # Optional, search only events based on a keyword
      - MISP_IMPORT_DISTRIBUTION_LEVELS= # Optional, only import events with the given distribution levels (ex: 0,1,2,3)
      - MISP_IMPORT_THREAT_LEVELS= # Optional, only import events with the given threat levels (ex: 1,2,3,4)
      - MISP_IMPORT_ONLY_PUBLISHED=false
      - MISP_IMPORT_WITH_ATTACHMENTS=false # Optional, try to import a PDF file from the attachment attribute
      - MISP_IMPORT_TO_IDS_NO_SCORE=40 # Optional, use as a score for the indicator/observable if the attribute to_ids is no
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT=false # Optional, import unsupported observable as x_opencti_text
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT_TRANSPARENT=true # Optional, import unsupported observable as x_opencti_text just with the value
      - MISP_INTERVAL=5 # Required, in minutes
      - MISP_PROPAGATE_LABELS=false # Optional, propagate labels to the observables
    restart: always
    depends_on:
      - opencti

Connectors status

The connector status can be displayed in the dedicated section of the platform, available in Data > Ingestion > Connectors. There you will be able to see the statistics of the connector's RabbitMQ queue.
