OpenCTI Overview

Hi everyone, before starting the OpenCTI installation, let's look at how OpenCTI works and which dependencies it needs.

Architecture

OpenCTI system architecture

Platform

| Component    | CPU | RAM   |
|--------------|-----|-------|
| OpenCTI core | 2   | 8GB   |
| Workers      | 1   | 128MB |
| Connectors   | 1   | 128MB |

Connectors

Connectors in OpenCTI are external Python processes that integrate with the platform through the GraphQL API and message queues (RabbitMQ).

| Type                 | Description | Examples |
|----------------------|-------------|----------|
| EXTERNAL_IMPORT      | Pull data from external threat intelligence sources, convert it to STIX 2 and ingest it into OpenCTI. | MISP, MITRE ATT&CK, CVE, AlienVault, Mandiant, etc. |
| INTERNAL_ENRICHMENT  | React to new data or to an enrichment request in OpenCTI: pull enrichment information from an external resource and update existing entities. | Shodan, VirusTotal, Whois, etc. |
| INTERNAL_IMPORT_FILE | Parse files uploaded via the UI/API and convert their contents to STIX 2 for ingestion. | STIX 2.1, PDF, HTML, Text |
| INTERNAL_EXPORT_FILE | Generate exports of data held in OpenCTI. | STIX 2.1, CSV, PDF |
| STREAM               | Subscribe to the platform's real-time data streams (with RabbitMQ) and then perform actions such as forwarding events or triggering external systems. | Send logs to a SIEM (ELK, Wazuh, Splunk, etc.), sync with an external DB. |
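As an added example (not OpenCTI's own code nor that of any published connector), this shows the conversion step an EXTERNAL_IMPORT connector performs: constructed feed records are turned into a STIX 2.1 bundle with deterministic IDs and checked before ingestion. In a real connector the bundle would then be handed to pycti's OpenCTIConnectorHelper.send_stix2_bundle; that call is left out so the example runs offline, and the feed records, source name and ID namespace are all assumptions.

```python
import uuid

# Constructed sample feed records (not a real source); the third type is unsupported on purpose.
RAW_FEED = [
    {"type": "ipv4", "value": "198.51.100.23", "seen": "2024-05-01T10:00:00.000Z", "score": 80},
    {"type": "domain", "value": "example.invalid", "seen": "2024-05-02T12:30:00.000Z", "score": 60},
    {"type": "phone", "value": "+10000000000", "seen": "2024-05-02T12:31:00.000Z", "score": 10},
]
# STIX 2.1 pattern templates for the observable types this importer knows how to express.
STIX_PATTERNS = {"ipv4": "[ipv4-addr:value = '{v}']", "domain": "[domain-name:value = '{v}']"}
# Fixed namespace (chosen for this example) makes IDs deterministic, so re-importing the
# same value updates the existing entity in OpenCTI instead of creating a duplicate.
ID_NAMESPACE = uuid.UUID("6e8a2b1c-3d4f-4a5b-8c6d-7e8f9a0b1c2d")
REQUIRED = {"identity": ("name", "identity_class"), "indicator": ("pattern", "pattern_type", "valid_from")}

def stix_id(obj_type, key):
    return f"{obj_type}--{uuid.uuid5(ID_NAMESPACE, f'{obj_type}:{key}')}"

def to_stix_bundle(records, source_name="Example Feed"):
    """Convert raw feed records into a STIX 2.1 bundle attributed to the source identity."""
    identity_id = stix_id("identity", source_name)
    first_seen = min(r["seen"] for r in records)
    objects = [{"type": "identity", "spec_version": "2.1", "id": identity_id, "name": source_name,
                "identity_class": "organization", "created": first_seen, "modified": first_seen}]
    for rec in records:
        template = STIX_PATTERNS.get(rec["type"])
        if template is None:
            continue  # unknown observable type: skip rather than emit an invalid pattern
        value = rec["value"].replace("'", "\\'")  # escape quotes inside the pattern literal
        objects.append({"type": "indicator", "spec_version": "2.1", "name": rec["value"],
                        "id": stix_id("indicator", rec["value"]), "created_by_ref": identity_id,
                        "created": rec["seen"], "modified": rec["seen"], "valid_from": rec["seen"],
                        "pattern_type": "stix", "pattern": template.format(v=value),
                        "confidence": rec["score"]})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def check_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is ready to send."""
    ids = {o["id"] for o in bundle["objects"]}
    problems = []
    for o in bundle["objects"]:
        for field in ("id", "spec_version") + REQUIRED.get(o["type"], ()):
            if field not in o:
                problems.append(f"{o.get('id', '?')}: missing {field}")
        ref = o.get("created_by_ref")
        if ref is not None and ref not in ids:  # the platform cannot resolve a dangling reference
            problems.append(f"{o['id']}: created_by_ref {ref} not in bundle")
    return problems
```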

Dependencies

| Component                  | Version            |
|----------------------------|--------------------|
| ElasticSearch / OpenSearch | >=8.0 / >=2.9      |
| Redis                      | >=7.1              |
| RabbitMQ                   | >=3.1              |
| S3 / MinIO                 | >= RELEASE.2023-02 |
