OpenCTI is an open source threat intelligence platform developed by Filigran in collaboration with French national cybersecurity agency (ANSSI), CERT-EU and Luatix. Organizations can manage threat intelligence knowledge and observables such as TTPs structuring data in STIX2, store, organize and visualize cyber threats. This product is available on GitHub.
Developing a Connector OpenCTI connector is developed using Python3 and the type of connector depends on the Use Case. There are five connector types to choose from based on your Use Cases:
The connector should pass the following criteria for the community to use:
- # Linting with flake8 contains no errors or warnings
- $ flake8 –ignore=E,W
- # Verify formatting with black
- $ black
Data Model OpenCTI uses concept of Nodes and Edges as two entities for Graphical visualization of threats. Nodes to describe an entity and its values like IP address, domain, malware etc. Edges to describe relationship between two entity nodes. Once data is integrated in OpenCTI by analysts, new relations may be inferred from current to facilitate the understanding of information. This allows the analysts to leverage meaningful knowledge on the observables.
The value of OpenCTI integration allows organizations manage data from multiple sources for enhanced threat hunting and detection.
