OpenCTI supports multiple ways to integrate with other systems which do not have native connectors or plugins to the platform. Here are the technical features available to ease the connection and the integration of the platform with other applications.
If you are looking to the list of OpenCTI connectors or native integration, please check the OpenCTI Ecosystem.
Native feeds and streams
To ease integrations with other products, OpenCTI has built-in capabilities to deliver the data to third-parties.
It is possible to create as many CSV feeds as needed, based on filters and accessible in HTTP. CSV feeds are available in Data > Data sharing > Feeds (CSV).
When creating a CSV feed, you need to select one or multiple types of entity to make available. For all columns available in the CSV, you've to select which field will be used for each type of entity:
For more information about CSV feeds, filters and configuration, please check the Export in structured format section.
Most of the moden cybersecurity systems such as SIEMs, EDRs, XDRs and even firewalls supports the TAXII protocol which is basically a paginated HTTP STIX feed. OpenCTI implements a TAXII 2.1 server with the ability to create as many TAXII collections as needed in Data > Data sharing > TAXII Collections?
TAXII collections are a sub-selection of the knowledge available in the platform and relie on filters. For instance, it is possible to create TAXII collections for pieces of malware with a given label, for indicators with a score greater than n, etc.
After implementing CSV feeds and TAXII collections, we figured out that those 2 stateless APIs are definitely not enough when it comes to tackle advanced information sharing challenges such as:
- Real time transmission of the information (ie. avoid hundreds of systems to pull data every 5 minutes).
- Dependencies resolution (ie. an intrusion created by an organization but the organization is not in the TAXII collection).
- Partial update for huge entities such as report (ie. just having the update event).
- Delete events when necessary (ie. to handle indicators expiration in third party systems for instance).
Live streams are available in Data > Data sharing > Live streams. As TAXII collections, it is possible to create as many streams as needed using filters.
Streams implement the HTTP SSE (Server-sent events) protocol and give applications to consume a real time pure STIX 2.1 stream. Stream connectors in the OpenCTI Ecosystem are using live streams to consume data and do something such as create / update / delete information in SIEMs, XDRs, etc.
For all previously explained capabilities, as they are over the HTTP protocol, 3 authentication mechanisms are available to consume them.
Using a bearer header with your OpenCTI API key
Your API key can be found in your profile available clicking on the top right icon.
Using basic authentication
Using client certificate authentication
To know how to configure the client certificate authentication, please consult the authentication configuration section.
API and libraries
To allow analysts and developers to implement more custom or complex use cases, a full GraphQL API is available in the application on the
The API can be queried using various GraphQL client such as Postman but you can leverage any HTTP client to forge GraphQL queries using
The API authentication can be performed using the token of a user and a classic Authorization header:
The playground is available on the
/graphql endpoint. A link button is also available in the profile of your user.
All the schema documentation is directly available in the playground.
If you already logged to OpenCTI with the same browser you should be able to directly do some requests. If you are not authenticated or want to authenticate only through the playground you can use a header configuration using your profile token
Example of configuration (bottom left of the playground):
Since not everyone is familiar with GraphQL APIs, we've developed a Python library to ease the interaction with it. The library is pretty easy to use. To initiate the client:
Then just use the available helpers:
For more detailed information about the Python library, please read the dedicated section.