The purpose of this section is to learn how to configure OpenCTI to have it tailored for your production and development needs. It is possible to check all default parameters implemented in the platform in the default.json file.
Here are the configuration keys, for both containers (environment variables) and manual deployment.
Parameters equivalence
In environment variables, each level of the config hierarchy is separated by a double underscore (__).
For example:
"providers":{"ldap":{"strategy":"LdapStrategy"}}
will become:
PROVIDERS__LDAP__STRATEGY=LdapStrategy
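The mapping rule above, as an added Python example (not OpenCTI's own code) that flattens a nested config into environment variable names and maps a variable name back to its config key when reviewing a container definition. The function names are hypothetical, and writing lists as a compact JSON array is an assumption taken from the FIELD_TARGETS example later on this page.

```python
import json

SEP = "__"  # one level of nesting per double underscore

def encode(value):
    """Render a JSON value as the string an environment variable carries."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, list):
        # Assumption: lists are written as a compact JSON array, matching the
        # FIELD_TARGETS=["username","password"] example on this page.
        return json.dumps(value, separators=(",", ":"))
    return "" if value is None else str(value)

def to_env(config, prefix=()):
    """Flatten a nested config dict into {ENV_NAME: string_value}."""
    env = {}
    for key, value in config.items():
        if SEP in key:
            # A key containing "__" could not be told apart from two levels.
            raise ValueError(f"key {key!r} contains {SEP!r}; mapping is ambiguous")
        path = prefix + (key.upper(),)
        if isinstance(value, dict):
            env.update(to_env(value, path))
        else:
            env[SEP.join(path)] = encode(value)
    return env

def to_config_path(env_name):
    """Map an environment variable name back to its colon-separated key."""
    return ":".join(part.lower() for part in env_name.split(SEP))

# Constructed sample; the first entry is the LDAP example from this page.
SAMPLE = json.loads("""
{
  "providers": {"ldap": {"strategy": "LdapStrategy"}},
  "elasticsearch": {"ssl": {"reject_unauthorized": true}},
  "redis": {"mode": "single", "port": 6379, "ca": []}
}
""")

if __name__ == "__main__":
    for name, value in sorted(to_env(SAMPLE).items()):
        print(f"{name}={value}    # {to_config_path(name)}")
```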
If you need to put a list of elements for the key, it must have a special formatting. Here is an example for redirect URIs for OpenID config:
Introspection is allowed to auth users but can be disabled if needed
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| app:concurrency:retry_count | APP__CONCURRENCY__RETRY_COUNT | 200 | Number of attempts to get the lock to work on an element (create/update/merge, ...) |
| app:concurrency:retry_delay | APP__CONCURRENCY__RETRY_DELAY | 100 | Delay between two lock retries (in milliseconds) |
| app:concurrency:retry_jitter | APP__CONCURRENCY__RETRY_JITTER | 50 | Random jitter to prevent concurrent retries (in milliseconds) |
| app:concurrency:max_ttl | APP__CONCURRENCY__MAX_TTL | 30000 | Global maximum time for lock retry (in milliseconds) |
Dependencies
XTM Suite
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| xtm:openbas_url | XTM__OPENBAS_URL | | OpenBAS URL |
| xtm:openbas_api_url | XTM__OPENBAS_API_URL | | If set, overrides the API base URL used for the OpenBAS integration |
| xtm:openbas_token | XTM__OPENBAS_TOKEN | | OpenBAS token |
| xtm:openbas_reject_unauthorized | XTM__OPENBAS_REJECT_UNAUTHORIZED | false | Enable TLS certificate check |
| xtm:openbas_disable_display | XTM__OPENBAS_DISABLE_DISPLAY | false | Disable OpenBAS posture in the UI |
ElasticSearch
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| elasticsearch:engine_selector | ELASTICSEARCH__ENGINE_SELECTOR | auto | elk or opensearch; default is auto. Set it to elk if you use token auth. |
| elasticsearch:engine_check | ELASTICSEARCH__ENGINE_CHECK | false | Disable Search Engine compatibility matrix verification. Caution: OpenCTI was developed in compliance with the compatibility matrix. Setting the parameter to true may result in negative impacts. |
| elasticsearch:url | ELASTICSEARCH__URL | http://localhost:9200 | URL(s) of the ElasticSearch (supports http://user:pass@localhost:9200 and list of URLs) |
| elasticsearch:username | ELASTICSEARCH__USERNAME | | Username can be put in the URL or with this parameter |
| elasticsearch:password | ELASTICSEARCH__PASSWORD | | Password can be put in the URL or with this parameter |
| elasticsearch:api_key | ELASTICSEARCH__API_KEY | | API key for ElasticSearch token auth. Please also set engine_selector to elk. |
| elasticsearch:index_prefix | ELASTICSEARCH__INDEX_PREFIX | opencti | Prefix for the indices |
| elasticsearch:ssl:reject_unauthorized | ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED | true | Enable TLS certificate check |
| elasticsearch:ssl:ca | ELASTICSEARCH__SSL__CA | | Custom certificate path or content |
| elasticsearch:search_wildcard_prefix | ELASTICSEARCH__SEARCH_WILDCARD_PREFIX | false | Search includes words with automatic fuzzy comparison |
| elasticsearch:search_fuzzy | ELASTICSEARCH__SEARCH_FUZZY | false | Search will include words not starting with the search keyword |
Redis
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| redis:mode | REDIS__MODE | single | Connect to Redis in "single", "sentinel" or "cluster" mode |
| redis:namespace | REDIS__NAMESPACE | | Namespace (to use as prefix) |
| redis:hostname | REDIS__HOSTNAME | localhost | Hostname of the Redis Server |
| redis:hostnames | REDIS__HOSTNAMES | | Hostnames definition for Redis cluster or sentinel mode: a list of host:port objects. |
| redis:port | REDIS__PORT | 6379 | Port of the Redis Server |
| redis:sentinel_master_name | REDIS__SENTINEL_MASTER_NAME | | Name of your Redis Sentinel Master (mandatory in sentinel mode) |
| redis:use_ssl | REDIS__USE_SSL | false | Whether the Redis Server has TLS enabled |
| redis:username | REDIS__USERNAME | | Username of the Redis Server |
| redis:password | REDIS__PASSWORD | | Password of the Redis Server |
| redis:database | REDIS__DATABASE | | Database of the Redis Server (only works in single mode) |
| redis:ca | REDIS__CA | [] | List of path(s) of the CA certificate(s) |
| redis:trimming | REDIS__TRIMMING | 2000000 | Number of elements to maintain in the stream. (0 = unlimited) |
RabbitMQ
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| rabbitmq:hostname | RABBITMQ__HOSTNAME | localhost | Hostname of the RabbitMQ server |
| rabbitmq:port | RABBITMQ__PORT | 5672 | Port of the RabbitMQ server |
| rabbitmq:port_management | RABBITMQ__PORT_MANAGEMENT | 15672 | Port of the RabbitMQ Management Plugin |
| rabbitmq:username | RABBITMQ__USERNAME | guest | RabbitMQ user |
| rabbitmq:password | RABBITMQ__PASSWORD | guest | RabbitMQ password |
| rabbitmq:queue_type | RABBITMQ__QUEUE_TYPE | "classic" | RabbitMQ Queue Type ("classic" or "quorum") |
| - | - | - | - |
| rabbitmq:use_ssl | RABBITMQ__USE_SSL | false | Use TLS connection |
| rabbitmq:use_ssl_cert | RABBITMQ__USE_SSL_CERT | | Path or cert content |
| rabbitmq:use_ssl_key | RABBITMQ__USE_SSL_KEY | | Path or key content |
| rabbitmq:use_ssl_pfx | RABBITMQ__USE_SSL_PFX | | Path or pfx content |
| rabbitmq:use_ssl_ca | RABBITMQ__USE_SSL_CA | [] | List of path(s) of the CA certificate(s) |
| rabbitmq:use_ssl_passphrase | RABBITMQ__SSL_PASSPHRASE | | Passphrase for the key certificate |
| rabbitmq:use_ssl_reject_unauthorized | RABBITMQ__SSL_REJECT_UNAUTHORIZED | false | Reject rabbit self-signed certificate |
| - | - | - | - |
| rabbitmq:management_ssl | RABBITMQ__MANAGEMENT_SSL | false | Whether the Management Plugin has TLS enabled |
| rabbitmq:management_ssl_reject_unauthorized | RABBITMQ__SSL_REJECT_UNAUTHORIZED | true | Reject management self-signed certificate |
S3 Bucket
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| minio:endpoint | MINIO__ENDPOINT | localhost | Hostname of the S3 Service. Example if you use AWS Bucket S3: s3.us-east-1.amazonaws.com (if minio:bucket_region value is us-east-1). This parameter value can be omitted if you use Minio as an S3 Bucket Service. |
| minio:port | MINIO__PORT | 9000 | Port of the S3 Service. For AWS Bucket S3 over HTTPS, this value can be changed (usually 443). |
| minio:use_ssl | MINIO__USE_SSL | false | Indicates whether the S3 Service has TLS enabled. For AWS Bucket S3 over HTTPS, this value could be true. |
| minio:access_key | MINIO__ACCESS_KEY | ChangeMe | Access key for the S3 Service. |
| minio:secret_key | MINIO__SECRET_KEY | ChangeMe | Secret key for the S3 Service. |
| minio:bucket_name | MINIO__BUCKET_NAME | opencti-bucket | S3 bucket name. Useful to change if you use AWS. |
| minio:bucket_region | MINIO__BUCKET_REGION | us-east-1 | Region of the S3 bucket if you are using AWS. This parameter value can be omitted if you use Minio as an S3 Bucket Service. |
| minio:use_aws_role | MINIO__USE_AWS_ROLE | false | Indicates whether to use AWS role auto credentials. When this parameter is configured, the minio:access_key and minio:secret_key parameters are not necessary. |
SMTP Service
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| smtp:hostname | SMTP__HOSTNAME | | SMTP Server hostname |
| smtp:port | SMTP__PORT | 465 | SMTP Port (25 or 465 for TLS) |
| smtp:use_ssl | SMTP__USE_SSL | false | SMTP over TLS |
| smtp:reject_unauthorized | SMTP__REJECT_UNAUTHORIZED | false | Enable TLS certificate check |
| smtp:username | SMTP__USERNAME | | SMTP Username if authentication is needed |
| smtp:password | SMTP__PASSWORD | | SMTP Password if authentication is needed |
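Several defaults listed in the dependency tables above are placeholders or leave TLS certificate checking off (guest/guest for RabbitMQ, ChangeMe for the S3 keys, false for the SMTP and OpenBAS certificate checks). The following added Python example (not part of OpenCTI) audits an environment mapping for those settings before deployment. The function name, the finding messages and the sample environment are constructed for illustration, and ELASTICSEARCH__URL is assumed to hold a single URL.

```python
from urllib.parse import urlsplit

# Defaults copied from the tables on this page; applied when a variable is unset.
DEFAULTS = {
    "RABBITMQ__USERNAME": "guest", "RABBITMQ__PASSWORD": "guest",
    "MINIO__ACCESS_KEY": "ChangeMe", "MINIO__SECRET_KEY": "ChangeMe",
    "MINIO__USE_AWS_ROLE": "false", "SMTP__REJECT_UNAUTHORIZED": "false",
    "XTM__OPENBAS_REJECT_UNAUTHORIZED": "false",
    "ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED": "true",
    "ELASTICSEARCH__URL": "http://localhost:9200",
}
PLACEHOLDERS = {"guest", "ChangeMe"}
# TLS verification switch -> variable whose presence shows the service is used.
TLS_CHECKS = {
    "SMTP__REJECT_UNAUTHORIZED": "SMTP__HOSTNAME",
    "XTM__OPENBAS_REJECT_UNAUTHORIZED": "XTM__OPENBAS_URL",
    "ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED": "ELASTICSEARCH__URL",
}

def audit(env):
    """Return sorted findings for an {ENV_NAME: value} mapping."""
    def get(name):
        return env.get(name, DEFAULTS.get(name, ""))
    findings = []
    secrets = ["RABBITMQ__USERNAME", "RABBITMQ__PASSWORD"]
    # Per the S3 table, static keys are not needed when the AWS role is used.
    if get("MINIO__USE_AWS_ROLE").lower() != "true":
        secrets += ["MINIO__ACCESS_KEY", "MINIO__SECRET_KEY"]
    for name in secrets:
        if get(name) in PLACEHOLDERS:
            findings.append(f"{name}: documented default value still in use")
    for name, in_use in TLS_CHECKS.items():
        if get(in_use) and get(name).lower() != "true":
            findings.append(f"{name}: TLS certificate check is off")
    # Assumption: a single URL; a list of URLs would need splitting first.
    url = urlsplit(get("ELASTICSEARCH__URL"))
    if url.scheme == "http" and url.password:
        findings.append("ELASTICSEARCH__URL: credentials sent over plain http")
    return sorted(findings)

# Constructed sample environment, not taken from a real deployment.
SAMPLE_ENV = {
    "RABBITMQ__USERNAME": "opencti", "RABBITMQ__PASSWORD": "guest",
    "MINIO__USE_AWS_ROLE": "true", "SMTP__HOSTNAME": "smtp.example.org",
    "ELASTICSEARCH__URL": "http://elastic:s3cret@es.example.org:9200",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ENV)))
```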
AI Service
AI deployment and cloud services
There are several possibilities for Enterprise Edition customers to use OpenCTI AI endpoints:
- Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.
- Use OpenAI or MistralAI cloud endpoints using your own tokens.
- Deploy or use local AI endpoints (Filigran can provide you with the custom model).
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| ai:enabled | AI__ENABLED | true | Enable AI capabilities |
| ai:type | AI__TYPE | mistralai | AI type (mistralai or openai) |
| ai:endpoint | AI__ENDPOINT | | Endpoint URL (empty means default cloud service) |
| ai:token | AI__TOKEN | | Token for endpoint credentials |
| ai:model | AI__MODEL | | Model to be used for text generation (depending on type) |
| ai:model_images | AI__MODEL_IMAGES | | Model to be used for image generation (depending on type) |
In some cases, it may not be possible to put dependency credentials directly in environment variables or static configuration. The platform can then retrieve them from a credentials provider. Here is the list of supported providers:
| Credentials provider | Provider key |
|---|---|
| CyberArk | cyberark |
For each dependency, special configuration keys are available to ensure the platform retrieves credentials during the start process. Not all dependencies support this mechanism; here is the exhaustive list:
Fields targets in the data content response after splitting
Here is an example for ElasticSearch:
Environment variables:
- ELASTICSEARCH__CREDENTIALS_PROVIDER__CYBERARK__URI=http://my.cyberark.com/AIMWebService/api/Accounts
- ELASTICSEARCH__CREDENTIALS_PROVIDER__CYBERARK__APP_ID=opencti-elastic
- ELASTICSEARCH__CREDENTIALS_PROVIDER__CYBERARK__SAFE=mysafe-key
- ELASTICSEARCH__CREDENTIALS_PROVIDER__CYBERARK__OBJECT=myobject-key
- "ELASTICSEARCH__CREDENTIALS_PROVIDER__CYBERARK__DEFAULT_SPLITTER=:" # As default is already ":", may not be necessary
- "ELASTICSEARCH__CREDENTIALS_PROVIDER__CYBERARK__FIELD_TARGETS=[\"username\",\"password\"]"

- MINIO__CREDENTIALS_PROVIDER__HTTPS_CERT__CRT=/cert_volume/mycert.crt
- MINIO__CREDENTIALS_PROVIDER__HTTPS_CERT__KEY=/cert_volume/mycert.key
- MINIO__CREDENTIALS_PROVIDER__HTTPS_CERT__CA=/cert_volume/ca.crt
- MINIO__CREDENTIALS_PROVIDER__CYBERARK__URI=http://my.cyberark.com/AIMWebService/api/Accounts
- MINIO__CREDENTIALS_PROVIDER__CYBERARK__APP_ID=opencti-s3
- MINIO__CREDENTIALS_PROVIDER__CYBERARK__SAFE=mysafe-key
- MINIO__CREDENTIALS_PROVIDER__CYBERARK__OBJECT=myobject-key
- "MINIO__CREDENTIALS_PROVIDER__CYBERARK__DEFAULT_SPLITTER=:" # As default is already ":", may not be necessary
- "MINIO__CREDENTIALS_PROVIDER__CYBERARK__FIELD_TARGETS=[\"access_key\",\"secret_key\"]"
Engines, Schedules and Managers
| Parameter | Environment variable | Default value | Description |
|---|---|---|---|
| rule_engine:enabled | RULE_ENGINE__ENABLED | true | Enable/disable the rule engine |
| rule_engine:lock_key | RULE_ENGINE__LOCK_KEY | rule_engine_lock | Lock key of the engine in Redis |
| - | - | - | - |
| history_manager:enabled | HISTORY_MANAGER__ENABLED | true | Enable/disable the history manager |
| history_manager:lock_key | HISTORY_MANAGER__LOCK_KEY | history_manager_lock | Lock key for the manager in Redis |
| - | - | - | - |
| task_scheduler:enabled | TASK_SCHEDULER__ENABLED | true | Enable/disable the task scheduler |
| task_scheduler:lock_key | TASK_SCHEDULER__LOCK_KEY | task_manager_lock | Lock key for the scheduler in Redis |
| task_scheduler:interval | TASK_SCHEDULER__INTERVAL | 10000 | Interval to check for new tasks to do (in ms) |
| - | - | - | - |
| sync_manager:enabled | SYNC_MANAGER__ENABLED | true | Enable/disable the sync manager |
| sync_manager:lock_key | SYNC_MANAGER__LOCK_KEY | sync_manager_lock | Lock key for the manager in Redis |
| sync_manager:interval | SYNC_MANAGER__INTERVAL | 10000 | Interval to check new sync feeds to consume (in ms) |
| - | - | - | - |
| expiration_scheduler:enabled | EXPIRATION_SCHEDULER__ENABLED | true | Enable/disable the scheduler |
| expiration_scheduler:lock_key | EXPIRATION_SCHEDULER__LOCK_KEY | expired_manager_lock | Lock key for the scheduler in Redis |
| expiration_scheduler:interval | EXPIRATION_SCHEDULER__INTERVAL | 300000 | Interval to check expired indicators (in ms) |
| - | - | - | - |
| retention_manager:enabled | RETENTION_MANAGER__ENABLED | true | Enable/disable the retention manager |
| retention_manager:lock_key | RETENTION_MANAGER__LOCK_KEY | retention_manager_lock | Lock key for the manager in Redis |
| retention_manager:interval | RETENTION_MANAGER__INTERVAL | 60000 | Interval to check items to be deleted (in ms) |
| - | - | - | - |
| notification_manager:enabled | NOTIFICATION_MANAGER__ENABLED | true | Enable/disable the notification manager |
| notification_manager:lock_live_key | NOTIFICATION_MANAGER__LOCK_LIVE_KEY | notification_live_manager_lock | Lock live key for the manager in Redis |
| notification_manager:lock_digest_key | NOTIFICATION_MANAGER__LOCK_DIGEST_KEY | notification_digest_manager_lock | Lock digest key for the manager in Redis |
| notification_manager:interval | NOTIFICATION_MANAGER__INTERVAL | 10000 | Interval to push notifications |
| - | - | - | - |
| publisher_manager:enabled | PUBLISHER_MANAGER__ENABLED | true | Enable/disable the publisher manager |
| publisher_manager:lock_key | PUBLISHER_MANAGER__LOCK_KEY | publisher_manager_lock | Lock key for the manager in Redis |
| publisher_manager:interval | PUBLISHER_MANAGER__INTERVAL | 10000 | Interval to send notifications / digests (in ms) |
| - | - | - | - |
| ingestion_manager:enabled | INGESTION_MANAGER__ENABLED | true | Enable/disable the ingestion manager |
| ingestion_manager:lock_key | INGESTION_MANAGER__LOCK_KEY | ingestion_manager_lock | Lock key for the manager in Redis |
| ingestion_manager:interval | INGESTION_MANAGER__INTERVAL | 30000 | Interval to check for new data in remote feeds |
| ingestion_manager:rss_feed:min_interval_minutes | INGESTION_MANAGER__RSS_FEED__MIN_INTERVAL_MINUTES | 5 | Minimum interval before requesting the same RSS feed again |
| ingestion_manager:rss_feed:user_agent | INGESTION_MANAGER__RSS_FEED__USER_AGENT | | User agent to use for RSS Feed requests |
| ingestion_manager:csv_feed:min_interval_minutes | INGESTION_MANAGER__CSV_FEED__MIN_INTERVAL_MINUTES | 5 | Minimum interval before requesting the same CSV feed again |
| - | - | - | - |
| playbook_manager:enabled | PLAYBOOK_MANAGER__ENABLED | true | Enable/disable the playbook manager |
| playbook_manager:lock_key | PLAYBOOK_MANAGER__LOCK_KEY | publisher_manager_lock | Lock key for the manager in Redis |
| playbook_manager:interval | PLAYBOOK_MANAGER__INTERVAL | 60000 | Interval to check new playbooks |
| - | - | - | - |
| activity_manager:enabled | ACTIVITY_MANAGER__ENABLED | true | Enable/disable the activity manager |
| activity_manager:lock_key | ACTIVITY_MANAGER__LOCK_KEY | activity_manager_lock | Lock key for the manager in Redis |
| - | - | - | - |
| connector_manager:enabled | CONNECTOR_MANAGER__ENABLED | true | Enable/disable the connector manager |
| connector_manager:lock_key | CONNECTOR_MANAGER__LOCK_KEY | connector_manager_lock | Lock key for the manager in Redis |
| connector_manager:works_day_range | CONNECTOR_MANAGER__WORKS_DAY_RANGE | 7 | Days range before considering the works as too old |