Integrations
Introduction
OpenCTI supports multiple ways to integrate with other systems which do not have native connectors or plugins to the platform. Here are the technical features available to ease the connection and the integration of the platform with other applications.
Connectors list
If you are looking for the list of OpenCTI connectors or native integration, please check the OpenCTI Ecosystem.
Native feeds and streams
To ease integrations with other products, OpenCTI has built-in capabilities to deliver the data to third-parties.
CSV Feeds
It is possible to create as many CSV feeds as needed, based on filters and accessible in HTTP. CSV feeds are available in Data > Data sharing > CSV deeds.
When creating a CSV feed, you need to select one or multiple types of entities to make available. Then, you must assign a field (of an entity type) to each column in the CSV:
Details
For more information about CSV feeds, filters and configuration, please check the Native feeds page.
TAXII collections
Most of the modern cybersecurity systems such as SIEMs, EDRs, XDRs and even firewalls support the TAXII protocol which is basically a paginated HTTP STIX feed. OpenCTI implements a TAXII 2.1 server with the ability to create as many TAXII collections as needed in Data > Data sharing > TAXII Collections.
TAXII collections are a sub-selection of the knowledge available in the platform and rely on filters. For instance, it is possible to create TAXII collections for pieces of malware with a given label, for indicators with a score greater than n, etc.
Live Streams
After implementing CSV feeds and TAXII collections, we figured out that those 2 stateless APIs are definitely not enough when it comes to tackle advanced information sharing challenges such as:
- Real time transmission of the information (i.e. avoid hundreds of systems to pull data every 5 minutes).
- Dependencies resolution (i.e. an intrusion created by an organization but the organization is not in the TAXII collection).
- Partial update for huge entities such as report (i.e. just having the update event).
- Delete events when necessary (i.e. to handle indicators expiration in third party systems for instance).
That's why we've developed the live streams. They are available in Data > Data sharing > Live streams. As with TAXII collections, it is possible to create as many streams as needed using filters.
Streams implement the HTTP SSE (Server-sent events) protocol and give applications the possibility to consume a real time pure STIX 2.1 stream. Stream connectors in the OpenCTI Ecosystem are using live streams to consume data and do something such as create / update / delete information in SIEMs, XDRs, etc.
Authentication
For all previously explained capabilities, as they are over the HTTP protocol, 3 authentication mechanisms are available to consume them.
-
Using a bearer header with your OpenCTI API key
API Key
Your API key can be found in your profile available clicking on the top right icon.
-
Using basic authentication
-
Using client certificate authentication
To know how to configure the client certificate authentication, please consult the authentication configuration section.
API and libraries
GraphQL API
To allow analysts and developers to implement more custom or complex use cases, a full GraphQL API is available in the application on the /graphql
endpoint.
The API can be queried using various GraphQL client such as Postman but you can leverage any HTTP client to forge GraphQL queries using POST
methods.
Authentication
The API authentication can be performed using the token of a user and a classic Authorization header:
Playground
The playground is available on the /graphql
endpoint. A link button is also available in the profile of your user.
All the schema documentation is directly available in the playground.
If you already logged to OpenCTI with the same browser you should be able to directly do some requests. If you are not authenticated or want to authenticate only through the playground you can use a header configuration using your profile token
Example of configuration (bottom left of the playground):
Additional GraphQL documentation
To find out more about GraphQL and the playground, you can find two additional documentation pages: the GraphQL API page and the GraphQL playground page.
Python library
Since not everyone is familiar with GraphQL APIs, we've developed a Python library to ease the interaction with it. The library is pretty easy to use. To initiate the client:
# coding: utf-8
from pycti import OpenCTIApiClient
# Variables
api_url = "http://opencti:4000"
api_token = "bfa014e0-e02e-4aa6-a42b-603b19dcf159"
# OpenCTI initialization
opencti_api_client = OpenCTIApiClient(api_url, api_token)
Then just use the available helpers:
# Search for malware with the keyword "windows"
malwares = opencti_api_client.malware.list(search="windows")
# Print
print(malwares)
Details
For more detailed information about the Python library, please read the dedicated section.