# OpenCTI Threat Intel Enrichment
The OpenCTI connector provides actionable threat intelligence enrichment capabilities, enabling automated incident creation and indicator management within the Swimlane platform.

OpenCTI is an open source platform that specializes in the analysis and sharing of cyber threat intelligence. The OpenCTI Threat Intel Enrichment connector for Swimlane Turbine allows users to create and manage threat intelligence incidents and indicators directly within the Swimlane ecosystem. By integrating with OpenCTI, users can enrich their security automation workflows with detailed threat intelligence, enabling more informed decision making and proactive defense strategies. This connector facilitates the retrieval and filtering of threat indicators, incident management, and the searching of observables for precise threat intelligence matching, enhancing the overall security posture of organizations.

## Prerequisites

To utilize the OpenCTI Threat Intel Enrichment connector, ensure you have the following:

- Custom API key authentication with the necessary parameters:
  - URL: the endpoint URL for the OpenCTI API
  - API key: a valid API key to authenticate requests to the OpenCTI platform

## Capabilities

The OpenCTI Threat Intel Enrichment connector has the following capabilities:

- Create Incidents
- Create Indicators
- Filter Indicators
- Get Incidents
- Search Observables

## Notes

More information on OpenCTI Threat Intel Enrichment can be found at https://docs.opencti.io/latest/.

## Configurations

### OpenCTI Threat Intel Enrichment Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apikey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create Incidents

Create new incidents in OpenCTI to bolster threat intelligence, requiring an incident name for execution.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| description | string | optional | Parameter for Create Incidents |
| first_seen | string | optional | Parameter for Create Incidents |
| confidence | string | optional | Unique identifier |
| severity | string | optional | Parameter for Create Incidents |

#### Input Example

```json
{
  "name": "C2 server of the new campaign",
  "description": "This is the C2 server of the campaign",
  "first_seen": "2019-12-01"
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| standard_id | string | Unique identifier |
| entity_type | string | Type of the resource |
| parent_types | array | Type of the resource |
| createdById | object | Unique identifier |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "5f6e3a41-beed-46e0-b397-bd9c2bdc48bc",
    "standard_id": "incident--4b522d08-2880-51aa-8153-0f68454a7303",
    "entity_type": "Incident",
    "parent_types": ["Basic-Object", "Stix-Object", "Stix-Core-Object"],
    "createdById": null
  }
}
```

### Create Indicators

Creates an indicator object in OpenCTI using details such as name, pattern, pattern type, and main observable type for monitoring malicious activities.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| description | string | optional | Parameter for Create Indicators |
| pattern_type | string | required | Type of the resource |
| pattern | string | required | Parameter for Create Indicators |
| x_opencti_main_observable_type | string | required | Type of the resource |
| valid_from | string | optional | Unique identifier |

#### Input Example

```json
{
  "name": "C2 server of the new campaign",
  "description": "This is the C2 server of the campaign",
  "pattern_type": "stix",
  "pattern": "[domain-name:value = 'www.5z8.info']",
  "x_opencti_main_observable_type": "IPv4-Addr",
  "valid_from": "2019-12-01"
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| standard_id | string | Unique identifier |
| entity_type | string | Type of the resource |
| parent_types | array | Type of the resource |
| observables | array | Output field observables |
| createdById | string | Unique identifier |
| observablesIds | array | Unique identifier |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "2ca5deca-79a6-486f-80c6-df4a52510d71",
    "standard_id": "indicator--6378a591-75f1-5dd8-910a-6c1b835af84f",
    "entity_type": "Indicator",
    "parent_types": ["Basic-Object", "Stix-Object", "Stix-Core-Object"],
    "observables": [{}],
    "createdById": "",
    "observablesIds": [""]
  }
}
```

### Filter Indicators

Retrieve targeted threat intelligence indicators from OpenCTI based on specified criteria for focused analysis.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | The ID of the threat actor group |
| filters | object | optional | Parameter for Filter Indicators |
| filters.mode | string | optional | Parameter for Filter Indicators |
| filters.filters | array | optional | Parameter for Filter Indicators |
| filters.filters.key | array | required | Parameter for Filter Indicators |
| filters.filters.values | array | required | Value for the parameter |
| filters.filters.operator | string | required | Parameter for Filter Indicators |
| filters.filterGroups | array | optional | Parameter for Filter Indicators |

#### Input Example

```json
{
  "id": "2ca5deca-79a6-486f-80c6-df4a52510d71",
  "filters": {
    "mode": "and",
    "filters": [
      {
        "key": ["id"],
        "values": ["2ca5deca-79a6-486f-80c6-df4a52510d71"],
        "operator": "eq"
      }
    ],
    "filterGroups": []
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| standard_id | string | Unique identifier |
| entity_type | string | Type of the resource |
| parent_types | array | Type of the resource |
| spec_version | string | Output field spec_version |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| creators | array | Output field creators |
| creators.id | string | Unique identifier |
| creators.name | string | Name of the resource |
| createdBy | object | Output field createdBy |
| objectOrganization | array | Output field objectOrganization |
| objectMarking | array | Output field objectMarking |
| objectLabel | array | Output field objectLabel |
| externalReferences | array | Output field externalReferences |
| revoked | boolean | Output field revoked |
| confidence | number | Unique identifier |
| created | string | Output field created |
| modified | string | Output field modified |
| pattern_type | string | Type of the resource |
| pattern_version | object | Output field pattern_version |
| pattern | string | Output field pattern |
| name | string | Name of the resource |

#### Output Example

```json
{
  "id": "12345678-1234-1234-1234-123456789abc",
  "standard_id": "string",
  "entity_type": "string",
  "parent_types": ["string"],
  "spec_version": "string",
  "created_at": "string",
  "updated_at": "string",
  "creators": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "name": "example name"
    }
  ],
  "createdBy": {},
  "objectOrganization": [],
  "objectMarking": [],
  "objectLabel": [],
  "externalReferences": [],
  "revoked": true,
  "confidence": 123
}
```

### Get Incidents

Retrieves the first set of incidents from OpenCTI with optional filtering by ID or custom filters, and supports fetching all records.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | Incident ID to fetch a single incident. If set, other list options are ignored. |
| filters | object | optional | OpenCTI filter group (mode, filters, filterGroups) to narrow results |
| custom_attributes | string | optional | Custom GraphQL attributes to return |
| top | number | optional | Max number of incidents to return when listing (no ID). Default 10. |
| get_all | boolean | optional | If true, return all incidents (paginated). Ignored when ID is set. |

#### Input Example

```json
{
  "id": "12345678-1234-1234-1234-123456789abc",
  "filters": {},
  "custom_attributes": "string",
  "top": 10,
  "get_all": true
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| standard_id | string | Unique identifier |
| entity_type | string | Type of the resource |
| parent_types | array | Type of the resource |
| spec_version | string | Output field spec_version |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| createdBy | object | Output field createdBy |
| objectOrganization | array | Output field objectOrganization |
| objectMarking | array | Output field objectMarking |
| objectLabel | array | Output field objectLabel |
| externalReferences | array | Output field externalReferences |
| revoked | boolean | Output field revoked |
| confidence | number | Unique identifier |
| created | string | Output field created |
| modified | string | Output field modified |
| name | string | Name of the resource |
| description | string | Output field description |
| aliases | object | Output field aliases |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| objective | string | Output field objective |
| incident_type | object | Unique identifier |

#### Output Example

The sample below is cut off in the source after `confidence`:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "cf272350-eb4f-4fb5-a32f-11e0ac7f03e2",
    "standard_id": "incident--ee744d5b-a875-5f72-aed0-3af3e4a43b5e",
    "entity_type": "Incident",
    "parent_types": ["Basic-Object", "Stix-Object", "Stix-Core-Object"],
    "spec_version": "2.1",
    "created_at": "2024-06-24T07:46:04.364Z",
    "updated_at": "2024-06-24T07:46:04.364Z",
    "createdBy": null,
    "objectOrganization": [],
    "objectMarking": [],
    "objectLabel": [],
    "externalReferences": [],
    "revoked": false,
    "confidence": 100,
```

### Search Observables

Search OpenCTI for exact-match observables like IP, domain, URL, or file hash and return results only if an exact match is found.

- Endpoint URL: `graphql`
- Method: `POST`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| observable | string | required | The observable value to search for (e.g., IP, domain, URL, or file hash) |

#### Input Example

```json
{
  "observable": "string"
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| error | string | Error message if any |
| found | boolean | Output field found |
| description | string | Output field description |
| entity_type | string | Type of the resource |
| observable_value | string | Value for the parameter |
| labels | string | Output field labels |
| raw_object | object | Output field raw_object |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "error": "No search item provided",
    "found": false
  }
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
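As an added example (not the connector's or OpenCTI's own code), the helper below builds the `pattern` and `x_opencti_main_observable_type` values the Create Indicators action requires from a raw observable, deriving the type from the value so the two stay consistent, and builds the filter group shape the Filter Indicators and Get Incidents actions accept. The observable classification heuristic and the pattern templates are assumptions of this example; the main observable type names are OpenCTI's standard ones.

```python
import ipaddress
import re
from typing import Optional

# Observable kind -> (STIX 2.1 pattern template, OpenCTI main observable type); same form as the page's example.
PATTERN_TEMPLATES = {
    "ipv4": ("[ipv4-addr:value = '{v}']", "IPv4-Addr"),
    "ipv6": ("[ipv6-addr:value = '{v}']", "IPv6-Addr"),
    "domain": ("[domain-name:value = '{v}']", "Domain-Name"),
    "url": ("[url:value = '{v}']", "Url"),
    "md5": ("[file:hashes.'MD5' = '{v}']", "StixFile"),
    "sha1": ("[file:hashes.'SHA-1' = '{v}']", "StixFile"),
    "sha256": ("[file:hashes.'SHA-256' = '{v}']", "StixFile"),
}
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def classify(value: str) -> Optional[str]:
    """Guess the observable kind (constructed heuristic); None if unsupported."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HEX_LENGTHS:
        return HEX_LENGTHS[len(v)]
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    if v.startswith(("http://", "https://")):
        return "url"
    return "domain" if DOMAIN_RE.match(v) else None

def build_indicator_input(name: str, value: str, valid_from: Optional[str] = None,
                          description: Optional[str] = None) -> dict:
    """Build the Create Indicators input; the main observable type is derived from the value."""
    kind = classify(value)
    if kind is None:
        raise ValueError(f"unsupported observable value: {value!r}")
    template, main_type = PATTERN_TEMPLATES[kind]
    # STIX string literals escape backslash and single quote with a backslash.
    literal = value.strip().replace("\\", "\\\\").replace("'", "\\'")
    payload = {"name": name, "pattern_type": "stix", "pattern": template.format(v=literal),
               "x_opencti_main_observable_type": main_type}
    if description:
        payload["description"] = description
    if valid_from:
        payload["valid_from"] = valid_from
    return payload

def build_filter_group(key: str, values: list, operator: str = "eq") -> dict:
    """Filter group shape accepted by the Filter Indicators and Get Incidents actions."""
    return {"mode": "and", "filters": [{"key": [key], "values": list(values), "operator": operator}],
            "filterGroups": []}
```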