OpenCTI Threat Intel Enrichment

the opencti connector allows for seamless integration with swimlane turbine, enabling automated threat intelligence enrichment and incident management opencti is an open source platform that allows organizations to manage their cyber threat intelligence knowledge and observables the opencti turbine connector enables users to create and manage incidents and indicators directly within the swimlane turbine platform, streamlining the threat intelligence process by integrating with opencti threat intel enrichment, swimlane turbine users can automate the enrichment of incidents and indicators, filter through intelligence data using specific criteria, and retrieve detailed incident reports for comprehensive analysis this connector empowers security teams to enhance their threat detection and response capabilities with enriched, actionable intelligence prerequisites to effectively utilize the opencti threat intel enrichment connector in swimlane turbine, ensure you have the following prerequisites custom api key authentication with the necessary parameters url the endpoint url for the opencti api api key a valid api key to authenticate requests to the opencti platform capabilities the opencti threat intel enrichment connector has the following capabilities create incidents create indicators filter indicators get incidents notes more information on opencti threat intel enrichment can be found https //docs opencti io/latest/ configurations opencti threat intel enrichment authentication authenticates using an api key configuration parameters parameter description type required url a url to the target host string required apikey api key string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions create incidents create new incidents within the opencti platform to enhance threat intelligence and response, with a mandatory incident name input argument name type required description name string required name of the resource description string optional parameter for create incidents first seen string optional parameter for create incidents confidence string optional unique identifier severity string optional parameter for create incidents input example {"name" "c2 server of the new campaign","description" "this is the c2 server of the campaign","first seen" "2019 12 01"} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier standard id string unique identifier entity type string type of the resource parent types array type of the resource createdbyid object unique identifier output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"id" "5f6e3a41 beed 46e0 b397 bd9c2bdc48bc","standard id" "incident 4b522d08 2880 51aa 8153 0f68454a7303","entity type" "incident","parent types" \["basic object","stix object","stix core object"],"createdbyid"\ null}} create indicators creates an indicator object in opencti with details like name, pattern, pattern type, and main observable type to monitor malicious activities input argument name type required description name string required name of the resource description string optional parameter for create indicators pattern type string required type of the resource pattern string required parameter for create indicators x opencti main observable type string required type of the resource valid from string optional unique identifier input example {"name" "c2 server of the new campaign","description" "this is the c2 server of the campaign","pattern type" "stix","pattern" "\[domain name\ value = 'www 5z8 info']","x opencti main observable type" "ipv4 addr","valid from" "2019 12 01"} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier standard id string unique identifier entity type string type of the resource parent types array type of the resource observables array output field observables createdbyid string unique identifier observablesids array unique identifier output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"id" "2ca5deca 79a6 486f 80c6 df4a52510d71","standard id" "indicator 6378a591 75f1 5dd8 910a 6c1b835af84f","entity type" "indicator","parent types" \["basic object","stix object","stix core object"],"observables" \[{}],"createdbyid" "","observablesids" \[""]}} filter indicators retrieve targeted threat intelligence indicators from opencti for focused analysis based on specified criteria input argument name type required description id string optional the id of the threat actor group filters object optional parameter for filter indicators filters mode string optional parameter for filter indicators filters filters array optional parameter for filter indicators filters filters key array required parameter for filter indicators filters filters values array required value for the parameter filters filters operator string required parameter for filter indicators filters filtergroups array optional parameter for filter indicators input example {"id" "2ca5deca 79a6 486f 80c6 df4a52510d71","filters" {"mode" "and","filters" \[{"key" \["id"],"values" \["2ca5deca 79a6 486f 80c6 df4a52510d71"],"operator" "eq"}],"filtergroups" \[]}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier standard id string unique identifier entity type string type of the resource parent types array type of the resource spec version string output field spec version created at string output field created at updated at string output field updated at creators array output field creators creators id string unique identifier creators name string name of the resource createdby object output field createdby objectorganization array output field objectorganization objectmarking array output field objectmarking objectlabel array output field objectlabel externalreferences array output field externalreferences revoked boolean output field revoked confidence number unique identifier created string output field created modified string output field modified pattern type string type of the resource pattern version object output field pattern version pattern string output field pattern name string name of the resource output example {"id" "12345678 1234 1234 1234 123456789abc","standard id" "string","entity type" "string","parent types" \["string"],"spec version" "string","created at" "string","updated at" "string","creators" \[{"id" "12345678 1234 1234 1234 123456789abc","name" "example name"}],"createdby" {},"objectorganization" \[],"objectmarking" \[],"objectlabel" \[],"externalreferences" \[],"revoked"\ true,"confidence" 123} get incidents retrieve a list of incidents from opencti threat intel enrichment for analysis and potential correlation input argument name type required description id string optional unique identifier filters string optional parameter for get incidents custom attributes string optional parameter for get incidents input example {"filters" "domain"} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier standard id string unique identifier entity type string type of the resource parent types array type of the resource spec version string output field spec version created at string output field created at updated at string output field updated at createdby object output field createdby objectorganization array output field objectorganization objectmarking array output field objectmarking objectlabel array output field objectlabel externalreferences array output field externalreferences revoked boolean output field revoked confidence number unique identifier created string output field created modified string output field modified name string name of the resource description string output field description aliases object output field aliases first seen string output field first seen last seen string output field last seen objective string output field objective incident type object unique identifier output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"id" "cf272350 eb4f 4fb5 a32f 11e0ac7f03e2","standard id" "incident ee744d5b a875 5f72 aed0 3af3e4a43b5e","entity type" "incident","parent types" \["basic object","stix object","stix core object"],"spec version" "2 1","created at" "2024 06 24t07 46 04 364z","updated at" "2024 06 24t07 46 04 364z","createdby"\ null,"objectorganization" \[],"objectmarking" \[],"objectlabel" \[],"externalreferences" \[],"revoked"\ false,"confidence" 100, response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt