Software Development
Threat Intelligence

Introducing threat intelligence automation and playbooks in OpenCTI

Oct 16, 2023 4 min read

Our priorities for the upcoming months are quite clear: make OpenCTI easier and faster to use. Whether it is by indexing documents, implementing natural language processing and AI, enhancing the overall user experience and develop new integrations, our teams are dedicated to bringing the platform into a new era.

Example of workflow

Following on more advanced dashboards, triggers, digests and webhooks, we have introduced playbooks in OpenCTI 5.11. To be clear, we have no intention to turn OpenCTI into a SOAR platform. Nevertheless, threat intelligence and hunting teams as well as detection engineers and incident responders — the OpenCTI community and customers — need to be able to automate and decrease manual work when it comes to collect, investigate and mitigate threats.


Overview of the feature

OpenCTI playbooks are flexible automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform. Those scenarios rely on “components”, which can be:

  • an internal capability, such as filters, transforms, webhooks, digests, emails, rules, etc.
  • an enrichment connector, such as VirusTotal, Domain Tools, Hybrid Analysis, etc. (see playbook compatible connectors in the OpenCTI ecosystem page).
Available components in playbooks

The availability of playbooks in OpenCTI unlocks so many use cases which will be extended in the future with the release of dozens of new components. With the current release, administrators are now able to:

  • add labels depending on enrichment results to be used in threat intelligence driven detection feeds ;
  • create reports and cases based on various criteria ;
  • trigger enrichments or webhooks in given conditions ;
  • modify attributes such as first_seen and last_seen based on other pieces of knowledge ;
  • etc.

The power of the OpenCTI automation engine comes from its ability to be triggered on any event happening in the platform (create, update, or delete) as well as the capability to use branches and intersections in the data flow without writing anything until the user explicitly put one (or multiple) “Send for ingestion” component within the scenario.

Create a playbook

Playbooks are available for users with administration permissions (aka. SET_ACCESS capability or above) directly in the user interface (Data > Processing > Playbooks). It is possible to create as many playbooks as needed which are running independently.

Create a new playbook

The first step to define in the playbook is the “triggering event”, which can be any knowledge event (create, update or delete) with customizable filters.

Triggering event

Then you have flexible choices for the next steps to:

  • filter the initial knowledge ;
  • enrich data using external sources and internal rules ;
  • modify entities and relationships by applying patches ;
  • write the data, send notifications, etc.
Double filters after the triggering events

Here is an example of a playbook just creating incident response cases based on given conditions:

Create a case based on an incident

Another example here is to automate adding a labels to elements within a container (aka a report or a case) based on the attribute of the case. First, configure the event with the criteria you need, here reports written by CrowdStrike:

Filter reports from CrowdStrike

Then, add the component “Complex rule to apply”, to include all elements of this report in the workflow:

Rule: resolve container references

Then, use a label or a status on indicators contained in this report:

Add labels to all elements within the container

Here is the overview of this workflow:

Put labels “detection” on all indicators within CrowdStrike report

Monitor playbook activity

All activities happening within a playbook are monitored and tracked with all the details for each executed step.

Steps monitoring

Also, for each step, it is possible to click to see the actual raw data after the step has been executed.

Next steps

The available components in this first version of the automation engine can handle hundreds of use cases. Our priority now is to gather feedback on the feature and collect ideas and workflows which cannot be addressed with the current version. Also, we will continue to work on making more enrichment connectors compatible with the playbook engine.

Obviously, we will develop on new components such as:

  • rule for case creation based on multiple sources ;
  • relationship management component (extract relationships from labels) ;
  • NLP / Search / Full text indexing capabilities ;
  • etc.

If you have any question, request, comment or feedback to share with us, don’t hesitate to join us on Slack!

Stay up to date with everything at Filigran

Sign up for our newsletter and get bi-monthly updates of Filigran major events: product updates, upcoming events, latest content and more.