OpenCTI Ecosystem Snapshot
Since the release of the first version of the OpenCTI platform, its ecosystem and the integrations available to the community have evolved significantly. The objective of this article is to take a snapshot of this ecosystem and explain it in more detail, without claiming to be exhaustive. Indeed, some organizations and vendors use connectors and integrations that unfortunately are not yet publicly available.
Ecosystem overview
As a reminder, OpenCTI has 5 different types of connectors:
- External Import: pull knowledge from external sources and ingest the data into the platform.
- Internal Enrichment: listen for new knowledge created in the platform or for user requests, then pull data from remote sources to enrich it.
- Import Files: extract data from files uploaded to OpenCTI and ingest the extracted data into the platform.
- Export Files: generate exports from OpenCTI data, based on a list of entities or for a single entity (and its relations).
- Stream: consume a platform live stream and insert the data into a third-party system.
One of the first observations we can make about this ecosystem is that connector development is well balanced between Filigran development, community contributions and original vendor creation.
Distribution of connectors
Unsurprisingly, import and enrichment connectors are present in large numbers in the OpenCTI ecosystem.
Our priority from now on is to increase the number of stream connectors, so that OpenCTI data can be consumed by third-party systems in real time, starting with:
- SIEM: Azure Sentinel, IBM QRadar, Exabeam, Wazuh
- XDR: Google Chronicle, CrowdStrike, SentinelOne, SEKOIA.IO
- EDR: HarfangLab, CyberReason
The OpenCTI ecosystem is also well balanced between open sources and closed or paid sources:
The development of OpenCTI integrations is a very important step in the overall increase in platform maturity we aim for with the creation of Filigran and the hiring of more software engineers to deliver the roadmap and maintain the solution over time.
Ecosystem latest evolutions
The OpenCTI ecosystem is evolving very quickly; here is some key information about the latest developments.
Focus on sandboxes
Thanks to the amazing work of the Deepwatch team, the number of available connectors to enrich artifacts and extract relevant knowledge (observables, behaviors, hashes and injections) is now outstanding:
Using the available sandboxes gives CTI / SOC / DFIR teams the ability to simply upload an artifact to the platform and trigger all of them, automatically or manually, to extract data.
Focus on new import connectors
Some highlights about the latest connectors:
- SOCPrime announced this summer an integration with OpenCTI. The OpenCTI SOC Prime connector can be used to import Sigma rules from the SOC Prime Platform. The connector leverages the SOC Prime Continuous Content Management API to get the rules.
- The Intel 471 integration team released their OpenCTI connector a few weeks ago. Intel 471 delivers structured technical and non-technical data and intelligence on cyber threats. This connector ingests STIX 2.1 objects from Intel 471’s Titan cybercrime intelligence platform.
- The IronNet engineering team developed the OpenCTI connector for IronRadar data.
Also, our team developed integrations with Orange Cyberdefense platforms, Citalid threat intelligence and any native MISP feed available!
Third-party native integrations
Recently, multiple vendors have enhanced and upgraded their native integrations with OpenCTI. Among them:
- Maltego
OpenCTI integration directly available in the Maltego Transforms hub.
- Cortex XSOAR (by Palo Alto Networks)
Palo Alto Networks has developed a native integration pack with OpenCTI.
- CORTEX Analyser
The StrangeBee team has upgraded the CORTEX analyzer to be compatible with the latest versions.
- Recorded Future
Recorded Future’s integration comes in two parts.
- A feeds connector to convert Recorded Future IP, Hash, Domain, and URL Risklists into STIX2 and regularly import them into OpenCTI.
- An enrichment connector to enrich existing Indicators with Recorded Future intelligence.
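The risklist-to-STIX2 conversion mentioned above is the core job of such a feeds connector. The following is an added example, not code from Filigran or Recorded Future: each risklist row becomes a STIX 2.1 Indicator whose pattern depends on the observable type, indicator ids are derived deterministically so a refreshed risklist updates rather than duplicates on re-import, and the risk score is carried as STIX confidence. The sample rows, the 0-99 risk scale, the namespace UUID and the function names are all assumptions made for this example.

```python
import uuid
from datetime import datetime, timezone
# Constructed sample risklist rows (not real vendor data): (type, value, risk score on a 0-99 scale).
SAMPLE_RISKLIST = [("ip", "203.0.113.7", 88), ("hash", "0123456789abcdef" * 4, 65),
                   ("domain", "example.invalid", 40), ("url", "http://example.invalid/login", 72)]

# Hash algorithm is chosen by digest length; other lengths are rejected rather than guessed.
HASH_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

# Hypothetical fixed namespace so equal patterns get equal ids: re-imports update instead of duplicating.
INDICATOR_NAMESPACE = uuid.UUID("11111111-2222-4333-8444-555555555555")

def stix_literal(value):
    # Escape backslash and single quote as required inside STIX 2.1 pattern string constants.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def risklist_pattern(kind, value):
    # Build the STIX 2.1 comparison expression for one risklist entry.
    if kind == "ip":
        return f"[ipv4-addr:value = '{stix_literal(value)}']"
    if kind == "domain":
        return f"[domain-name:value = '{stix_literal(value)}']"
    if kind == "url":
        return f"[url:value = '{stix_literal(value)}']"
    if kind == "hash":
        algo = HASH_BY_LENGTH.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value.lower()):
            raise ValueError(f"unrecognised hash digest: {value!r}")
        return f"[file:hashes.'{algo}' = '{value.lower()}']"
    raise ValueError(f"unsupported risklist type: {kind!r}")

def risklist_to_indicator(kind, value, risk, created=None):
    # Convert one risklist row into a STIX 2.1 Indicator object (plain dict, no external library).
    if not 0 <= risk <= 99:
        raise ValueError(f"risk score out of range: {risk}")
    pattern = risklist_pattern(kind, value)
    ts = (created or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(INDICATOR_NAMESPACE, pattern)),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": f"{kind}: {value}", "pattern_type": "stix", "pattern": pattern,
        "confidence": risk,  # the 0-99 risk score is carried over as STIX confidence (0-100)
        "labels": ["risklist"],
    }

def risklist_to_bundle(rows, created=None):
    # Wrap the converted rows in a STIX 2.1 bundle, the unit an import connector sends to the platform.
    objects = [risklist_to_indicator(k, v, r, created) for k, v, r in rows]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}
```

Feeding `risklist_to_bundle(SAMPLE_RISKLIST)` to the platform's bundle import is the step a real connector performs on each scheduled run.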
Takeaways and future work
OpenCTI connectors cover most of the essential cyber threat intelligence providers (CrowdStrike, Kaspersky, Mandiant, AlienVault, Sekoia, Intel 471, etc.) as well as broadly used detection systems such as Tanium, Elastic Security and Splunk Enterprise Security.
Maintaining this ecosystem over time is an important challenge for the months to come, which is why a new connector framework (thanks to one of the major OpenCTI contributors, nor3th) is in preparation, along with multiple enhancements to the integration with the user interface.
Our connector roadmap is very dense and we plan to double the number of integrations in the coming months. If you have questions, requests or integration ideas, don’t hesitate to consult the connector development documentation and join the Filigran community!