
OpenCTI Ecosystem Snapshot

Nov 1, 2022

Since the release of the first version of the OpenCTI platform, its ecosystem and the integrations available to the community have evolved significantly. The objective of this article is to take a snapshot of this ecosystem and explain it in more detail, without claiming to be exhaustive. Indeed, some organizations and vendors use connectors and integrations that unfortunately are not yet publicly available.

OpenCTI Connectors Overview

Ecosystem overview

As a reminder, OpenCTI has 5 different types of connectors:

  • External Import: pull knowledge from external sources and ingest the data into the platform.
  • Internal Enrichment: listen for new knowledge created in the platform or for user requests, then pull data from remote sources to enrich it.
  • Import Files: extract data from files uploaded to OpenCTI and ingest the extracted data into the platform.
  • Export Files: generate an export from OpenCTI data, based on a list of entities or for a single entity (and its relations).
  • Stream: consume a platform live stream and insert the data into a third-party system.
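To make the Stream type concrete, here is an added example of what the consuming side of such a connector does; it is illustration code written for this article, not a Filigran or OpenCTI connector, and it does not use the pycti library. It assumes the live stream is delivered as Server-Sent Events whose `event:` field names a `create`, `update` or `delete` operation and whose `data:` payload carries the STIX 2.1 object under a `data` key (check this layout against your platform version). The sample stream is constructed; the code replays it into a watchlist that a SIEM or EDR could load, keeping only indicators above a confidence threshold, honouring deletes, and deliberately skipping compound STIX patterns rather than flattening them into a lossy lookup.

```python
import json
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample of a live stream (not a real platform capture).
# Assumed layout: "event:" names the operation, "data:" is JSON carrying the
# STIX object under "data". Addresses and domains are documentation values.
SAMPLE_STREAM = """\
id: 1667300000000-0
event: create
data: {"data": {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "name": "C2 beacon", "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']", "confidence": 80}}

id: 1667300000001-0
event: create
data: {"data": {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222", "name": "Phishing domain", "pattern_type": "stix", "pattern": "[domain-name:value = 'login.example.test']", "confidence": 30}}

id: 1667300000002-0
event: update
data: {"data": {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222", "name": "Phishing domain", "pattern_type": "stix", "pattern": "[domain-name:value = 'login.example.test']", "confidence": 90}}

id: 1667300000003-0
event: create
data: {"data": {"type": "malware", "id": "malware--33333333-3333-4333-8333-333333333333", "name": "Example loader"}}

id: 1667300000004-0
event: delete
data: {"data": {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111"}}
"""

# Matches a single-comparison STIX pattern such as [ipv4-addr:value = '203.0.113.5'].
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):value\s*=\s*'([^']*)'\]$")


def parse_sse(text: str) -> Iterator[Tuple[str, dict]]:
    """Yield (event_name, payload) for each SSE message in text.

    Follows SSE framing: messages are separated by blank lines, each line is
    'field: value', repeated data lines are joined with newlines, and lines
    starting with ':' are comments.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last message
        if raw == "":
            if "data" in fields:
                payload = json.loads("\n".join(fields["data"]))
                yield fields.get("event", ["message"])[-1], payload
            fields = {}
            continue
        if raw.startswith(":"):
            continue
        name, _, value = raw.partition(":")
        fields.setdefault(name, []).append(value.lstrip(" "))


def extract_observable(obj: dict) -> Optional[Tuple[str, str]]:
    """Return (observable_type, value) for a simple STIX indicator, else None.

    Compound patterns (AND/OR, several observation expressions) are skipped on
    purpose: reducing them to one lookup value loses the pattern's semantics.
    """
    if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
        return None
    match = SIMPLE_PATTERN.match(obj.get("pattern", ""))
    if not match:
        return None
    return match.group(1), match.group(2)


def build_watchlist(stream_text: str, min_confidence: int = 50) -> Dict[str, dict]:
    """Replay a live stream into a watchlist keyed by STIX id.

    create/update: add or refresh the entry when confidence meets the threshold,
    otherwise drop it (an update may lower confidence below the bar).
    delete: remove the entry whatever its current state.
    """
    watchlist: Dict[str, dict] = {}
    for event, payload in parse_sse(stream_text):
        obj = payload.get("data", {})
        stix_id = obj.get("id", "")
        if not stix_id.startswith("indicator--"):
            continue  # only indicators feed a detection watchlist
        if event == "delete":
            watchlist.pop(stix_id, None)
            continue
        if event not in ("create", "update"):
            continue
        observable = extract_observable(obj)
        if observable is None:
            continue
        kind, value = observable
        confidence = int(obj.get("confidence", 0))
        if confidence >= min_confidence:
            watchlist[stix_id] = {"type": kind, "value": value,
                                  "confidence": confidence, "name": obj.get("name", "")}
        else:
            watchlist.pop(stix_id, None)
    return watchlist


def to_lookup_rows(watchlist: Dict[str, dict]) -> List[str]:
    """Render the watchlist as CSV-style rows for a SIEM lookup table."""
    rows = ["type,value,confidence,stix_id"]
    for stix_id, entry in sorted(watchlist.items(), key=lambda kv: kv[1]["value"]):
        rows.append(f"{entry['type']},{entry['value']},{entry['confidence']},{stix_id}")
    return rows


if __name__ == "__main__":
    for row in to_lookup_rows(build_watchlist(SAMPLE_STREAM)):
        print(row)
```

Replaying the sample leaves a single row: the C2 address is created and later deleted, the phishing domain only enters the watchlist once its update raises the confidence to 90, and the malware object is ignored. A real connector would keep the last processed event `id` so it can resume the stream after a restart instead of replaying from the beginning.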

A first observation about this ecosystem is that connector creation is well balanced between Filigran development, community contributions and original vendor creations.

Distribution of connectors

Unsurprisingly, import and enrichment connectors are present in large numbers in the OpenCTI ecosystem.

Distribution of connectors by type

Our priority from now is to increase the number of stream connectors to allow OpenCTI data to be consumed by third-party systems in real time, starting with:

  • SIEM: Azure Sentinel, IBM QRadar, Exabeam, Wazuh
  • XDR: Google Chronicle, CrowdStrike, SentinelOne, SEKOIA.IO
  • EDR: HarfangLab, CyberReason

The OpenCTI ecosystem is also well balanced between open sources and closed / paid sources:

Distribution of connectors by type of service

The development of OpenCTI integrations is a very important step in the overall increase in platform maturity that we are aiming for with the creation of Filigran and the hiring of more software engineers to deliver the roadmap and maintain the solution over time.

Ecosystem latest evolutions

The OpenCTI ecosystem is evolving very quickly; here is some key information about the latest developments.

Focus on sandboxes

Thanks to the amazing work of the Deepwatch team, the number of connectors available to enrich artifacts and extract relevant knowledge (observables, behaviors, hashes and injections) is now outstanding:

8 different sandboxes are available

Using the available sandboxes gives CTI / SOC / DFIR teams the ability to simply upload an artifact to the platform and trigger all of them, automatically or manually, to extract data.

Focus on new import connectors

Some highlights of the latest connectors:

  • SOCPrime announced this summer an integration with OpenCTI. The OpenCTI SOC Prime connector can be used to import Sigma rules from the SOC Prime Platform. The connector leverages the SOC Prime Continuous Content Management API to get the rules.
SOC Prime and OpenCTI Integration

Our team has also developed integrations with Orange Cyberdefense platforms, Citalid threat intelligence and any native MISP feed available!

Third-party native integrations

Recently, multiple vendors have enhanced and upgraded their native integrations with OpenCTI. Among them:

  • Maltego

OpenCTI integration directly available in the Maltego Transforms hub.

STIX2 entity types for Maltego / OpenCTI compatibility
  • Cortex XSOAR (by Palo Alto Networks)

Palo Alto Networks has developed a native integration pack with OpenCTI.

XSOAR Playbook leveraging OpenCTI pack
  • CORTEX Analyser

The StrangeBee team has upgraded the CORTEX analyzer to be compatible with the latest versions.

CORTEX OpenCTI Analyzer output
  • Recorded Future

Recorded Future’s integration comes in two parts:

      • A feeds connector to convert Recorded Future IP, Hash, Domain, and URL Risklists into STIX2 and regularly import them into OpenCTI.
      • An enrichment connector to enrich existing Indicators with Recorded Future intelligence.

Takeaways and future work

OpenCTI connectors cover most of the essential cyber threat intelligence providers (CrowdStrike, Kaspersky, Mandiant, AlienVault, Sekoia, Intel471, etc.) as well as broadly used detection systems such as Tanium, Elastic Security and Splunk Enterprise Security.

Maintaining this ecosystem over time is an important challenge for the months to come, which is why a new connector framework (thanks to one of the major OpenCTI contributors, nor3this) is in preparation, as well as multiple enhancements to the integration with the user interface.

Connector development documentation

Our connector roadmap is very dense, and we plan to double the number of integrations in the coming months. If you have questions, requests or integration ideas, don’t hesitate to consult the connector development documentation and join the Filigran community!
