OpenCTI knowledge streams can now be turned into public feeds!
OpenCTI has multiple ways of sharing data with other platforms and third-party systems: TAXII collections, CSV feeds, custom connectors and live streams. Until now, those features required obtaining a user account (and an API token) from the remote platform in order to ingest or consume data. From OpenCTI 5.6.0, it is now possible to make a stream “public”, which means it can be consumed by any other OpenCTI platform without any further action.
As part of this new feature, we have significantly improved the user experience of both stream creation and the configuration of ingestion from remote OpenCTI instances.
Public streams
A public stream is mostly the same as the custom / private live streams you were previously able to create in OpenCTI, but it does not require authentication to be consumed by another platform. Thus, when creating a public stream, users cannot assign group restrictions to it, as they can for private ones. Public streams do support advanced (and enhanced) filtering capabilities, so that only a subset of the platform data is published.
To strengthen the security and resilience of live streams, it is now possible to start and stop them. This allows authorized users to stop a stream when a misconfiguration is suspected, and to start it again once checks have been made.
It is also important to mention that all the public streams created in a platform are now displayed on a specific non-protected URL, accessible at https://your_platform/public. On this page, the following information about the available public streams is displayed:
- Name and description
- Current status (started / stopped)
- Filters applied
Ingestion of public streams
On the “/public” endpoint of a platform, it is possible to copy the URL of the platform to the clipboard. This allows users to easily configure the ingestion feed in their own platform, under “Data / Ingestion / Remote OCTI Streams”.
Then, it is possible to create a new synchronizer for the remote OCTI stream.
When creating a synchronizer, the user needs to set the remote OpenCTI configuration before getting access to the streams. For public streams, the “Remote OpenCTI token” is optional.
Once the remote configuration has been validated, the available streams are displayed in the select box.
The list of streams is automatically loaded / computed depending on the remote streams you are able to consume. If you have set a token, it will check your permissions and show the streams according to your user and group in the remote OpenCTI platform.
If you have any questions, requests, comments or feedback to share with us, don’t hesitate to join us on Slack!