OpenCTI knowledge streams can now be turned into public feeds!

Apr 18, 2023

OpenCTI has multiple ways of sharing data with other platforms and third-party systems: TAXII collections, CSV feeds, custom connectors and live streams. Until now, these features required obtaining a user account (and an API token) from the remote platform in order to ingest or consume data. From OpenCTI 5.6.0, it is possible to make a stream “public”, so that it can be consumed by any other OpenCTI platform without any further action.

A public stream in the OpenCTI platform

In the context of this new feature, we have made significant improvements to the user experience of both stream creation and the configuration of ingestion from remote OpenCTI instances.


Public streams

A public stream is mostly the same as the custom / private live streams you were previously able to create in OpenCTI, but it does not require authentication to be consumed by another platform. Thus, when creating a public stream, users cannot assign group restrictions to it as they can for private ones. Public streams support advanced (and enhanced) filtering capabilities, so that only a subset of the platform data is published.

To strengthen the security and resilience of live streams, it is now possible to start and stop them. This allows users with the required permissions to stop a stream when a misconfiguration is suspected, and to start it again once checks have been made.

Streams can be started / stopped on-demand

Also, it is important to mention that all the public streams created in a platform are now displayed on a specific non-protected URL, accessible at https://your_platform/public. On this page, the following information about the available public streams is displayed:

  • Name and description
  • Current status (started / stopped)
  • Filters applied

Page on /public showing all available public streams

Ingestion of public streams

On the “/public” endpoint of a platform, it is possible to copy the URL of the platform to the clipboard. This allows users to easily configure the ingestion feed in their own platform, under “Data / Ingestion / Remote OCTI Streams”.

Ingestion / Remote OCTI Streams

Then, it is possible to create a new synchronizer for the remote OCTI stream.

When creating a synchronizer, the user needs to set the remote OpenCTI configuration before getting access to the streams. For public streams, the “Remote OpenCTI token” is optional.

Once the remote configuration has been validated, the available streams are displayed in the select box.

The list of streams is automatically loaded / computed depending on the remote streams you are able to consume. If you have set a token, it will check your permissions and show the streams according to your user and group in the remote OpenCTI platform.

If you have any questions, requests, comments or feedback to share with us, don’t hesitate to join us on Slack!
