
Webhooks in OpenCTI: now supported in triggers and digests

Sep 12, 2023 3 min read

OpenCTI has always been extremely powerful and useful when connecting to distant systems. We already had a large library of Python connectors, streams, feeds, everything you are already familiar with.

As a major step forward in sharing information, the new version of OpenCTI allows you to trigger a webhook call from a notification.


Notifications

As a reminder, triggers and digests allow you to receive notifications about modifications applied to knowledge (and, most recently, about users’ activity under EE).

Until now, you could choose the outcomes (renamed to notifiers) of your triggers and digests between User Interface and Email:

Live trigger creation for outcomes

Notifiers

In the settings of OpenCTI, administrators can now create Notifiers based on Notifier Connectors. Those connectors register on the platform, describing their schema and how it should be filled in.

For example, a Webhook Notifier Connector needs:

  • a Verb (GET, POST, PUT)
  • a URL
  • a Template
  • optional HTTP params
  • optional HTTP headers
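As an added example (not OpenCTI's own code), here is a minimal receiver for such a webhook notifier, showing how the optional HTTP headers can carry a shared token that the receiving side verifies before trusting the rendered template. The header name `X-Webhook-Token`, the JSON field names and the payload shape are assumptions for this example, not taken from the post or from OpenCTI.

```python
# Minimal receiver for an OpenCTI webhook notifier (added example, not OpenCTI code).
# Assumed notifier configuration (not from the post): verb POST, a header
# "X-Webhook-Token: <shared secret>", and a template rendering a JSON object with
# "trigger_name", "entity_type" and "name". Adapt the fields to your own template.
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SHARED_SECRET = "replace-with-a-long-random-value"  # placeholder, set on both sides
REQUIRED_FIELDS = ("trigger_name", "entity_type", "name")


def token_is_valid(headers: dict, expected: str = SHARED_SECRET) -> bool:
    """Constant-time check of the notifier's header (case-insensitive name) against the secret."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-webhook-token", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def parse_notification(raw: bytes) -> dict:
    """Parse the rendered template and reject bodies missing the fields we rely on."""
    data = json.loads(raw.decode("utf-8"))  # JSONDecodeError is a ValueError
    if not isinstance(data, dict):
        raise ValueError("notification body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return data


def handle_webhook(method: str, headers: dict, body: bytes) -> tuple[int, str]:
    """Return (HTTP status, message) for one call; only POST with a valid token is accepted."""
    if method != "POST":
        return 405, "method not allowed"
    if not token_is_valid(headers):
        return 401, "bad or missing token"
    try:
        note = parse_notification(body)
    except (ValueError, UnicodeDecodeError) as exc:
        return 400, f"invalid payload: {exc}"
    return 200, f"{note['trigger_name']}: {note['entity_type']} '{note['name']}' updated"


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, msg = handle_webhook("POST", dict(self.headers), body)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(msg.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```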

Administrators will be able to create notifiers from those connectors.

Notifier administration page

Currently, there are 3 available notifier connectors:

  • Webhook
  • Platform mailer -> to send fully customizable mails
  • Simple mailer -> to send a mail based on the built-in mailer, with customizable header, footer, logo and background color

We also provisioned two sample webhook notifiers that work with Microsoft Teams, to simplify your first use of webhooks.

Testing

To ease the configuration of your custom notifiers, we added a “Test” button inside the form.

This test button will allow you to send a sample through your notifier:

  • Sample Notification (the one received by a live trigger)
  • Sample Digest
  • Sample Activity Alert

When sending the test request, you will either receive an “OK” result or the stack trace of the failing call.

Ok test result for notifier
Error test result for notifier

Usage

In this section we will guide you through a simple use case: being notified on Microsoft Teams about updates to Malware entities in OpenCTI.

Configuring the notifier

As described previously, you can configure notifiers in the settings section of OpenCTI. You can configure the Sample of Team message for live trigger with your own information (Teams webhook endpoint, OpenCTI URL).

Creating a trigger

In the Notifications and triggers part of OpenCTI, under Triggers and digests, you can create a new live trigger. When selecting an outcome for this trigger, you can select the previously customized Sample of Team message for live trigger and add Malware as an entity type filter.

New notifiers in trigger and digests

When triggered, those notifiers can consume data from the notification to send the right amount of information to the distant system. You can check the technical details of what is available and how to use it in the OpenCTI documentation.

Result

Try updating an existing Malware on your platform; the result of the Sample of Teams message for live trigger should look something like this:

Result of teams webhook
