Webhooks in OpenCTI: now supported in triggers and digests
OpenCTI has always been designed to connect to distant systems: you are already familiar with its large library of Python connectors, streams and feeds.
As a major step forward for sharing information, the new version of OpenCTI lets you trigger a webhook call from a notification.
Notifications
As a reminder, triggers and digests let you receive notifications about modifications applied to knowledge (and, more recently, about user activity under the Enterprise Edition).
Until now, the outcomes (now renamed notifiers) of your triggers and digests could only be the User Interface or Email:
Notifiers
In the OpenCTI settings, administrators can now create notifiers based on notifier connectors. These connectors register themselves on the platform and describe their schema, i.e. which fields a notifier built from them needs and how they should be filled.
For example, a Webhook notifier connector needs:
- a Verb (GET, POST, PUT)
- a URL
- a Template
- optional HTTP params
- optional HTTP headers
Administrators will be able to create notifiers from those connectors.
Currently, there are 3 available notifier connectors:
- Webhook
- Platform mailer -> to send fully customizable mails
- Simple mailer -> to send a mail based on the built-in mailer, with customizable header, footer, logo and background color.
We also provisioned two sample webhook notifiers that work with Microsoft Teams, to simplify your first use of webhooks.
Testing
To ease the configuration of your custom notifiers, we added a “Test” button inside the form.
This button lets you send a sample through your notifier, choosing between:
- Sample Notification (the one received by a live trigger)
- Sample Digest
- Sample Activity Alert
When sending the test request, you will either receive an “OK” result or the stack trace of the failed call.
Usage
In this section we will walk through a simple use case: I want to be notified on Microsoft Teams about updates to Malware entities in OpenCTI.
Configuring the notifier
As described above, notifiers are configured in the settings section of OpenCTI. Fill in the “Sample of Teams message for live trigger” notifier with your own information (Teams webhook endpoint, OpenCTI URL).
Creating a trigger
In the Notifications and triggers part of OpenCTI, under Triggers and digests, you can create a new live trigger. When selecting an outcome for this trigger, pick the previously customized “Sample of Teams message for live trigger” notifier and add Malware as the entity type filter.
When triggered, these notifiers consume the data carried by the notification and send exactly what the distant system needs. The available fields and the template syntax are described in the OpenCTI documentation.
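As an added example (not OpenCTI's code, and not its notifier schema), the Python below models what a webhook notifier does, tying together the fields listed in the Notifiers section and the Teams walkthrough above: a notifier definition with verb, URL, template, params and headers, a constructed sample live-trigger notification in the spirit of what the Test button sends, the template rendered from it, and the request delivered to a local stand-in for the Teams endpoint that checks a shared-secret header. The field names, the `$placeholder` template syntax and the `X-Webhook-Token` header are assumptions for this example. It also adds two checks a practitioner would want: notification values are JSON-escaped before substitution so an entity name containing quotes cannot break or alter the message body, and plaintext HTTP is refused except to loopback.

```python
import json
import string
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed notifier definition with the fields listed for the Webhook notifier
# connector (verb, URL, template, params, headers). Field names and the $placeholder
# syntax are assumptions, not OpenCTI's schema. The URL is set once the receiver runs.
NOTIFIER = {
    "verb": "POST",
    "url": None,
    "template": json.dumps({
        "title": "OpenCTI: $trigger_name",
        "text": "$operation on $entity_type '$entity_name'",
        "link": "$platform_url/dashboard/id/$entity_id",
    }),
    "params": {"source": "opencti"},
    "headers": {"X-Webhook-Token": "constructed-shared-secret"},
}

# Constructed sample live-trigger notification (field names are assumptions).
SAMPLE_NOTIFICATION = {
    "trigger_name": "Malware updates",
    "operation": "update",
    "entity_type": "Malware",
    "entity_name": "SampleMalware",
    "entity_id": "malware--00000000-0000-0000-0000-000000000001",
    "platform_url": "https://opencti.example.local",
}


def render_template(template, notification):
    """Fill the template; values are JSON-escaped first so quotes cannot break out."""
    escaped = {k: json.dumps(str(v))[1:-1] for k, v in notification.items()}
    return string.Template(template).safe_substitute(escaped)


def check_url(url):
    """Refuse to push notification data over plaintext, except to loopback."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme == "https":
        return True
    if parts.scheme == "http" and parts.hostname in ("127.0.0.1", "localhost"):
        return True  # tolerated only for the local stand-in receiver below
    raise ValueError(f"refusing {parts.scheme!r} webhook to {parts.hostname!r}")


def send_notification(notifier, notification):
    """Build and send the webhook request; return the HTTP status code."""
    url = notifier["url"]
    check_url(url)
    if notifier.get("params"):
        url += ("&" if "?" in url else "?") + urllib.parse.urlencode(notifier["params"])
    body = render_template(notifier["template"], notification).encode("utf-8")
    headers = {"Content-Type": "application/json", **notifier.get("headers", {})}
    req = urllib.request.Request(url, data=body, method=notifier["verb"], headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


class _Receiver(BaseHTTPRequestHandler):  # stand-in for the distant system (e.g. Teams)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if self.headers.get("X-Webhook-Token") != self.server.expected_token:
            return self._reply(401)
        try:
            payload = json.loads(body)
        except ValueError:
            return self._reply(400)
        self.server.received.append({"query": urllib.parse.urlsplit(self.path).query, "body": payload})
        self._reply(200)

    def _reply(self, status):
        self.send_response(status)
        self.end_headers()


def start_receiver(expected_token):
    """Start the stand-in receiver on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _Receiver)
    server.expected_token = expected_token
    server.received = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run the walkthrough end to end; return (status, what the receiver got)."""
    server = start_receiver(NOTIFIER["headers"]["X-Webhook-Token"])
    notifier = dict(NOTIFIER, url=f"http://127.0.0.1:{server.server_address[1]}/hook")
    status = send_notification(notifier, SAMPLE_NOTIFICATION)
    server.shutdown()
    return status, (server.received[0] if server.received else None)
```

Calling `demo()` starts the receiver, sends the rendered sample and returns `(200, {...})`; a wrong token yields 401. Two points carry over to a real Teams notifier: a Teams incoming-webhook URL is itself a credential (anyone holding it can post to the channel), so treat it like the header token above, and whatever template syntax you use, make sure entity names from the platform are escaped before they land inside the JSON body.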
Result
Try updating an existing Malware on your platform; the result of the “Sample of Teams message for live trigger” should look something like this: