Introduction

<aside> 💡 You are looking for the available connectors? The list is in the OpenCTI Ecosystem.

</aside>

Connectors are the cornerstone of the OpenCTI platform and allow organizations to easily ingest, enrich or export new data on the platform. According to their functionality and use case, they are categorized in following classes:

External Input Connector

Automatically retrieve information from an external entity or service and import it into OpenCTI

Stream Input Connector

Connect to a data stream and continously ingest the retrieved information into OpenCTI. When used in combination with EDR systems like Tanium, the connector is also able to answer the originating system and turn this into a two way interaction between another system and OpenCTI.

Internal Enrichment Connector

SDOs and SCOs can be enriched using external lookup services to increase the knowledge of that object in OpenCTI. An example would be a whois lookup for an IP address.

Internal Import File Connector

Information from an uploaded file can be extracted and ingested into OpenCTI. Examples are files attached to a report or a json (STIX2) file.

Internal Export Connector

Information stored in OpenCTI can be extracted into different file formats like .csv or .json (STIX 2).

Those connectors should be launched with a user that has an “Administrator” role (with bypass all capabilities enabled).

Untitled

API Interactions

API interactions are not connectors per definition, nonetheless they allow a script or a program to interact with OpenCTI using a client library.

Information Processing

Every data the connector wants to sent to OpenCTI has to be converted into a STIX2 object, which will then be pushed via a messaging system to the OpenCTI worker.

The worker is responsible for the error and performance handling and for interacting with the OpenCTI API interface for creating or updating the respective objects.

<aside> 💡 For the moment, only a valid STIX2 bundle is supported, by we intend to support CSV and other formats in the future.

</aside>

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/6de31dd5-17b8-4897-9295-aa3a6d597695/connector_architecture.png

Connector configuration

All connectors have to be able to access to the OpenCTI API. To allow this connection, they have 2 mandatory configuration parameters, the OPENCTI_URL and the OPENCTI_TOKEN. In addition of these 2 parameters, connectors have other mandatory parameters that need to be set in order to get them work.

<aside> ⚠️ Be careful, we advise you to use a dedicated token for each of your connector. So you have to create a specific user for each of your connector. You can see the user token by clicking on "Edit" on a user in the Settings / Accesses / Users panel. A good example of this configuration is in the demonstration instance. Please see the section Create Connector User and Role at the end of this page for detailed user and role creation.

</aside>

Example in a docker-compose.yml file:

Example in a config.yml file:

- CONNECTOR_ID=ChangeMe
- CONNECTOR_TYPE=EXTERNAL_IMPORT
- CONNECTOR_NAME=MITRE ATT&CK
- CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report
- CONNECTOR_CONFIDENCE_LEVEL=3
- CONNECTOR_UPDATE_EXISTING_DATA=true
- CONNECTOR_LOG_LEVEL=info