OpenCTI Feed

Ingest indicator feeds from OpenCTI.

Configure OpenCTI Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for OpenCTI Feed.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| apikey | API Key | True |
| base_url | Base URL | True |
| indicator_types | Indicator types to fetch | True |
| max_indicator_to_fetch | Max. indicators per fetch (default is 500) | False |
| feed | Fetch indicators | False |
| feedReputation | Indicator Reputation | False |
| feedReliability | Source Reliability | True |
| feedExpirationPolicy | | False |
| feedExpirationInterval | | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedTags | Tags | False |
| feedBypassExclusionList | Bypass exclusion list | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

Indicator type parameter

Possible values that are supported in XSOAR and will be generated out of the box:

| Types |
| --- |
| ALL |
| User-Account |
| Domain |
| Email-Address |
| File-md5 |
| File-sha1 |
| File-sha256 |
| HostName |
| IPV4-Addr |
| IPV6-Addr |
| Registry-Key-Value |
| URL |

The following types are supported in OpenCTI but are not supported out of the box in XSOAR. To pull these indicator types from OpenCTI, you will need to create a dedicated classification and mapping and/or create the corresponding indicator types in your XSOAR system.

| Types |
| --- |
| autonomous-system |
| cryptographic-key |
| cryptocurrency-wallet |
| email-subject |
| directory |
| file-name |
| file-path |
| mac-addr |
| mutex |
| pdb-path |
| process |
| registry-key-value |
| user-agent |
| windows-service-name |
| windows-service-display-name |
| windows-scheduled-task |
| x509-certificate-issuer |
| x509-certificate-serial-number |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

opencti-get-indicators

Gets indicators from the feed.

Base Command

opencti-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return per fetch. The default value is "50". | Optional |
| indicator_types | The indicator types to fetch. Out of the box indicator types supported in XSOAR are: "User-Account", "Domain", "Email-Address", "File-md5", "File-sha1", "File-sha256", "HostName", "IPV4-Addr", "IPV6-Addr", "Registry-Key-Value", and "URL". The rest will not cause automatic indicator creation in XSOAR. Please refer to the integration documentation for more information. The default is "ALL". | Optional |
| last_id | The last ID from the previous call from which to begin pagination for this call. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| OpenCTI.Indicators.type | String | Indicator type. |
| OpenCTI.Indicators.value | String | Indicator value. |
| OpenCTI.LastRunID | String | The ID of the last fetch, used for pagination. |

Command Example

!opencti-get-indicators limit=2 indicator_types=domain

Context Example

{
    "OpenCTI": {
        "Indicators": [
            {
                "type": "Domain",
                "value": "test.com"
            },
            {
                "type": "Domain",
                "value": "test1.com"
            }
        ],
        "LastRunID": "YXJyYXljb25uZWN0aW9uOjI="
    }
}

Human Readable Output

Indicators from OpenCTI

| type | value |
| --- | --- |
| Domain | test.com |
| Domain | test.com |
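The pagination contract above (pass the previous OpenCTI.LastRunID back as last_id, stop when a page comes back short) is easy to get wrong in a playbook loop. The following Python driver is an added example, not part of this integration's code: it walks the feed page by page, de-duplicates type/value pairs, and separates indicators that XSOAR creates automatically from types that need a custom mapping. The run_command callable and the fake_get_indicators feed (whose cursor imitates the format of the LastRunID shown above) are assumptions constructed for the example.

```python
import base64
from typing import Callable, Dict, List, Optional, Tuple

# Indicator types XSOAR creates out of the box (from the first "Types" table).
AUTO_CREATED_TYPES = {
    "User-Account", "Domain", "Email-Address", "File-md5", "File-sha1",
    "File-sha256", "HostName", "IPV4-Addr", "IPV6-Addr", "Registry-Key-Value", "URL",
}

Indicator = Dict[str, str]


def collect_indicators(run_command: Callable[..., dict], indicator_types: str = "ALL",
                       page_size: int = 50, max_pages: int = 100
                       ) -> Tuple[List[Indicator], List[Indicator], Optional[str]]:
    """Page through opencti-get-indicators until the feed is exhausted.

    run_command(limit, indicator_types, last_id) must return the "OpenCTI" context
    object ({"Indicators": [...], "LastRunID": "..."}). Returns (auto-created,
    needs-mapping, final cursor). max_pages bounds runtime if the cursor never advances.
    """
    seen, auto, pending = set(), [], []
    last_id: Optional[str] = None
    for _ in range(max_pages):
        ctx = run_command(limit=page_size, indicator_types=indicator_types, last_id=last_id)
        page = ctx.get("Indicators") or []
        if not page:
            break
        for ind in page:
            key = (ind["type"], ind["value"])
            if key in seen:          # the feed may re-emit an indicator across pages
                continue
            seen.add(key)
            (auto if ind["type"] in AUTO_CREATED_TYPES else pending).append(ind)
        cursor = ctx.get("LastRunID")
        if not cursor or cursor == last_id:  # cursor did not advance: stop, do not spin
            break
        last_id = cursor
        if len(page) < page_size:    # short page means the feed is exhausted
            break
    return auto, pending, last_id


# Constructed sample feed; the cursor format mirrors the LastRunID example above but is opaque.
_SAMPLE = [("Domain", "test.com"), ("Domain", "test1.com"), ("IPV4-Addr", "192.0.2.1"),
           ("mutex", "Global\\sample"), ("Domain", "test.com")]


def fake_get_indicators(limit: int, indicator_types: str, last_id: Optional[str]) -> dict:
    start = int(base64.b64decode(last_id).decode().split(":")[1]) if last_id else 0
    rows = [r for r in _SAMPLE if indicator_types == "ALL" or r[0].lower() == indicator_types.lower()]
    page = rows[start:start + limit]
    cursor = base64.b64encode(f"arrayconnection:{start + len(page)}".encode()).decode()
    return {"Indicators": [{"type": t, "value": v} for t, v in page], "LastRunID": cursor}
```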

opencti-reset-fetch-indicators

WARNING: This command will reset your fetch history.

Base Command

opencti-reset-fetch-indicators

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!opencti-reset-fetch-indicators

Context Example

{}

Human Readable Output

Fetch history deleted successfully