OpenCTI

  • Updated on Apr 3, 2025
  • Published on Apr 3, 2025
Prev Next
Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

OpenCTI logs

openCTI_logs

NDJSON

S3

OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed for managing, sharing, and analyzing cyber threat intelligence (CTI). It provides a comprehensive solution for organizations to collect, process, and disseminate intelligence on cyber threats, including indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and adversary behaviors.

OpenCTI logs

Table name: opencti_logs

OpenCTI (Open Cyber Threat Intelligence) logs provide detailed records of the platform’s operations, including data ingestion, threat intelligence processing, and system events. These logs help administrators monitor performance, troubleshoot issues, and ensure data integrity across connectors, enrichment modules, and integrations. By analyzing OpenCTI logs, users can maintain visibility into the flow of threat intelligence and identify any anomalies or operational errors.

Hunters supports the ingestion of OpenCTI logs via an intermediary AWS S3 bucket.

STEP 1: Export OpenCTI logs

Export your logs from OpenCTI to an AWS S3 bucket

  1. Install Fluentd on your OpenCTI host machine or in a dedicated container.

  2. Install S3 Plugin for Fluentd.

  3. Edit the Fluentd config file (usually at /etc/td-agent/td-agent.conf):

    <source>
  @type tail
  path /var/lib/docker/containers/*/*.log
  pos_file /var/log/td-agent/docker-containers.pos
  tag docker.opencti
  format json
  time_key time
  time_format %Y-%m-%dT%H:%M:%S.%N%:z
</source>

<match docker.opencti>
  @type s3
  aws_key_id YOUR_AWS_ACCESS_KEY_ID
  aws_sec_key YOUR_AWS_SECRET_ACCESS_KEY
  s3_bucket your-s3-bucket-name
  s3_region us-east-1
  path logs/opencti/
  time_slice_format %Y/%m/%d/%H
  time_slice_wait 10m
  utc
  buffer_path /var/log/td-agent/buffer/s3
  buffer_chunk_limit 5MB
  buffer_queue_limit 128
  flush_interval 1m
  retry_limit 17
  retry_wait 1s
</match>
    Conf

    📘Note

    • Make sure the log path matches where your OpenCTI Docker logs are stored (usually /var/lib/docker/containers).

    • Use environment variables or an IAM role instead of hardcoding credentials in production.

  4. Create required directories:

    sudo mkdir -p /var/log/td-agent/buffer/s3
sudo chown -R td-agent:td-agent /var/log/td-agent
    Bash

  5. Start or restart Fluentd:

    sudo systemctl restart td-agent
    Bash

STEP 2: Set up Hunters

Once the export is completed and the logs are collected to S3, follow the steps in this section.

OpenCTI log sample

Logs are expected in JSON format.

{"event":"create","data":{"id":"indicator--af15f28b-abcd-577a-8ebd-f03b373924c8","spec_version":"2.1","type":"indicator","extensions":{"extension-definition--eaabcde-5c71-4632-ac08-831c66a786ba":{"extension_type":"property-extension","id":"fb500e63-dfe1-abcd-87f8-69f6176d032a","type":"Indicator","created_at":"2024-07-03T16:55:59.746Z","updated_at":"2024-07-03T16:55:59.975Z","is_inferred":false,"creator_ids":["88ec0c6a-13ce-1234-b486-354fe4a7084f"],"labels_ids":["cd16ac64-a824-1234-b20b-d4a1593d64dc","2a0bdb53-8834-a123-abf9-b73376d078e7","769d24b1-f10e-456a-bffd-2243ca187206","c3cc1cf5-e222-4sf5-bda2-e9f3c3c175f1","a5bc449f-5f67-1234-8bd3-6e8dc998ada4","8541b6f1-5a10-1234-8ba8-5f0d362a877e","9936625c-a2a7-1234-9a82-7ed21cf7ef65"],"created_by_ref_id":"93f37d0b-c4a4-1234-b921-3ee0d372c320","detection":false,"score":50,"main_observable_type":"StixFile","observable_values":[{"type":"StixFile","hashes":{"SHA-256":"a4acfc5d3ac99d85149db8cc11234567890aa900ce225aa87e1b14ed6cf1de16"}}]},"extension-definition--322b8f77-1234-4cb8-a915-1e441e00329b":{"extension_type":"property-extension"}},"created":"2024-07-03T15:37:36.600Z","modified":"2024-07-03T16:55:59.975Z","revoked":false,"confidence":100,"lang":"en","labels":["maliciousconfidence/high","mitreattck/execution/userexecution","threattype/criminal","mitreattck/execution/powershell","threattype/commodity","malware/netwire","mitreattck/persistence/officetemplatemacros"],"object_marking_refs":["marking-definition--f88d31f6-486f-1234-b317-01333bde0b82"],"created_by_ref":"identity--f29f12ba-1234-5642-9b3e-d11e9b296aed","name":"a4acfc5d3ac99d85149db8cc110f5912345aa900ce225aa87e1b14ed6cf1de16","pattern":"[file:hashes.'SHA-256' = 'a4acfc5d3ac99d85149db8cc111234567890aa900ce225aa87e1b14ed6cf1de16']","pattern_type":"stix","pattern_version":"2.1","valid_from":"2024-07-02T00:02:59.000Z","valid_until":"2025-04-18T11:12:43.557Z"}}
JSON