Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | Table name | Log format | Collection method
---|---|---|---
OpenCTI logs | openCTI_logs | NDJSON | S3

The source table also marks two of its capability columns (3rd party detection, Hunters detection, IOC search, Search) with ✅, but the extracted row does not preserve which two, so those columns are not reproduced here.
Overview
OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed for managing, sharing, and analyzing cyber threat intelligence (CTI). It provides a comprehensive solution for organizations to collect, process, and disseminate intelligence on cyber threats, including indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and adversary behaviors.
Supported data types
OpenCTI logs
Table name: opencti_logs
OpenCTI (Open Cyber Threat Intelligence) logs provide detailed records of the platform’s operations, including data ingestion, threat intelligence processing, and system events. These logs help administrators monitor performance, troubleshoot issues, and ensure data integrity across connectors, enrichment modules, and integrations. By analyzing OpenCTI logs, users can maintain visibility into the flow of threat intelligence and identify any anomalies or operational errors.
Send data to Hunters
Hunters supports the ingestion of OpenCTI logs via an intermediary AWS S3 bucket.
STEP 1: Export OpenCTI logs
Export your logs from OpenCTI to an AWS S3 bucket
Install Fluentd on your OpenCTI host machine or in a dedicated container.
Install S3 Plugin for Fluentd.
Edit the Fluentd config file (usually at /etc/td-agent/td-agent.conf):
📘 Note: Make sure the log path matches where your OpenCTI Docker logs are stored (usually /var/lib/docker/containers). Use environment variables or an IAM role instead of hardcoding credentials in production.
Create required directories:
Start or restart Fluentd:
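An added example of a td-agent configuration that carries out the steps above; it is not taken from the Hunters or OpenCTI documentation. The bucket name, region, S3 prefix, tag name and local paths are assumptions to replace with your own, and it assumes the OpenCTI containers log through Docker's json-file driver.

```conf
# Added example td-agent.conf (assumed bucket/region/paths): OpenCTI container logs -> S3 as NDJSON.
<source>
  @type tail
  # Docker's json-file driver writes one JSON object per line here
  path /var/lib/docker/containers/*/*-json.log
  # the /var/log/td-agent directory must exist before Fluentd starts
  pos_file /var/log/td-agent/opencti-docker.pos
  tag opencti.docker
  read_from_head true
  <parse>
    @type json
    time_key time
    time_format %Y-%m-%dT%H:%M:%S.%NZ
    keep_time_key true
  </parse>
</source>

# OpenCTI emits JSON log lines; Docker stores each one as a string in "log".
# Lift its fields to the top level; non-JSON lines are kept as-is, not dropped.
<filter opencti.docker>
  @type parser
  key_name log
  reserve_data true
  emit_invalid_record_to_error false
  <parse>
    @type json
  </parse>
</filter>

<match opencti.**>
  @type s3
  # No aws_key_id / aws_sec_key here: the plugin falls back to the host's IAM
  # role or to the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
  s3_bucket example-opencti-logs-bucket
  s3_region us-east-1
  path opencti/%Y/%m/%d/
  # uncompressed .json objects, one JSON document per line (NDJSON)
  store_as json
  <format>
    @type json
  </format>
  <buffer time>
    @type file
    # this directory must also exist before Fluentd starts
    path /var/log/td-agent/s3/opencti
    timekey 300
    timekey_wait 60
  </buffer>
</match>
```

The two directories named in the comments are the ones the "Create required directories" step refers to; create them with ownership matching the user td-agent runs as before starting the service.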
STEP 2: Set up Hunters
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
OpenCTI log sample
Logs are expected in JSON format.