8. Programmatic Control: Working with the OpenCTI API and SDK

The article explains how to use the OpenCTI platform through its GraphQL API and Python SDK to automate tasks, enrich threat intelligence, and interact with the platform programmatically. It covers authentication, common use cases, bulk-import scripts, best practices, and how the SDK streamlines workflows. Affected: OpenCTI platform

Key points:

  • OpenCTI enables programmatic access through its GraphQL API for automated threat intelligence management.
  • Users need an API token for authentication, which can be generated in the user profile.
  • The API endpoint for all requests is located at https://your-opencti-url/graphql.
  • Common use cases include searching for indicators, ingesting threat data, and building custom dashboards.
  • The Python SDK simplifies interactions with OpenCTI, eliminating the need for raw GraphQL queries.
  • Best practices include using environment variables for credentials and implementing error handling in scripts.
  • Automation can enhance efficiency in tasks like bulk importing IOCs and managing vulnerabilities.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: the API is used to interact with OpenCTI and perform bulk data manipulation.
  • T1406 – Data from Information Repositories: bulk import of IOCs (e.g., malicious domains, CVEs) using Python scripts.

Indicators of Compromise:

  • [Domain] badsite1.com
  • [Domain] evilhost.net
  • [Domain] suspicious.org
  • [CVE] CVE-2021-44228
  • [CVE] CVE-2022-30190
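
The bulk-import workflow from the key points above (token from the environment, requests to /graphql, per-item error handling), written out as an added example that is not the article's or the OpenCTI project's own code. The indicatorAdd mutation and its input field names are assumed from OpenCTI's GraphQL schema as pycti uses it; the domains are the sample values listed above, and OPENCTI_URL / OPENCTI_TOKEN are assumed environment variable names.

```python
import json
import os
import urllib.request

# Mutation assumed from OpenCTI's GraphQL schema (the IndicatorAddInput type pycti also uses).
INDICATOR_ADD = """
mutation IndicatorAdd($input: IndicatorAddInput!) {
  indicatorAdd(input: $input) { id }
}"""


def build_indicator_input(domain: str) -> dict:
    """Turn a bare domain into the STIX-pattern indicator OpenCTI expects."""
    domain = domain.strip().lower()
    # Reject characters that would break out of the STIX pattern literal.
    if not domain or any(c in domain for c in " '[]\\"):
        raise ValueError(f"refusing to build a pattern from {domain!r}")
    return {
        "name": domain,
        "pattern_type": "stix",
        "pattern": f"[domain-name:value = '{domain}']",
        "x_opencti_main_observable_type": "Domain-Name",
    }


def check_response(body: dict) -> dict:
    """GraphQL returns HTTP 200 even on failure; errors live in an 'errors' list."""
    if body.get("errors"):
        raise RuntimeError("; ".join(e.get("message", "?") for e in body["errors"]))
    return body["data"]["indicatorAdd"]


def post_graphql(query: str, variables: dict) -> dict:
    """One request to <OPENCTI_URL>/graphql; the token comes from the environment, not the script."""
    url = os.environ["OPENCTI_URL"].rstrip("/") + "/graphql"
    payload = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(url, data=payload, headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {os.environ['OPENCTI_TOKEN']}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def bulk_import(domains, send=post_graphql) -> dict:
    """Import every domain; a bad entry is recorded, not fatal for the whole batch."""
    results = {}  # domain -> OpenCTI id, or "error: ..." for that entry
    for d in domains:
        try:
            results[d] = check_response(send(INDICATOR_ADD, {"input": build_indicator_input(d)}))["id"]
        except (ValueError, RuntimeError, OSError, KeyError) as exc:
            results[d] = f"error: {exc}"
    return results
```

With the two environment variables set, `bulk_import(["badsite1.com", "evilhost.net", "suspicious.org"])` returns a map of domain to created indicator id, with any rejected entry reported next to its error instead of aborting the run.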

Full Story: https://medium.com/@siddharthbej11/8-programmatic-control-working-with-the-opencti-api-and-sdk-f9f983844106?source=rss——cybersecurity-5