OpenCTI


Version

2.4.0

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types

Security
Observability

Subscription level

Basic

Level of support

Elastic

The OpenCTI integration allows you to ingest data from the OpenCTI threat intelligence platform.

Use this integration to get indicator data from OpenCTI. You can monitor and explore the ingested data on the OpenCTI dashboard or in Kibana’s Discover tab. Indicator match rules in Elastic Security can then use the ingested indicator data to generate alerts about detected threats.

Data streams


The OpenCTI integration collects one type of data stream: logs.

Logs are lists of records created over time. Each event in the log data stream collected by the OpenCTI integration is an indicator that can be used to detect suspicious or malicious cyber activity. The data is fetched from OpenCTI’s GraphQL API.

Requirements


This integration requires Filebeat version 8.9.0, or later.

It has been updated for OpenCTI version 5.12.24 and requires that version or later.

Setup


For additional information about threat intelligence integrations, including the steps required to add an integration, please refer to the Enable threat intelligence integrations page of the Elastic Security documentation.

When adding the OpenCTI integration, you will need to provide a base URL for the target OpenCTI instance. It should be just the base URL (e.g. https://demo.opencti.io) and not include an additional path for the API or UI.

The simplest authentication method to use is an API key (bearer token). You can find a value for the API key on your profile page in the OpenCTI user interface. Advanced integration settings can be used to configure various OAuth2-based authentication arrangements, and to enter SSL settings for mTLS authentication and for other purposes. For information on setting up the OpenCTI side of an authentication strategy, please refer to OpenCTI’s authentication documentation.

Logs

Indicator

The indicator data stream includes indicators of the following types (threat.indicator.type): artifact, autonomous-system, bank-account, cryptocurrency-wallet, cryptographic-key, directory, domain-name, email-addr, email-message, email-mime-part-type, hostname, ipv4-addr, ipv6-addr, mac-addr, media-content, mutex, network-traffic, payment-card, phone-number, process, software, file, text, url, user-account, user-agent, windows-registry-key, windows-registry-value-type, x509-certificate, unknown.

OpenCTI’s data model closely follows the STIX standard. It supports complex indicators defined using STIX patterns or other languages, and each indicator can be related to one or more observables. In the ECS threat fields the focus is on atomic indicators. This integration fetches as much data as possible about indicators and their related observables, and populates relevant ECS fields wherever possible. It uses related observables rather than the indicator pattern as the data source for type-specific indicator fields.

Expiration of inactive indicators

The opencti.indicator.invalid_or_revoked_from field is set to the earliest time at which an indicator reaches its valid_until time or is marked as revoked. From that time the indicator should no longer be considered active.

An Elastic Transform is created to provide a view of active indicators for end users. This transform creates destination indices that are accessible via the alias logs-ti_opencti_latest.indicator. When querying for active indicators or setting up indicator match rules, use that alias to avoid false positives from expired indicators.

The dashboards show only active indicators, except the Ingestion dashboard, which shows data from both the source data stream and the indices of the latest indicators.

Indicators that are never expired or revoked will not be removed from the indices of the latest indicators. If accumulation of indicators is a problem there, it can be managed upstream in OpenCTI, or by manually deleting indicators from those indices.

To prevent unbounded growth of the source data stream logs-ti_opencti.indicator-*, it has an index lifecycle management (ILM) policy that deletes records 5 days after ingestion.
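The expiry rule above (the earliest of valid_until and the revocation time) and the threat.indicator.type vocabulary listed under Indicator, worked through in code. This is an added example, not code from the Elastic integration or from OpenCTI; it assumes that `modified` stands in for the revocation time, since the indicator payload shown on this page carries no dedicated revocation timestamp, and all sample values are constructed.

```python
"""Added example, not part of the Elastic OpenCTI integration or of OpenCTI:
derive opencti.indicator.invalid_or_revoked_from from an OpenCTI indicator
record, select the indicators still active at a point in time, and map an
OpenCTI observable entity type onto the threat.indicator.type vocabulary."""
from __future__ import annotations

from datetime import datetime
from typing import Optional

# Constructed sample records that mirror the shape of the event.original payload
# shown on this page; all values are made up (reserved example names/addresses).
SAMPLE_INDICATORS = [
    {   # expired before it was revoked: valid_until is the earlier time
        "id": "ind-1", "name": "host-1.example.invalid", "revoked": True,
        "modified": "2023-01-17T05:53:42.851Z",
        "valid_from": "2018-02-05T08:04:53.000Z",
        "valid_until": "2019-02-05T08:04:53.000Z",
        "x_opencti_main_observable_type": "Hostname",
    },
    {   # revoked while still valid: the revocation time is the earlier time
        "id": "ind-2", "name": "198.51.100.7", "revoked": True,
        "modified": "2024-03-01T00:00:00.000Z",
        "valid_from": "2024-01-01T00:00:00.000Z",
        "valid_until": "2025-01-01T00:00:00.000Z",
        "x_opencti_main_observable_type": "IPv4-Addr",
    },
    {   # never expires and not revoked: stays in the latest-indicators indices
        "id": "ind-3", "name": "host-3.example.invalid", "revoked": False,
        "modified": "2024-06-01T00:00:00.000Z",
        "valid_from": "2024-06-01T00:00:00.000Z",
        "valid_until": None,
        "x_opencti_main_observable_type": "Hostname",
    },
]

# threat.indicator.type values listed on this page for the indicator data stream.
ECS_INDICATOR_TYPES = {
    "artifact", "autonomous-system", "bank-account", "cryptocurrency-wallet",
    "cryptographic-key", "directory", "domain-name", "email-addr", "email-message",
    "email-mime-part-type", "hostname", "ipv4-addr", "ipv6-addr", "mac-addr",
    "media-content", "mutex", "network-traffic", "payment-card", "phone-number",
    "process", "software", "file", "text", "url", "user-account", "user-agent",
    "windows-registry-key", "windows-registry-value-type", "x509-certificate",
}


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an OpenCTI ISO 8601 timestamp (trailing Z) into an aware datetime."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def invalid_or_revoked_from(ind: dict) -> Optional[datetime]:
    """Earliest of valid_until and the time the indicator was marked revoked.

    Assumption: the payload carries no dedicated revocation timestamp, so
    `modified` stands in for the revocation time when `revoked` is true.
    Returns None for an indicator that neither expires nor is revoked.
    """
    candidates = [parse_ts(ind.get("valid_until"))]
    if ind.get("revoked"):
        candidates.append(parse_ts(ind.get("modified")))
    known = [t for t in candidates if t is not None]
    return min(known) if known else None


def is_active(ind: dict, at: datetime) -> bool:
    """True when `at` lies inside [valid_from, invalid_or_revoked_from)."""
    valid_from = parse_ts(ind.get("valid_from"))
    if valid_from is not None and at < valid_from:
        return False
    cutoff = invalid_or_revoked_from(ind)
    return cutoff is None or at < cutoff


def active_indicator_ids(indicators: list, at_iso: str) -> list:
    """IDs of the indicators the latest-indicators view should contain at `at_iso`."""
    at = parse_ts(at_iso)
    return [ind["id"] for ind in indicators if is_active(ind, at)]


def ecs_indicator_type(entity_type: str) -> str:
    """Map an OpenCTI entity type such as "IPv4-Addr" to threat.indicator.type.

    Lower-casing covers the types shown on this page (e.g. Hostname -> hostname);
    anything outside the page's vocabulary falls back to "unknown".
    """
    candidate = entity_type.lower()
    return candidate if candidate in ECS_INDICATOR_TYPES else "unknown"


if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        print(ind["id"], invalid_or_revoked_from(ind),
              ecs_indicator_type(ind["x_opencti_main_observable_type"]))
    print("active now:", active_indicator_ids(SAMPLE_INDICATORS, "2024-08-02T05:53:33.529Z"))
```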

Example

Here is an example indicator event:


{
    "@timestamp": "2024-08-02T05:53:33.529Z",
    "agent": {
        "ephemeral_id": "a21855cb-722e-430f-8d9a-e6dfedf565b1",
        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "ti_opencti.indicator",
        "namespace": "82985",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "created": "2018-02-05T08:04:53.000Z",
        "dataset": "ti_opencti.indicator",
        "id": "d019b01c-b637-4eb2-af53-6d527be3193d",
        "ingested": "2024-08-02T05:53:45Z",
        "kind": "enrichment",
        "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":[],\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":[{\"value\":\"information-credibility-6\"},{\"value\":\"osint\"}],\"objectMarking\":[{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}],\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}",
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "opencti": {
        "indicator": {
            "creator_identity_class": "organization",
            "detection": false,
            "invalid_or_revoked_from": "2019-02-05T08:04:53.000Z",
            "is_inferred": false,
            "lang": "en",
            "observables_count": 1,
            "pattern": "[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "revoked": true,
            "score": 40,
            "standard_id": "indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b",
            "valid_from": "2018-02-05T08:04:53.000Z",
            "valid_until": "2019-02-05T08:04:53.000Z"
        },
        "observable": {
            "hostname": {
                "entity_type": "Hostname",
                "id": "b0a91059-5637-4050-8dce-a976a607f75c",
                "standard_id": "hostname--2047cd44-ffae-5b34-b912-5856add59b59",
                "value": "ec2-23-21-172-164.compute-1.amazonaws.com"
            }
        }
    },
    "related": {
        "hosts": [
            "ec2-23-21-172-164.compute-1.amazonaws.com"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "opencti-indicator",
        "information-credibility-6",
        "osint",
        "ecs-indicator-detail"
    ],
    "threat": {
        "feed": {
            "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd",
            "description": "Indicator data from OpenCTI",
            "name": "OpenCTI",
            "reference": "https://docs.opencti.io/latest/usage/overview/"
        },
        "indicator": {
            "confidence": "Low",
            "marking": {
                "tlp": "GREEN"
            },
            "modified_at": "2023-01-17T05:53:42.851Z",
            "name": "ec2-23-21-172-164.compute-1.amazonaws.com",
            "provider": "CthulhuSPRL.be",
            "reference": "http://svc-opencti_stub:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d",
            "type": "hostname",
            "url": {
                "domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                "top_level_domain": "compute-1.amazonaws.com"
            }
        }
    }
}
Exported fields

Fields for indicators of any type are mapped to ECS fields when possible (primarily threat.indicator.*) and otherwise stored with a vendor prefix (opencti.indicator.*).

Fields for related observables of the various types are always stored under opencti.observable.<type>.* and when possible their values will be copied into corresponding ECS fields.

The related.* fields will also be populated with any relevant data.

Timestamps are mapped as follows:

Source | Destination | Description
- | @timestamp | Time the event was received by the pipeline
- | event.ingested | Time the event arrived in the central data store
created | event.created | Time of the indicator’s creation
modified | threat.indicator.modified_at | Time of the indicator’s last modification
valid_from | opencti.indicator.valid_from | Time from which this indicator is considered a valid indicator of the behaviors it is related to or represents
valid_until | opencti.indicator.valid_until | Time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents
- | opencti.indicator.invalid_or_revoked_from | The earliest time at which an indicator reaches its valid_until time or is marked as revoked

The table below lists all opencti.* fields.

The documentation for ECS fields can be found at:

Exported fields
Field Description Type

@timestamp

Time the event was received by the pipeline.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.module

Event module

constant_keyword

input.type

Input type.

keyword

labels.is_ioc_transform_source

Indicates whether an IOC is in the raw source data stream, or the in latest destination index.

constant_keyword

opencti.indicator.creator_identity_class

The type of the creator of this indicator (e.g. "organization").

keyword

opencti.indicator.detection

Whether the indicator has been detected.

boolean

opencti.indicator.external_reference.description

A description for a related record in an external system.

keyword

opencti.indicator.external_reference.external_id

A non-STIX ID for a related record in an external system.

keyword

opencti.indicator.external_reference.source_name

The name of an external source of related records.

keyword

opencti.indicator.external_reference.url

A URL for a related record in an external system.

keyword

opencti.indicator.invalid_or_revoked_from

A time from which this indicator should be considered invalid or revoked.

date

opencti.indicator.is_inferred

Whether the indicator is inferred.

boolean

opencti.indicator.kill_chain_phase

The kill chain name and kill change phase name (e.g. "[mitre-attack] exfiltration").

keyword

opencti.indicator.lang

A language associated with the indicator record.

keyword

opencti.indicator.observables_count

The number of observables related to this indicator, which may exceed the number fetched.

long

opencti.indicator.pattern

The detection pattern for this indicator, expressed as a STIX pattern or using another appropriate language such as SNORT, YARA, etc.

keyword

opencti.indicator.pattern_type

The pattern language used in this indicator.

keyword

opencti.indicator.pattern_version

The version of the pattern language used in this indicator.

keyword

opencti.indicator.revoked

Whether the indicator is revoked.

boolean

opencti.indicator.score

An integer score for the indicator.

long

opencti.indicator.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the indicator.

keyword

opencti.indicator.valid_from

The time from which this indicator is considered a valid indicator of the behaviors it is related to or represents.

date

opencti.indicator.valid_until

The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents.

date

opencti.observable.artifact.additional_names

Additional names of the artifact.

keyword

opencti.observable.artifact.decryption_key

The decryption key for the encrypted binary data.

keyword

opencti.observable.artifact.encryption_algorithm

The type of encryption algorithm the binary data is encoded in, if the artifact is encrypted.

keyword

opencti.observable.artifact.entity_type

The observable type.

keyword

opencti.observable.artifact.hash.md5

MD5 hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.sha1

SHA1 hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.sha256

SHA-256 hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.sha3_256

SHA3-256 hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.sha3_512

SHA3-512 hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.sha512

SHA-512 hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.ssdeep

SSDEEP hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.hash.tlsh

TLSH hash for the contents of the url or the payload_bin.

keyword

opencti.observable.artifact.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.artifact.mime_type

MIME type of the artifact, given as of the values defined in the Template column in the IANA media type registry, when feasible.

keyword

opencti.observable.artifact.payload_bin

The binary data contained in the artifact as a base64-encoded string.

keyword

opencti.observable.artifact.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.artifact.url

A valid URL that resolves to the unencoded content.

keyword

opencti.observable.artifact.value

The main value for the observable.

keyword

opencti.observable.autonomous_system.entity_type

The observable type.

keyword

opencti.observable.autonomous_system.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.autonomous_system.name

The name of the AS.

keyword

opencti.observable.autonomous_system.number

The number assigned to the AS, typically by a Regional Internet Registry (RIR).

long

opencti.observable.autonomous_system.rir

The name of the Regional Internet Registry (RIR) that assigned the number to the AS.

keyword

opencti.observable.autonomous_system.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.autonomous_system.value

The main value for the observable.

keyword

opencti.observable.bank_account.account_number

A bank account number.

keyword

opencti.observable.bank_account.bic

A Bank Identifier Code (BIC).

keyword

opencti.observable.bank_account.entity_type

The observable type.

keyword

opencti.observable.bank_account.iban

An International Bank Account Number (IBAN).

keyword

opencti.observable.bank_account.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.bank_account.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.bank_account.value

The main value for the observable.

keyword

opencti.observable.cryptocurrency_wallet.entity_type

The observable type.

keyword

opencti.observable.cryptocurrency_wallet.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.cryptocurrency_wallet.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.cryptocurrency_wallet.value

A cryptocurrency wallet ID.

keyword

opencti.observable.cryptographic_key.entity_type

The observable type.

keyword

opencti.observable.cryptographic_key.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.cryptographic_key.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.cryptographic_key.value

A cryptographic key.

keyword

opencti.observable.directory.atime

The date/time the directory was last accessed.

date

opencti.observable.directory.ctime

The date/time the directory was created.

date

opencti.observable.directory.entity_type

The observable type.

keyword

opencti.observable.directory.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.directory.mtime

The date/time the directory was last written to/modified.

date

opencti.observable.directory.path

The path, as originally observed, to the directory on the file system.

keyword

opencti.observable.directory.path_enc

The observed encoding for the path, using the IANA character set registry.

keyword

opencti.observable.directory.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.directory.value

The main value for the observable.

keyword

opencti.observable.domain_name.entity_type

The observable type.

keyword

opencti.observable.domain_name.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.domain_name.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.domain_name.value

The value of the domain name, using RFC1034, RFC5890.

keyword

opencti.observable.email_addr.display_name

A single email display name, i.e., the name that is displayed to the human user of a mail application, using RFC5322.

keyword

opencti.observable.email_addr.entity_type

The observable type.

keyword

opencti.observable.email_addr.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.email_addr.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.email_addr.value

The value of the email address, using RFC5322.

keyword

opencti.observable.email_message.attribute_date

The date/time that the email message was sent.

date

opencti.observable.email_message.body

A string containing the email body.

keyword

opencti.observable.email_message.content_type

The value of the "Content-Type" header of the email message.

keyword

opencti.observable.email_message.entity_type

The observable type.

keyword

opencti.observable.email_message.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.email_message.is_multipart

Indicates whether the email body contains multiple MIME parts.

boolean

opencti.observable.email_message.message_id

The Message-ID field of the email message.

keyword

opencti.observable.email_message.received_lines

One or more "Received" header fields that may be included in the email headers.

keyword

opencti.observable.email_message.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.email_message.subject

The subject of the email message.

keyword

opencti.observable.email_message.value

The main value for the observable.

keyword

opencti.observable.email_mime_part_type.body

The contents of the MIME part.

keyword

opencti.observable.email_mime_part_type.content_disposition

The value of the "Content-Disposition" header field of the MIME part.

keyword

opencti.observable.email_mime_part_type.content_type

The value of the "Content-Type" header field of the MIME part.

keyword

opencti.observable.email_mime_part_type.entity_type

The observable type.

keyword

opencti.observable.email_mime_part_type.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.email_mime_part_type.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.email_mime_part_type.value

The main value for the observable.

keyword

opencti.observable.file.additional_names

Additional names of the file.

keyword

opencti.observable.file.atime

The date/time the file was last accessed.

date

opencti.observable.file.content.decryption_key

The decryption key for the encrypted binary data.

keyword

opencti.observable.file.content.encryption_algorithm

The type of encryption algorithm the binary data is encoded in, if the file is encrypted.

keyword

opencti.observable.file.content.payload_bin

The binary data contained in the file as a base64-encoded string.

keyword

opencti.observable.file.content.url

A valid URL that resolves to the unencoded content.

keyword

opencti.observable.file.ctime

The date/time the file was created.

date

opencti.observable.file.entity_type

The observable type.

keyword

opencti.observable.file.hash.md5

MD5 hash for the file.

keyword

opencti.observable.file.hash.sha1

SHA1 hash for the file.

keyword

opencti.observable.file.hash.sha256

SHA-256 hash for the file.

keyword

opencti.observable.file.hash.sha3_256

SHA3-256 hash for the file.

keyword

opencti.observable.file.hash.sha3_512

SHA3-512 hash for the file.

keyword

opencti.observable.file.hash.sha512

SHA-512 hash for the file.

keyword

opencti.observable.file.hash.ssdeep

SSDEEP hash for the file.

keyword

opencti.observable.file.hash.tlsh

TLSH hash for the file.

keyword

opencti.observable.file.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.file.magic_number_hex

The hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable.

keyword

opencti.observable.file.mime_type

MIME type of the file, given as of the values defined in the Template column in the IANA media type registry, when feasible.

keyword

opencti.observable.file.mtime

The date/time the file was last written to/modified.

date

opencti.observable.file.name

The name of the file.

keyword

opencti.observable.file.name_enc

The observed encoding for the name of the file, using the IANA character set registry.

keyword

opencti.observable.file.size

The size of the file, in bytes.

long

opencti.observable.file.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.file.value

The main value for the observable.

keyword

opencti.observable.hostname.entity_type

The observable type.

keyword

opencti.observable.hostname.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.hostname.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.hostname.value

A hostname.

keyword

opencti.observable.ipv4_addr.entity_type

The observable type.

keyword

opencti.observable.ipv4_addr.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.ipv4_addr.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.ipv4_addr.value

The values of one or more IPv4 addresses expressed using CIDR notation.

keyword

opencti.observable.ipv6_addr.entity_type

The observable type.

keyword

opencti.observable.ipv6_addr.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.ipv6_addr.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.ipv6_addr.value

The values of one or more IPv6 addresses expressed using CIDR notation.

keyword

opencti.observable.mac_addr.entity_type

The observable type.

keyword

opencti.observable.mac_addr.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.mac_addr.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.mac_addr.value

The value of a single MAC address.

keyword

opencti.observable.media_content.content

The content of an item of media content.

keyword

opencti.observable.media_content.entity_type

The observable type.

keyword

opencti.observable.media_content.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.media_content.media_category

The category of an item of media content.

keyword

opencti.observable.media_content.publication_date

The publication date of an item of media content.

date

opencti.observable.media_content.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.media_content.title

The title of an item of media content.

keyword

opencti.observable.media_content.url

The URL of an item of media content.

keyword

opencti.observable.media_content.value

The main value for the observable.

keyword

opencti.observable.mutex.entity_type

The observable type.

keyword

opencti.observable.mutex.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.mutex.name

The name of the mutex object.

keyword

opencti.observable.mutex.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.mutex.value

The main value for the observable.

keyword

opencti.observable.network_traffic.dst_byte_count

The number of bytes, as a positive integer, sent from the destination to the source.

long

opencti.observable.network_traffic.dst_packets

The number of packets, as a positive integer, sent from the destination to the source.

long

opencti.observable.network_traffic.dst_port

The destination port used in the network traffic, as an integer.

long

opencti.observable.network_traffic.end

The date/time the network traffic ended, if known.

date

opencti.observable.network_traffic.entity_type

The observable type.

keyword

opencti.observable.network_traffic.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.network_traffic.is_active

Indicates whether the network traffic is still ongoing.

boolean

opencti.observable.network_traffic.protocols

The protocols observed in the network traffic, along with their corresponding state.

keyword

opencti.observable.network_traffic.src_byte_count

The number of bytes, as a positive integer, sent from the source to the destination.

long

opencti.observable.network_traffic.src_packets

The number of packets, as a positive integer, sent from the source to the destination.

long

opencti.observable.network_traffic.src_port

The source port used in the network traffic, as an integer.

long

opencti.observable.network_traffic.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.network_traffic.start

The date/time the network traffic was initiated, if known.

date

opencti.observable.network_traffic.value

The main value for the observable.

keyword

opencti.observable.payment_card.card_number

A payment card number.

keyword

opencti.observable.payment_card.cvv

A Card Verification Value (CVV) for a payment card.

keyword

opencti.observable.payment_card.entity_type

The observable type.

keyword

opencti.observable.payment_card.expiration_date

A payment card expiration date.

date

opencti.observable.payment_card.holder_name

The name of a payment card holder.

long

opencti.observable.payment_card.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.payment_card.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.payment_card.value

The main value for the observable.

keyword

opencti.observable.phone_number.entity_type

The observable type.

keyword

opencti.observable.phone_number.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.phone_number.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.phone_number.value

A phone number.

keyword

opencti.observable.process.aslr_enabled

Whether Address Space Layout Randomization (ASLR) is enabled for the process (on Windows).

boolean

opencti.observable.process.command_line

The full command line used in executing the process, including the process name and any arguments.

keyword

opencti.observable.process.created_time

The date/time at which the process was created.

date

opencti.observable.process.cwd

The current working directory of the process.

keyword

opencti.observable.process.dep_enabled

Whether Data Execution Prevention (DEP) is enabled for the process (on Windows).

boolean

opencti.observable.process.description

Description of the process.

keyword

opencti.observable.process.descriptions

The descriptions defined for the (Windows) service.

keyword

opencti.observable.process.display_name

The display name of the service in Windows GUI controls.

keyword

opencti.observable.process.entity_type

The observable type.

keyword

opencti.observable.process.environment_variables

The list of environment variables associated with the process.

keyword

opencti.observable.process.group_name

The name of the load ordering group of which the (Windows) service is a member.

keyword

opencti.observable.process.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.process.integrity_level

The Windows integrity level, or trustworthiness, of the process.

keyword

opencti.observable.process.is_hidden

Whether the process is hidden.

boolean

opencti.observable.process.owner_sid

The Security ID (SID) value of the owner of the process (on Windows).

keyword

opencti.observable.process.pid

The Process ID, or PID, of the process.

long

opencti.observable.process.priority

The current priority class of the process in Windows.

keyword

opencti.observable.process.service_dll.additional_names

Additional names of the service DLL file.

keyword

opencti.observable.process.service_dll.atime

The date/time the service DLL file was last accessed.

date

opencti.observable.process.service_dll.content.decryption_key

The decryption key for the encrypted binary data of the service DLL file.

keyword

opencti.observable.process.service_dll.content.encryption_algorithm

The type of encryption algorithm the binary data is encoded in, if the service DLL file is encrypted.

keyword

opencti.observable.process.service_dll.content.payload_bin

The binary data contained in the service DLL file as a base64-encoded string.

keyword

opencti.observable.process.service_dll.content.url

A valid URL that resolves to the unencoded content of the service DLL file.

keyword

opencti.observable.process.service_dll.ctime

The date/time the service DLL file was created.

date

opencti.observable.process.service_dll.hash.md5

MD5 hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.sha1

SHA1 hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.sha256

SHA-256 hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.sha3_256

SHA3-256 hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.sha3_512

SHA3-512 hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.sha512

SHA-512 hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.ssdeep

SSDEEP hash for the service DLL file.

keyword

opencti.observable.process.service_dll.hash.tlsh

TLSH hash for the service DLL file.

keyword

opencti.observable.process.service_dll.magic_number_hex

The hexadecimal constant ("magic number") associated with a specific file format that corresponds to the service DLL file, if applicable.

keyword

opencti.observable.process.service_dll.mime_type

MIME type of the service DLL file, given as one of the values defined in the Template column of the IANA media type registry, when feasible.

keyword

opencti.observable.process.service_dll.mtime

The date/time the service DLL file was last written to/modified.

date

opencti.observable.process.service_dll.name

The name of the service DLL file.

keyword

opencti.observable.process.service_dll.name_enc

The observed encoding for the name of the service DLL file, using the IANA character set registry.

keyword

opencti.observable.process.service_dll.size

The size of the service DLL file, in bytes.

long

opencti.observable.process.service_name

The name of the (Windows) service.

keyword

opencti.observable.process.service_status

The type of the (Windows) service.

keyword

opencti.observable.process.service_type

The DLLs loaded by the (Windows) service, as a reference to one or more File objects.

keyword

opencti.observable.process.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.process.start_type

The start options defined for the (Windows) service.

keyword

opencti.observable.process.startup_info

The STARTUP_INFO struct used by the process (on Windows).

flattened

opencti.observable.process.value

The main value for the observable.

keyword

opencti.observable.process.window_title

The title of the main window of the process (on Windows).

keyword

opencti.observable.software.cpe

The Common Platform Enumeration (CPE) entry for the software, if available.

keyword

opencti.observable.software.entity_type

The observable type.

keyword

opencti.observable.software.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.software.languages

The languages supported by the software, using RFC5646.

keyword

opencti.observable.software.name

The name of the software.

keyword

opencti.observable.software.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.software.swid

The Software Identification (SWID) Tags entry for the software, if available.

keyword

opencti.observable.software.value

The main value for the observable.

keyword

opencti.observable.software.vendor

The name of the vendor of the software.

keyword

opencti.observable.software.version

The version of the software.

keyword

opencti.observable.text.entity_type

The observable type.

keyword

opencti.observable.text.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.text.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.text.value

Text.

keyword

opencti.observable.url.entity_type

The observable type.

keyword

opencti.observable.url.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.url.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.url.value

The value of the URL, using RFC3986.

keyword

opencti.observable.user_account.account_created

When the account was created.

date

opencti.observable.user_account.account_expires

The expiration date of the account.

date

opencti.observable.user_account.account_first_login

When the account was first accessed.

date

opencti.observable.user_account.account_last_login

When the account was last accessed.

date

opencti.observable.user_account.account_login

The account login string, where it differs from the user_id.

keyword

opencti.observable.user_account.account_type

The type of the account.

keyword

opencti.observable.user_account.can_escalate_privs

Whether the account has the ability to escalate privileges.

boolean

opencti.observable.user_account.credential

A cleartext credential, not PII.

keyword

opencti.observable.user_account.credential_last_changed

When the account credential was last changed.

date

opencti.observable.user_account.display_name

The display name of the account, to be shown in user interfaces, if applicable.

keyword

opencti.observable.user_account.entity_type

The observable type.

keyword

opencti.observable.user_account.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.user_account.is_disabled

Whether the account is disabled.

boolean

opencti.observable.user_account.is_privileged

Whether the account has elevated privileges.

boolean

opencti.observable.user_account.is_service_account

Indicates that the account is associated with a network service or system process (daemon), not a specific individual.

boolean

opencti.observable.user_account.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.user_account.user_id

The identifier of the account; it may be a numeric ID, a GUID, an account name, an email address, etc.

keyword

opencti.observable.user_account.value

The main value for the observable.

keyword

opencti.observable.user_agent.entity_type

The observable type.

keyword

opencti.observable.user_agent.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.user_agent.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.user_agent.value

An HTTP User-Agent string.

keyword

opencti.observable.windows_registry_key.attribute_key

The full registry key including the hive.

keyword

opencti.observable.windows_registry_key.entity_type

The observable type.

keyword

opencti.observable.windows_registry_key.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.windows_registry_key.modified_time

The last date/time that the registry key was modified.

date

opencti.observable.windows_registry_key.number_of_subkeys

The number of subkeys contained under the registry key.

long

opencti.observable.windows_registry_key.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.windows_registry_key.value

The main value for the observable.

keyword

opencti.observable.windows_registry_value_type.data

The data contained in the registry value.

keyword

opencti.observable.windows_registry_value_type.data_type

The registry (REG_*) data type used in the registry value.

keyword

opencti.observable.windows_registry_value_type.entity_type

The observable type.

keyword

opencti.observable.windows_registry_value_type.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.windows_registry_value_type.name

The name of the registry value.

keyword

opencti.observable.windows_registry_value_type.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.windows_registry_value_type.value

The main value for the observable.

keyword

opencti.observable.x509_certificate.authority_key_identifier

The identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate.

keyword

opencti.observable.x509_certificate.basic_constraints

A multi-valued extension which indicates whether a certificate is a CA certificate.

keyword

opencti.observable.x509_certificate.certificate_policies

A sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.

keyword

opencti.observable.x509_certificate.crl_distribution_points

How CRL information is obtained.

keyword

opencti.observable.x509_certificate.entity_type

The observable type.

keyword

opencti.observable.x509_certificate.extended_key_usage

A list of usages indicating the purposes for which the certificate public key can be used.

keyword

opencti.observable.x509_certificate.hash.md5

MD5 hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.sha1

SHA1 hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.sha256

SHA-256 hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.sha3_256

SHA3-256 hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.sha3_512

SHA3-512 hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.sha512

SHA-512 hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.ssdeep

SSDEEP hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.hash.tlsh

TLSH hash calculated for the entire contents of the certificate.

keyword

opencti.observable.x509_certificate.id

The ID of the observable in OpenCTI.

keyword

opencti.observable.x509_certificate.inhibit_any_policy

The number of additional certificates that may appear in the path before anyPolicy is no longer permitted.

keyword

opencti.observable.x509_certificate.is_self_signed

Whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies.

boolean

opencti.observable.x509_certificate.issuer

The name of the Certificate Authority that issued the certificate.

keyword

opencti.observable.x509_certificate.issuer_alternative_name

The additional identities to be bound to the issuer of the certificate.

keyword

opencti.observable.x509_certificate.key_usage

A multi-valued extension consisting of a list of names of the permitted key usages.

keyword

opencti.observable.x509_certificate.name_constraints

A namespace within which all subject names in subsequent certificates in a certification path are located.

keyword

opencti.observable.x509_certificate.policy_constraints

Any constraints on path validation for certificates issued to CAs.

keyword

opencti.observable.x509_certificate.policy_mappings

One or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy.

keyword

opencti.observable.x509_certificate.private_key_usage_period_not_after

The date on which the validity period ends for the private key, if it is different from the validity period of the certificate.

date

opencti.observable.x509_certificate.private_key_usage_period_not_before

The date on which the validity period begins for the private key, if it is different from the validity period of the certificate.

date

opencti.observable.x509_certificate.serial_number

The unique identifier for the certificate, as issued by a specific Certificate Authority.

keyword

opencti.observable.x509_certificate.signature_algorithm

The name of the algorithm used to sign the certificate.

keyword

opencti.observable.x509_certificate.standard_id

A predictable STIX ID, generated based on one or multiple attributes of the observable.

keyword

opencti.observable.x509_certificate.subject

The name of the entity associated with the public key stored in the subject public key field of the certificate.

keyword

opencti.observable.x509_certificate.subject_alternative_name

The additional identities to be bound to the subject of the certificate.

keyword

opencti.observable.x509_certificate.subject_directory_attributes

The identification attributes (e.g., nationality) of the subject.

keyword

opencti.observable.x509_certificate.subject_key_identifier

The identifier that provides a means of identifying certificates that contain a particular public key.

keyword

opencti.observable.x509_certificate.subject_public_key_algorithm

The name of the algorithm with which to encrypt data being sent to the subject.

keyword

opencti.observable.x509_certificate.subject_public_key_exponent

The exponent portion of the subject’s public RSA key, as an integer.

long

opencti.observable.x509_certificate.subject_public_key_modulus

The modulus portion of the subject’s public RSA key.

keyword

opencti.observable.x509_certificate.validity_not_after

The date on which the certificate validity period ends.

date

opencti.observable.x509_certificate.validity_not_before

The date on which the certificate validity period begins.

date

opencti.observable.x509_certificate.value

The main value for the observable.

keyword

opencti.observable.x509_certificate.version

The version of the encoded certificate.

keyword

threat.indicator.file.hash.sha3_256

SHA3-256 hash.

keyword

threat.indicator.file.hash.sha3_512

SHA3-512 hash.

keyword

threat.indicator.first_seen

The date and time when the intelligence source first reported sighting this indicator.

date

threat.indicator.last_seen

The date and time when the intelligence source last reported sighting this indicator.

date

threat.indicator.modified_at

The date and time when the intelligence source last modified information for this indicator.

date

threat.indicator.type

Type of indicator as represented by a Cyber Observable in STIX 2.1 or OpenCTI.

keyword

Changelog

Version, Details, Kibana version(s)

2.4.0

Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".

2.3.4

Bug fix (View pull request)
Fix labels.is_ioc_transform_source values

8.13.0 or higher

2.3.3

Bug fix (View pull request)
Add missing fields in transform

8.13.0 or higher

2.3.2

Bug fix (View pull request)
Fix ECS date mapping on threat fields.

8.13.0 or higher

2.3.1

Bug fix (View pull request)
Ignore missing createdBy, improve registry hive name handling.

8.13.0 or higher

2.3.0

Enhancement (View pull request)
Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.2.0

Enhancement (View pull request)
Extend threat.indicator.type definition to allow ECS conformance.

8.12.0 or higher

2.1.1

Bug fix (View pull request)
Adjust field mappings for transform destination index.

8.12.0 or higher

2.1.0

Enhancement (View pull request)
Set sensitive values as secret.

8.12.0 or higher

2.0.0

Bug fix (View pull request)
Update for OpenCTI v5.12.24 GraphQL schema change

8.10.1 or higher

1.1.0

Enhancement (View pull request)
Add support for IOC expiration

8.10.1 or higher

1.0.1

Enhancement (View pull request)
Changed owners

8.9.0 or higher

1.0.0

Enhancement (View pull request)
Release package as GA.

8.9.0 or higher

0.3.5

Bug fix (View pull request)
Keep expected nulls, improve error handling

0.3.4

Enhancement (View pull request)
Tolerate suffixes on the OpenCTI instance URL

0.3.3

Bug fix (View pull request)
Support OpenCTI 5.12.X by removing filters parameter

0.3.2

Bug fix (View pull request)
Fix processing of externalReferences.

0.3.1

Bug fix (View pull request)
Fix event.original field type conflict

0.3.0

Enhancement (View pull request)
Limit request tracer log count to five.

0.2.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

0.1.0

Enhancement (View pull request)
Initial version of the package