Indicators
Ingests Indicators of Compromise (IOCs) from OpenCTI via GraphQL for threat intelligence integration and analysis.
Sync Type: Incremental
Description
The OpenCTI Indicators input connector retrieves threat indicator data from your OpenCTI instance. Indicators represent observations about suspicious activity or artifacts that may indicate compromise, such as file hashes, IP addresses, domain names, email addresses, and URLs. This input provides continuous visibility into threat intelligence data from your OpenCTI deployment.
Requirements
Before configuring this input, you need:
-
OpenCTI Instance: An operational OpenCTI instance with API access enabled
- Cloud-hosted or on-premises deployment
- GraphQL API endpoint accessible from Monad
-
API Credentials: An API key with proper permissions
- API keys can be created by OpenCTI users with appropriate roles
- The API key is used as a Bearer token for authentication
-
Network Access: Ensure network connectivity between Monad and your OpenCTI instance
- For Monad SaaS deployments, verify firewall rules allow connections to your OpenCTI GraphQL endpoint
- For on-premises Monad deployments, ensure your network permits outbound connections
Setup Instructions
-
Generate an API Key:
- Log in to your OpenCTI instance with administrator or privileged user account
- Navigate to Profile > Settings > API access
- Click Create a new token or Generate new API key
- Copy the generated API key and store it securely (this is the secret for configuration)
- Note the API key cannot be viewed again after generation
-
Obtain the Endpoint URL:
- Identify your OpenCTI instance base URL (e.g.,
https://opencti.example.comorhttps://opencti-prod.mycompany.net) - The GraphQL endpoint will be at
{base_url}/graphql
- Identify your OpenCTI instance base URL (e.g.,
-
Configure the Connector:
- Use the API key and base URL in the configuration settings
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Default | Description |
|---|---|---|---|---|
| Endpoint URL | string | Yes | - | Base URL of your OpenCTI instance (e.g., https://opencti.example.com) |
| Minimum Confidence | integer | No | 50 | Minimum confidence score for indicators (0-100). Only indicators with confidence >= this value are ingested. |
| Pattern Type | string | No | "stix" | STIX pattern type filter for indicators (e.g., "stix"). Set to empty string to include all pattern types. |
| Filter Mode | string | Yes | "and" | Logical operator for combining filters: "and" or "or" |
| Backfill Start Time | string | No | - | Start time for initial data fetch in RFC3339 format (e.g., 2024-01-01T00:00:00Z). If not specified, only new indicators created after the first sync will be fetched on subsequent runs. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| API Key | string | Yes | API key used as a Bearer token for authentication against the OpenCTI instance. |
Troubleshooting
Common Issues
-
Authentication Errors:
- Verify the API key is correct and has not expired or been revoked
- Confirm the API key was created for the correct OpenCTI user/role
- Check that the API key still has access permissions in OpenCTI
- Regenerate the API key if needed and update the configuration
-
Connection Issues:
- Verify the Endpoint URL is correct and accessible from your network
- Check for firewall or network restrictions blocking access to the OpenCTI instance
- Ensure the URL uses HTTPS (HTTP endpoints are rejected for security)
- For on-premises instances, verify DNS resolution and routing
-
Invalid Confidence Score:
- Confidence must be a number between 0 and 100
- Default is 50 if not specified
- Common values: 0 (all indicators), 50 (medium and above), 75 (high and above), 100 (only highest confidence)
-
Filter Mode Errors:
- Filter mode must be either "and" or "or" (case-sensitive, lowercase only)
- Default is "and" if not specified
- "and" means all filters must be satisfied; "or" means any filter can be satisfied
-
No Data Retrieved:
- Check if indicators exist in your OpenCTI instance with the configured confidence level
- Verify the pattern type filter matches indicators in your instance (empty string includes all types)
- Check the backfill start time; if set to a future date, no data will be retrieved
- Review connector logs for detailed error messages
-
Invalid Backfill Start Time:
- Backfill start time must be in RFC3339 format (e.g.,
2024-01-01T00:00:00Z) - The timestamp cannot be in the future
- Backfill time affects only the initial sync; subsequent syncs use the saved cursor timestamp
- Backfill start time must be in RFC3339 format (e.g.,
Related Articles
Sample Record
{
"id": "indicator--f61078c4-e59f-404e-8b5e-8f7f2f5e4a3d",
"standard_id": "indicator--f61078c4-e59f-404e-8b5e-8f7f2f5e4a3d",
"entity_type": "Indicator",
"name": "example.com",
"description": "Malicious domain associated with Emotet botnet",
"pattern": "[domain-name:value = 'example.com']",
"pattern_type": "stix",
"valid_from": "2024-01-15T10:30:00Z",
"valid_until": "2025-01-15T10:30:00Z",
"x_opencti_score": 85,
"confidence": 90,
"created_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-16T14:22:15Z",
"created": "2024-01-15T10:30:00Z",
"modified": "2024-01-16T14:22:15Z",
"objectMarking": [
{
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"standard_id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"entity_type": "Marking-Definition",
"definition_type": "tlp",
"definition": "tlp:amber",
"x_opencti_order": 2,
"x_opencti_color": "#FBB917"
}
],
"objectLabel": [
{
"id": "label--f1c1de4d-60cd-4e13-8e67-399788629775",
"value": "malware",
"color": "#d90e18"
},
{
"id": "label--36218b84-3861-514a-8360-29160fbee5a9",
"value": "emotet",
"color": "#ff5500"
}
],
"killChainPhases": [
{
"id": "kill-chain-phase--b6e30425-13c7-40eb-8bfc-e1da1527367d",
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control",
"x_opencti_order": 6
}
]
}