Skip to main content

OpenCTI Plugin

OpenCTI connector which enriches your knowledge by using CrowdSec's CTI API. It enriches knowledge about every incoming IP in OpenCTI by looking it up in CrowdSec CTI.

Installation

Via Docker Compose using official repo

Add a connector-crowdsec in your docker-compose.yml file containing your OpenCTI deployment. Replace environment value changeme with appropriate values.

connector-crowdsec:
    image: opencti/connector-crowdsec:5.5.2
    environment:
      - OPENCTI_URL=http://changeme
      - OPENCTI_TOKEN=changeme
      - CROWDSEC_VERSION=v2
      - CROWDSEC_KEY=changeme
      - CROWDSEC_DESCRIPTION=crowdsec_desc
      - CROWDSEC_MAX_TLP=TLP:AMBER
      - CONNECTOR_ID=changeme
      - CONNECTOR_TYPE=INTERNAL_ENRICHMENT
      - CONNECTOR_NAME=crowdsec
      - CONNECTOR_SCOPE=IPv4-Addr # MIME type or Stix Object
      - CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=info
    restart: always

Manual activation

If you want to manually launch connector, you just have to install Python 3 and pip3 for dependencies:

$ apt install python3 python3-pip

Download the release of the connectors:

$ wget <https://github.com/OpenCTI-Platform/connectors/archive/{RELEASE_VERSION}.zip>
$ unzip {RELEASE_VERSION}.zip
$ cd connectors-{RELEASE_VERSION}/internal-enrichment/crowdsec

Install dependencies and initialize the configuration:

$ pip3 install -r requirements.txt
$ cp config.yml.sample config.yml

The config.yml initially contains the following contents.

opencti:
  url: 'http://localhost:8080'
  token: ChangeMe

connector:
  id: ChangeMe
  type: 'INTERNAL_ENRICHMENT'
  name: 'CrowdSec'
  scope: 'IPv4-Addr' # MIME type or SCO
  confidence_level: 80 # From 0 (Unknown) to 100 (Fully trusted)
  log_level: 'info'
  auto: true

crowdsec:
  key: ChangeMe
  api_version: v2
  name: CrowdSec
  description: CrowdSec CTI
  max_tlp: 'TLP:AMBER'

Replace opencti.token with your openCTI token Replace connector.id with an ID of your choice. Replace crowdsec.key with your CrowdSec CTI API key. See instructions about obtaining it

Finally run the connector

$ python3 crowdsec.py

Usage

Make sure the crowdsec connector is registered, by navigating to http://<opencti_host>/dashboard/data/connectors

Whenever an IP object is imported in your OpenCTI instancem, it will get enriched automatically by CrowdSec knowledge.

OpenCTI enriched

CrowdSec ConsoleCrowdSec Console