OpenCTI

Serverless Observability Serverless Security Stack 9.0.0

The OpenCTI integration allows you to ingest data from the OpenCTI threat intelligence platform.

Use this integration to get indicator data from OpenCTI. You can monitor and explore the ingested data on the OpenCTI dashboard or in Kibana's Discover tab. Indicator match rules in Elastic Security can then use the ingested indicator data to generate alerts about detected threats.

The OpenCTI integration collects one type of data stream: indicator.

Indicator are lists of records created over time. Each event in the Indicator data stream collected by the OpenCTI integration is an indicator that can be used to detect suspicious or malicious cyber activity. The data is fetched from OpenCTI's GraphQL API.

This integration requires Filebeat version 8.16.0, or later.

It has been updated for OpenCTI version 6.1.0 and requires that version or later.

For additional information about threat intelligence integrations, including the steps required to add an integration, please refer to the Enable threat intelligence integrations page of the Elastic Security documentation.

When adding the OpenCTI integration, you will need to provide a base URL for the target OpenCTI instance. It should be just the base URL (e.g. https://demo.opencti.io) and not include an additional path for the API or UI.

The simplest authentication method to use is an API key (bearer token). You can find a value for the API key on your profile page in the OpenCTI user interface. Advanced integration settings can be used to configure various OAuth2-based authentication arrangements, and to enter SSL settings for mTLS authentication and for other purposes. For information on setting up the OpenCTI side of an authentication strategy, please refer to OpenCTI's authentication documentation.

The OpenCTI integration supports advanced filtering capabilities to help you control which indicators are ingested. This allows you to focus on specific types of indicators, confidence levels, authors, or time ranges that are most relevant to your security operations.

The following filters can be configured when setting up the integration (Note: The integration automatically filters for entity type 'Indicator' only):

• Pattern Types: Filter indicators by pattern type (e.g., 'stix'). The values are customizable in OpenCTI, and any custom pattern types defined in your OpenCTI instance are supported (if an observable is associated).

• Indicator Types: Filter indicators by type. Values are customizable in OpenCTI. Common defaults include: 'malicious-activity', 'attribution', 'benign', 'anomalous-activity', 'compromised', 'unknown'. Custom types defined in your OpenCTI instance are also supported.

• Revoked Status: Filter by revoked status. Set to 'true' to get only revoked indicators, 'false' for only active (non-revoked) indicators, or leave empty to get all indicators regardless of revoked status.

• Valid From (Start Date): Filter indicators with valid_from date after this date. Use ISO 8601 format (e.g., '2024-01-01T00:00:00Z') or relative date expressions (e.g., 'now-30d', 'now-7d').

• Valid Until (End Date): Filter indicators with valid_until date before this date. Use ISO 8601 format (e.g., '2024-12-31T23:59:59Z') or relative date expressions (e.g., 'now+30d', 'now+7d').

• Label IDs: Filter by label IDs. Enter the UUIDs of the labels to filter indicators that have these labels applied. Important: You must use label IDs (UUIDs), not label names. You can find label IDs in the OpenCTI interface by navigating to Settings > Taxonomies > Labels, or via the API.

• Minimum Confidence Level: Filter indicators with confidence level greater than or equal to a specified value (0-100).

• Author IDs: Filter by author IDs (createdBy relationship). Enter the UUIDs of the authors to filter indicators created by them. Important: You must use author IDs (UUIDs), not author names. You can find author IDs in the OpenCTI interface by clicking on an entity and checking its details, or via the API.

• Creator IDs: Filter by technical creator IDs. Enter the UUIDs of the internal users who created the indicators in OpenCTI.

• Created After: Filter indicators created after a specific date. Use ISO 8601 format (e.g., '2024-01-01T00:00:00Z') or relative date expressions (e.g., 'now-30d', 'now-7d', 'now-24h').

• Modified After: Filter indicators modified after a specific date. Use ISO 8601 format (e.g., '2024-01-01T00:00:00Z') or relative date expressions (e.g., 'now-30d', 'now-7d', 'now-24h').

• Marking Definition IDs: Filter by marking definitions (e.g., TLP levels). Enter the UUIDs of the marking definitions. Important: You must use marking definition IDs (UUIDs), not names. Common TLP marking IDs:

  • TLP:CLEAR (TLP:WHITE): marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da
  • TLP:GREEN: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
  • TLP:AMBER: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
  • TLP:RED: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1

Here are some practical examples of filter configurations:

1. High-confidence indicators only: Set Minimum Confidence Level to 75 to ingest only indicators with high confidence.

2. Active threat indicators: Set Indicator Types to ['malicious-activity', 'compromised'] and Revoked Status to 'false' to focus on active, non-revoked threats.

3. Currently valid indicators: Set Valid From (Start Date) to 'now-365d' and Valid Until (End Date) to 'now+30d' to get indicators that are currently within their validity period.

4. Recent indicators: Set Created After to 'now-7d' to collect only indicators created in the last 7 days.

5. Specific pattern types: Set Pattern Types to ['stix'] to collect only STIX pattern indicators, or include your custom pattern types defined in OpenCTI.

6. Specific campaign tracking: Use Label IDs filter with specific campaign label UUIDs (e.g., ['550e8400-e29b-41d4-a716-446655440000']) to track indicators related to particular threat campaigns.

7. Indicators from specific sources: Use Author IDs with the UUIDs of specific threat intelligence sources (e.g., ['123e4567-e89b-12d3-a456-426655440000']) to filter indicators from trusted sources.

8. Recently modified high-value indicators: Combine Modified After set to 'now-24h', Minimum Confidence Level to 80, and Revoked Status to 'false' to get recently updated, high-confidence active indicators.

9. TLP-restricted indicators: Use Marking Definition IDs with TLP:CLEAR and TLP:GREEN UUIDs to only ingest indicators that are safe to share broadly: ['marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da', 'marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb'].

All filters work together using AND logic at the top level. Within each multi-value filter (like pattern types or label IDs), OR logic is applied between values.

The OpenCTI integration supports running on multiple Elastic Agents for high availability. When multiple agents fetch the same indicators:

• Automatic Deduplication: The integration uses a fingerprint-based document ID to prevent duplicates. Each indicator gets a consistent ID based on its standard_id and modified timestamp.
• No Manual Configuration Needed: Deduplication works automatically - just deploy the integration to multiple agents.
• Update Handling: When an indicator is updated in OpenCTI, the new version replaces the old one in Elasticsearch.

1. Stagger Execution Times: To avoid all agents hitting OpenCTI simultaneously, consider offsetting their schedules slightly (e.g., Agent 1 at :00, Agent 2 at :02).
2. Use the Same Configuration: Ensure all agents use identical filter settings to fetch the same dataset.
3. Monitor Performance: Check OpenCTI server load when multiple agents are polling.

Since several filters require UUIDs rather than names, here are ways to find these IDs:

1. Label IDs:

   • In OpenCTI UI: Navigate to Settings → Taxonomies → Labels. Click on a label to see its ID in the URL or details.
   • Via API: Query the labels endpoint to list all labels with their IDs.

2. Author IDs:

   • In OpenCTI UI: Click on any entity that has an author, then click on the author name to see its details including the ID.
   • Via API: Query the identities endpoint to list all identities (organizations, individuals) with their IDs.

3. Creator IDs:

   • In OpenCTI UI: Navigate to Settings → Security → Users to see user IDs.
   • Via API: Query the users endpoint (requires appropriate permissions).

For more information about OpenCTI's filtering system, refer to the OpenCTI filters documentation.

The indicator data stream includes indicators of the following types (threat.indicator.type): artifact, autonomous-system, bank-account, cryptocurrency-wallet, cryptographic-key, directory, domain-name, email-addr, email-message, email-mime-part-type, hostname, ipv4-addr, ipv6-addr, mac-addr, media-content, mutex, network-traffic, payment-card, phone-number, process, software, file, text, url, user-account, user-agent, windows-registry-key, windows-registry-value-type, x509-certificate, unknown.

OpenCTI's data model closely follows the STIX standard. It supports complex indicators defined using STIX patterns or other languages, and each indicator can be related to one or more observables. In the ECS threat fields the focus is on atomic indicators. This integration fetches as much data as possible about indicators and their related observables, and populates relevant ECS fields wherever possible. It uses related observables rather than the indicator pattern as the data source for type-specific indicator fields.

The opencti.indicator.invalid_or_revoked_from field is set to the earliest time at which an indicator reaches its valid_until time or is marked as revoked. From that time the indicator should no longer be considered active.

An Elastic Transform is created to provide a view of active indicators for end users. This transform creates destination indices that are accessible via the alias logs-ti_opencti_latest.indicator. When querying for active indicators or setting up indicator match rules, use that alias to avoid false positives from expired indicators.

The dashboards show only active indicators, except the Ingestion dashboard, which shows data from both the source data stream and the indices of the latest indicators.

Indicators that are never expired or revoked will not be removed from the indices of the latest indicators. If accumulation of indicators is a problem there, it can be managed upstream in OpenCTI, or by manually deleting indicators from those indices.

To prevent unbounded growth of the source data stream logs-ti_opencti.indicator-*, it has an index lifecycle management (ILM) policy that deletes records 5 days after ingestion.

Here is an example indicator event:

{
    "@timestamp": "2025-11-05T11:37:38.726Z",
    "agent": {
        "ephemeral_id": "638d123f-09b5-4d0f-aa84-168b3e311640",
        "id": "d9bcb055-c833-401c-836b-698a37b90613",
        "name": "elastic-agent-20893",
        "type": "filebeat",
        "version": "9.1.3"
    },
    "data_stream": {
        "dataset": "ti_opencti.indicator",
        "namespace": "26786",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d9bcb055-c833-401c-836b-698a37b90613",
        "snapshot": false,
        "version": "9.1.3"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "created": "2018-02-05T08:04:53.000Z",
        "dataset": "ti_opencti.indicator",
        "id": "d019b01c-b637-4eb2-af53-6d527be3193d",
        "ingested": "2025-11-05T11:37:41Z",
        "kind": "enrichment",
        "module": "ti_opencti",
        "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":[],\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":[{\"value\":\"information-credibility-6\"},{\"value\":\"osint\"}],\"objectMarking\":[{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}],\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":false,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}",
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "labels": {
        "is_ioc_transform_source": "true"
    },
    "opencti": {
        "indicator": {
            "creator_identity_class": "organization",
            "detection": false,
            "invalid_or_revoked_from": "2019-02-05T08:04:53.000Z",
            "is_inferred": false,
            "lang": "en",
            "observables_count": 1,
            "pattern": "[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "revoked": false,
            "score": 40,
            "standard_id": "indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b",
            "valid_from": "2018-02-05T08:04:53.000Z",
            "valid_until": "2019-02-05T08:04:53.000Z"
        },
        "observable": {
            "hostname": {
                "entity_type": "Hostname",
                "id": "b0a91059-5637-4050-8dce-a976a607f75c",
                "standard_id": "hostname--2047cd44-ffae-5b34-b912-5856add59b59",
                "value": "ec2-23-21-172-164.compute-1.amazonaws.com"
            }
        }
    },
    "related": {
        "hosts": [
            "ec2-23-21-172-164.compute-1.amazonaws.com"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "opencti-indicator",
        "information-credibility-6",
        "osint",
        "ecs-indicator-detail"
    ],
    "threat": {
        "feed": {
            "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd",
            "description": "Indicator data from OpenCTI",
            "name": "OpenCTI",
            "reference": "https://docs.opencti.io/latest/usage/overview/"
        },
        "indicator": {
            "confidence": "Low",
            "marking": {
                "tlp": "GREEN"
            },
            "modified_at": "2023-01-17T05:53:42.851Z",
            "name": "ec2-23-21-172-164.compute-1.amazonaws.com",
            "provider": "CthulhuSPRL.be",
            "reference": "http://svc-opencti_stub:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d",
            "type": "hostname",
            "url": {
                "domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                "top_level_domain": "compute-1.amazonaws.com"
            }
        }
    }
}
		

Fields for indicators of any type are mapped to ECS fields when possible (primarily threat.indicator.*) and otherwise stored with a vendor prefix (opencti.indicator.*).

Fields for related observables of the various types are always stored under opencti.observable.<type>.* and when possible their values will be copied into corresponding ECS fields.

The related.* fields will also be populated with any relevant data.

Timestamps are mapped as follows:

The table below lists all opencti.* fields.

The documentation for ECS fields can be found at:

• ECS Event Fields
• ECS Threat Fields
• ECS Related Fields

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

← →

×

×

×

×