OpenCTI Connectors
AbuseIPDB IP BlackList
Tags: Open Source Threat Intel
The AbuseIPDB Blacklist connector lets you ingest the IP addresses present in the AbuseIPDB blacklist database. The blacklist is the list of IP addresses most reported by AbuseIPDB users.
Connector type: External import

Accenture ACTI
Tags: Commercial Threat Intel
The OpenCTI Accenture ACTI connector integrates threat intelligence from Accenture's Cyber Threat Intelligence (ACTI) service directly into OpenCTI. Accenture ACTI provides threat reporting based on research and analysis of global cyber threats, covering threat actors, campaigns, malware families, and emerging attack techniques.
Connector type: External import

AlienVault OTX
Tags: Open Source Threat Intel
AlienVault OTX provides open access to a global community of threat researchers and security professionals, delivering community-generated threat data that supports collaborative research.
Connector type: External import

Bambenek Consulting
Tags: Commercial Threat Intel
The Bambenek connector ingests indicators of compromise (IOCs) from Bambenek Consulting feeds.
Connector type: External import

CAPE Feed
Tags: Malware Analysis; Threat Intelligence
CAPE Sandbox is open-source software for automating the analysis of suspicious files. The CAPE Sandbox connector imports its malware analysis results into OpenCTI.
Connector type: External import

CISA Known Exploited Vulnerabilities (KEV)
Tags: Open Source Threat Intel; Vulnerability Management
CISA KEV (Known Exploited Vulnerabilities) is a catalog maintained by the Cybersecurity and Infrastructure Security Agency that lists vulnerabilities known to be actively exploited in the wild.
Connector type: External import

CRITs
Tags: Threat Intelligence
The CRITs connector migrates threat data from CRITs into OpenCTI, easing the transition between the two platforms.
Connector type: External import

CrowdStrike Falcon Intelligence
Tags: Commercial Threat Intel
CrowdStrike Falcon Intelligence is the threat intelligence module of the Falcon platform, designed to speed up threat detection, investigation, and response.
Connector type: External import

NIST NVD CVE
Tags: Vulnerability Management; Open Source Threat Intel
The NVD supports automated vulnerability management, security measurement, and compliance processes by providing databases that include:
• Vulnerability catalogs
• Software vulnerability details
• Product identifiers
• Severity scoring metrics
Connector type: External import

DISARM Framework
Tags: Open Source Threat Intel
DISARM is a framework for describing and understanding disinformation incidents. This connector imports the DISARM framework into OpenCTI.
Connector type: External import

DISINFOX
Tags: Threat Intelligence; FIMI
DISINFOX is a threat intelligence exchange platform developed by the University of Murcia, Spain, specialised in disinformation campaigns and fake news. It distributes intelligence about disinformation campaigns and fake news in real time so that organisations with CTI capabilities can act on it.
Connector type: External import

Doppel
Tags: Commercial Threat Intel
Doppel is a digital risk protection solution that detects phishing and brand attacks across channels such as social media, domains, ads, and the dark web. By identifying malicious content and threats early, Doppel helps organisations remove digital risks proactively.
Connector type: External import

Dragos
Tags: Commercial Threat Intel
Dragos is a cybersecurity company specializing in industrial control systems (ICS) and operational technology (OT) security. Their platform provides threat intelligence, incident response, and vulnerability management tailored to ICS/OT environments.
Connector type: External import

Email Intel IMAP
Tags: Email; Threat Intelligence
The Email Intel IMAP connector enables the ingestion of cyber threat intelligence reports received via email into the OpenCTI platform using the IMAP protocol.
Connector type: External import

Email Intel Microsoft
Tags: Email; Threat Intelligence
The Email Intel Microsoft connector allows for the ingestion of cyber threat intelligence reports received via email in a Microsoft 365/Exchange Online mailbox.
Connector type: External import

Feedly
Tags: Commercial Threat Intel
The Feedly connector imports curated intelligence from Feedly into OpenCTI.
Connector type: External import

Flashpoint
Tags: Commercial Threat Intel
Flashpoint Ignite consolidates intelligence tailored to different teams into a single workspace, so that security teams can connect, collaborate, and remediate risk with timely, current intelligence.
Connector type: External import

Google Threat Intelligence
Tags: Commercial Threat Intel
Google Threat Intelligence provides broad visibility into threats, delivering detailed and timely intelligence to security teams worldwide.
Connector type: External import

GreyNoise Feed
Tags: Commercial Threat Intel
GreyNoise distinguishes benign internet-wide scanning noise from real threats, reducing false positives. The connector automatically ingests GreyNoise IP threat data into OpenCTI, improving detection accuracy.
Connector type: External import

HarfangLab Incidents
Tags: Incident Response & Ticketing; EDR
The HarfangLab connector imports endpoint incident data from HarfangLab EDR into OpenCTI.
Connector type: External import

Hunt.io
Tags: Commercial Threat Intel
The Hunt.io connector imports observables linked to C2 infrastructure detected by Hunt.io sensors.
Connector type: External import

IBM X-Force
Tags: Commercial Threat Intel
The IBM X-Force connector integrates X-Force threat reports and IOCs into OpenCTI.
Connector type: External import

Infoblox
Tags: Commercial Threat Intel
The Infoblox connector imports threat indicators and observables from Infoblox into OpenCTI.
Connector type: External import

Cognyte Luminar
Tags: Commercial Threat Intel
Cognyte provides security analytics software to governments and enterprises. Its platform fuses, analyzes and visualizes disparate data sets at scale to help security organizations find the needles in the haystacks.
Connector type: External import

Mandiant
Tags: Commercial Threat Intel
Import threat actors, malware, campaigns, vulnerabilities, and indicators from Mandiant Advantage.
Connector type: External import

MISP
Tags: Open Source Threat Intel
Import threat intelligence events, indicators, and observables from MISP instances.
Connector type: External import

MITRE ATLAS
Tags: Open Source Threat Intel
MITRE ATLAS is a globally accessible, living knowledge base of adversary tactics and techniques against AI-enabled systems, based on real-world attack observations and realistic demonstrations from AI red teams and security groups.
Connector type: External import

MITRE ATT&CK
Tags: Open Source Threat Intel
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Connector type: External import

Phishunt
Tags: Open Source Threat Intel; Phishing
Phishunt tracks and analyzes phishing threats, helping organizations detect and mitigate email-based attacks. The connector automatically imports up-to-date phishing intelligence into OpenCTI.
Connector type: External import

Proofpoint TAP
Tags: Commercial Threat Intel; Incident Response & Ticketing; Phishing
The Proofpoint TAP connector for OpenCTI allows for the ingestion of phishing campaign data from Proofpoint TAP into the OpenCTI platform.
Connector type: External import

Ransomware.live
Tags: Open Source Threat Intel
Ransomware.live is a threat intelligence service focused on ransomware activity, providing real-time insight into ransomware campaigns.
Connector type: External import

Recorded Future
Tags: Commercial Threat Intel
Recorded Future is a cybersecurity company that specializes in providing real-time threat intelligence to help organizations anticipate, identify, and mitigate cyber threats.
Connector type: External import

Red Flag Domains
Tags: Open Source Threat Intel
Red Flag Domains publishes lists of very recently registered, probably malicious domain names in French TLDs.
Connector type: External import

Sekoia.io
Tags: Commercial Threat Intel
Sekoia.io Cyber Threat Intelligence provides digestible, relevant reports on the evolving threat landscape, accessible to a broad audience.
Connector type: External import

SentinelOne Incidents
Tags: Incident Response & Ticketing; SIEM & Analytics
SentinelOne delivers EDR with AI-driven threat detection and autonomous response. The OpenCTI SentinelOne Incidents connector ingests alert data from SentinelOne into the OpenCTI threat intelligence platform, so that security teams can centralise and enrich SentinelOne incident data for analysis and response.
Connector type: External import

ServiceNow
Tags: Incident Response & Ticketing
Ingests ServiceNow Security Incident Response (SIR) records and Security Incident Tasks (SIT) into OpenCTI as Case Incidents and Tasks.
Connector type: External import

Silobreaker
Tags: Commercial Threat Intel
Silobreaker helps organizations transform data from millions of open and dark web sources into timely, actionable intelligence for a range of use cases.
Connector type: External import

SOC Prime
Tags: Commercial Threat Intel
SOC Prime builds collective cyber defense by fusing Detection as Code, Sigma, and MITRE ATT&CK® to help teams proactively defend against emerging threats.
Connector type: External import

SpyCloud
Tags: Incident Response & Ticketing
SpyCloud monitors and tracks compromised data, such as login credentials and personal information, across the web and other sources.
Connector type: External import

Tenable Security Center
Tags: Vulnerability Management
Tenable provides vulnerability management for IT infrastructures, using detailed assessments and analytics to reduce cyber risk. This connector imports vulnerability data from Tenable Security Center, Tenable's on-premises product, into OpenCTI for enrichment and prioritisation.
Connector type: External import

Tenable Vulnerability Management
Tags: Vulnerability Management
Tenable provides vulnerability management for IT infrastructures, using detailed assessments and analytics to reduce cyber risk. This connector imports vulnerability data from Tenable Vulnerability Management, Tenable's cloud product, into OpenCTI for enrichment and prioritisation.
Connector type: External import

ThreatFox
Tags: Open Source Threat Intel
ThreatFox is a platform from abuse.ch and Spamhaus dedicated to sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and cyber threat intelligence providers.
Connector type: External import

URLhaus
Tags: Open Source Threat Intel
URLhaus is a platform from abuse.ch and Spamhaus dedicated to sharing malicious URLs that are being used for malware distribution.
Connector type: External import

VulnCheck
Tags: Vulnerability Management; Commercial Threat Intel
VulnCheck provides detailed insight into software vulnerabilities to help prioritize and remediate security weaknesses. The connector brings timely vulnerability data into OpenCTI to support patching prioritisation.
Connector type: External import

Zvelo
Tags: Commercial Threat Intel
The Zvelo connector ingests indicators of compromise (IOCs) from Zvelo Cyber Threat Intelligence feeds.
Connector type: External import

AbuseIPDB
Tags: Enrichment & Analysis
AbuseIPDB collects and shares reports of malicious IP addresses to help identify and block abusive activity. The connector imports this data into OpenCTI as real-time context on IP address observables, supporting blocking and monitoring decisions.
Connector type: Internal enrichment

FIRST EPSS
Tags: Vulnerability Management; Enrichment & Analysis
FIRST's Exploit Prediction Scoring System (EPSS) predicts the likelihood of a vulnerability being exploited, helping prioritize vulnerability management. The connector adds EPSS exploit probability scores to vulnerabilities in OpenCTI to support risk-based remediation.
Connector type: Internal enrichment

Google DNS
Tags: Enrichment & Analysis
Google Public DNS is a Google service that provides recursive DNS resolvers to Internet users; this connector queries it to enrich observables with DNS data.
Connector type: Internal enrichment

Hygiene
Tags: Enrichment & Analysis
Proactively reduces false positives in OpenCTI by matching observables against curated allowlists (for example, MISP Warninglists). Matching items get their score lowered and are tagged with a hygiene label, both to avoid reprocessing them and to inform analysts. When the connector is configured with a high max confidence, it can safely override prior scores, so that only actionable indicators flow on to detection and blocking.
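The scoring rule described above, as an added example that is not the Hygiene connector's own code: observables are matched against a few constructed allowlists standing in for MISP Warninglists, a hit lowers the score and adds a hygiene label, items already carrying the label are skipped, and an existing score is only overridden when the connector's confidence is at least that of the last writer (the same rule OpenCTI applies to updates). The allowlist contents, the label name, the replacement score and the confidence values are all assumptions.

```python
"""Hygiene-style allowlist scoring (added example; not the connector's code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed allowlists standing in for MISP Warninglists (assumed contents).
WARNINGLISTS = {
    "rfc1918": {"type": "cidr", "values": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    "google-dns": {"type": "cidr", "values": ["8.8.8.8/32", "8.8.4.4/32"]},
    "top-domains": {"type": "hostname", "values": ["google.com", "microsoft.com"]},
}

HYGIENE_LABEL = "hygiene"   # label marking processed items (assumed name)
HYGIENE_SCORE = 0           # score given to allowlisted items (assumed value)
CONNECTOR_CONFIDENCE = 80   # the connector's "max confidence" (assumed value)


@dataclass
class Observable:
    kind: str                      # "ipv4-addr" or "domain-name"
    value: str
    score: int = 50                # current score in the platform
    confidence: int = 50           # confidence of whoever last set that score
    labels: set = field(default_factory=set)


def _match_cidr(value, cidrs):
    """True if value is an IP address inside any of the CIDR ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _match_hostname(value, hosts):
    """Exact host or a subdomain of it; "notgoogle.com" must not match "google.com"."""
    v = value.lower().rstrip(".")
    return any(v == h or v.endswith("." + h) for h in hosts)


def matching_lists(obs):
    """Names of every warninglist the observable falls into."""
    hits = []
    for name, wl in WARNINGLISTS.items():
        if wl["type"] == "cidr" and obs.kind == "ipv4-addr" and _match_cidr(obs.value, wl["values"]):
            hits.append(name)
        elif wl["type"] == "hostname" and obs.kind == "domain-name" and _match_hostname(obs.value, wl["values"]):
            hits.append(name)
    return hits


def apply_hygiene(obs, connector_confidence=CONNECTOR_CONFIDENCE):
    """Apply the hygiene rule in place and report what was done."""
    if HYGIENE_LABEL in obs.labels:
        return "skipped: already processed"
    hits = matching_lists(obs)
    if not hits:
        return "no match"
    # Always tag, so analysts can see why the item is treated as benign.
    obs.labels.add(HYGIENE_LABEL)
    obs.labels.update(f"{HYGIENE_LABEL}:{h}" for h in hits)
    # Only override the score when the connector outranks the previous writer.
    if connector_confidence < obs.confidence:
        return "labelled only: existing confidence higher"
    obs.score = HYGIENE_SCORE
    obs.confidence = connector_confidence
    return "rescored"


if __name__ == "__main__":
    # Constructed sample observables.
    for o in (Observable("ipv4-addr", "10.1.2.3", score=80),
              Observable("domain-name", "mail.google.com", confidence=90),
              Observable("ipv4-addr", "203.0.113.7")):
        print(o.value, "->", apply_hygiene(o), o.score, sorted(o.labels))
```

The "labelled only" branch is the case to watch when tuning the connector's max confidence: with a low value it can still tag items, but scores set by higher-confidence sources (an analyst, a trusted feed) survive untouched.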
Connector type: Internal enrichment

IPinfo
Tags: Enrichment & Analysis
IPinfo.io provides detailed data on IP ownership, geolocation, and more, helping to understand the origin of network traffic. The connector enriches IP address observables in OpenCTI with this data, improving threat analysis and incident response accuracy.
Connector type: Internal enrichment

Shodan
Tags: Enrichment & Analysis
Shodan is a search engine for internet-connected devices (servers, routers, webcams, and so on). It collects metadata such as open ports, SSL/TLS certificates, and service banners.
Connector type: Internal enrichment

URLScan Enrichment
Tags: Enrichment & Analysis
URLScan is an online service for scanning URLs to analyze and detect potential security threats. Users submit links to be scanned and obtain information about the page's content, loaded external resources, potential threats, and other security details. The connector enables the automatic enrichment and analysis of IP addresses and URLs in OpenCTI.
Connector type: Internal enrichment

VirusTotal Downloader
Tags: Enrichment & Analysis; Malware Analysis
The VirusTotal Downloader connector is an internal enrichment connector that enables automated and manual submission of file hashes (MD5, SHA1, and SHA256) to VirusTotal in order to retrieve the associated file contents. If the file is found in VirusTotal, a new Observable of type Artifact is uploaded.
Connector type: Internal enrichment

VirusTotal
Tags: Enrichment & Analysis; Malware Analysis
VirusTotal aggregates data from antivirus products and scanners to analyze files and URLs, aiding in the quick identification of malicious content. The connector imports analysis results into OpenCTI, enriching threat intelligence for threat confirmation and response.
Connector type: Internal enrichment

VMRay Analyzer
Tags: Malware Analysis
VMRay provides threat analysis and detection by combining its agentless, hypervisor-based sandbox with a real-time reputation engine.
Connector type: Internal enrichment

YARA Scan
Tags: Malware Analysis
This OpenCTI connector enriches Artifact observables by scanning their contents with every YARA Indicator in the system. When a rule matches, the connector creates a relationship between the Artifact and the Indicator.
Connector type: Internal enrichment

Google SecOps SIEM
Tags: SIEM & Analytics
Google SecOps SIEM is a cloud-based security information and event management solution that helps organizations collect, analyze, and respond to security incidents across their networks.

Microsoft Defender Intel
Tags: EDR
Microsoft Defender for Endpoint is an EDR platform that helps enterprise networks detect, prevent, and respond to advanced threats, and supports investigations.

Microsoft Sentinel Intel
Tags: SIEM & Analytics
Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that delivers scalable, cost-efficient security across multicloud and multi-platform environments, with built-in AI, automation, threat intelligence, and a modern data lake architecture. Microsoft Sentinel provides cyberthreat detection, investigation, response, and proactive hunting, with a bird's-eye view across your enterprise.

MISP Intel
Tags: Open Source Threat Intel
Real-time streaming connector that exports OpenCTI containers and their content to MISP events, enabling bidirectional threat intelligence synchronization.

IBM QRadar
Tags: SIEM & Analytics
IBM® QRadar® is a threat detection and response solution designed to help security teams manage and respond to incidents more efficiently. It supports enterprise-scale operations and enables organizations to strengthen their security posture across core technologies.

SentinelOne Intel
Tags: SIEM & Analytics; EDR
The OpenCTI SentinelOne Intelligence connector provides real-time synchronisation of threat intelligence. Using OpenCTI's live stream capabilities, it ensures that Indicators of Compromise (IOCs) are promptly shared with SentinelOne, improving the organisation's ability to detect and respond to threats.

Splunk SOAR Push
Tags: SIEM/SOAR; Incident Response
Real-time push connector that exports OpenCTI incidents as SOAR events and containers as SOAR cases for automated incident response.

Sumo Logic Intel
Tags: SIEM & Analytics
Sumo Logic SIEM is a cloud-native security information and event management system for modern enterprises. It manages security data by automating data ingestion, analysis, and visualization.