Version: v1.4.0

OpenCTI Plugin

OpenCTI connector which enriches your knowledge by using CrowdSec's CTI API. It enriches knowledge about every incoming IP in OpenCTI by looking it up in CrowdSec CTI.


Manual activation

To launch the connector manually, install Python 3 and pip3 for the dependencies:

$ apt install python3 python3-pip

Download the release of the connectors:

$ wget <{RELEASE_VERSION}.zip>
$ unzip {RELEASE_VERSION}.zip
$ cd connectors-{RELEASE_VERSION}/internal-enrichment/crowdsec

Install dependencies and initialize the configuration:

$ pip3 install -r requirements.txt
$ cp config.yml.sample config.yml

The config.yml initially contains the following contents.

opencti:
  url: 'http://localhost:8080'
  token: ChangeMe

connector:
  id: ChangeMe
  name: 'CrowdSec'
  scope: 'IPv4-Addr' # MIME type or SCO
  confidence_level: 80 # From 0 (Unknown) to 100 (Fully trusted)
  log_level: 'info'
  auto: true

crowdsec:
  key: ChangeMe
  api_version: v2
  name: CrowdSec
  description: CrowdSec CTI
  max_tlp: 'TLP:AMBER'

Replace opencti.token with your OpenCTI token. Replace with an ID of your choice. Replace crowdsec.key with your CrowdSec CTI API key. See instructions about obtaining it.
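Before starting the connector, a pre-flight check can confirm that no ChangeMe placeholder remains, that config.yml is not readable by other local users, and that opencti.url does not send the token over plaintext HTTP to a remote host. This is an added example, not part of the connector: it assumes the opencti / connector / crowdsec section layout and uses a minimal parser for that layout instead of a YAML library.

```python
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Keys the page says to replace; "connector" as the section holding id is an assumption.
REQUIRED = [("opencti", "token"), ("connector", "id"), ("crowdsec", "key")]
# Constructed sample: the shipped defaults, trimmed to the keys checked here.
SAMPLE = ("opencti:\n  url: 'http://localhost:8080'\n  token: ChangeMe\n"
          "connector:\n  id: ChangeMe\ncrowdsec:\n  key: ChangeMe\n")

def parse_two_level(text):
    """Parse the 'section: / indented key: value' layout only; not general YAML."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line:
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():
            section = cfg.setdefault(key, {})  # unindented line opens a section
        elif section is not None:
            section[key] = value.strip().strip("'\"")
    return cfg

def check_config(path):
    """Return a list of findings; empty means every check passed."""
    findings = []
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:o}: other local users can read the token and API key")
    cfg = parse_two_level(Path(path).read_text(encoding="utf-8"))
    for sec, key in REQUIRED:
        if cfg.get(sec, {}).get(key, "") in ("", "ChangeMe"):
            findings.append(f"{sec}.{key} is unset or still ChangeMe")
    url = urlparse(cfg.get("opencti", {}).get("url", ""))
    if url.scheme != "https" and url.hostname not in ("localhost", "127.0.0.1", "::1"):
        findings.append("opencti.url is not HTTPS and not loopback: token sent in clear")
    return findings

def demo(text=SAMPLE, mode=0o644):
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "config.yml")
        path.write_text(text, encoding="utf-8")
        path.chmod(mode)
        return check_config(path)

if __name__ == "__main__":
    print("\n".join(demo()) or "config.yml checks passed")
```

To check a real file, call check_config("config.yml") from the connector directory; chmod 600 config.yml clears the file-mode finding.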

Finally, run the connector:

$ python3


Make sure the CrowdSec connector is registered by navigating to http://<opencti_host>/dashboard/data/connectors

Whenever an IP object is imported into your OpenCTI instance, it is automatically enriched with CrowdSec knowledge.

OpenCTI enriched