Integration with OpenCTI

The OpenCTI Connectors for RST Threat Feed and RST Report Hub integrate RST Cloud threat intelligence into OpenCTI. RST Threat Feed connector imports indicators (IP, domain, URL, hash) along with their relationships to malware, tactics, techniques, and procedures (TTPs), tools, threat groups, sectors, CVEs, and other objects. Additionally, RST Report Hub connector imports threat reports from security companies, research groups, cyber communities, and individuals into OpenCTI.

 

OpenCTI Connectors for RST Threat Feed and RST Report Hub

 

Prerequisites  

Requirements:

  • OpenCTI Platform version 5.10.x or higher.
  • An API Key for accessing RST Cloud.

Recommended connectors:

This connector is aligned with data populated by common OpenCTI connectors. We recommend to install the following connectors alongside with RST Report Hub and RST Threat Feed Connectors:

RST Threat Feed

This connector empowers users with an expanded and in-depth insight into the cyber threat landscape by tapping into the detailed threat intelligence delivered by RST Cloud.

This enhances the capability of OpenCTI by providing actionable threat intelligence data, allowing users to make informed decisions based on the latest information from (RST Threat Feed).

Key Features:

  • Lots of contextual information: Indicators come with additional info including threat category, malware name, threat actor names, tools and frameworks, TTPs, CVE, industry tags, reference to the source of the indicator and more.
  • OpenCTI Integration: Seamlessly integrates the fetched data into OpenCTI's database.
  • Customizable Data Ingestion: Users can specify a risk score threshold to control what indicators are being imported and also configure to import only new indicators.
  • Customizable Detection Flag: Users can specify per each indicator type what is the risk score threshold to mark an Indicator as ready for detection (x_opencti_detection=true|false)

This connector empowers users with an expanded and in-depth insight into the cyber threat landscape by tapping into the detailed threat intelligence delivered by RST Cloud.

Configuration:

Configuration of the connector is straightforward. The minimal configuration requires you just enter the RST Cloud API key to be provided and OpenCTI connection settings specified. Below is the full list of parameters you can set:

Parameter Docker envvar Mandatory Description
OpenCTI URL OPENCTI_URL Yes The URL of the OpenCTI platform.
OpenCTI Token OPENCTI_TOKEN Yes The default admin token set in the OpenCTI platform.
Connector ID CONNECTOR_ID Yes A unique UUIDv4 identifier for this connector instance.
Connector Name CONNECTOR_NAME Yes Name of the connector. For example: RST Threat Feed.
Connector Scope CONNECTOR_SCOPE Yes The scope or type of data the connector is importing, either a MIME type or Stix Object. E.g. application/json
Log Level CONNECTOR_LOG_LEVEL Yes Determines the verbosity of the logs. Options are debug, info, warn, or error.
Run and Terminate CONNECTOR_RUN_AND_TERMINATE Yes If set to true, the connector will terminate after a successful run. Useful for debugging or one-time runs.
Update Existing Data CONFIG_UPDATE_EXISTING_DATA Yes Decide whether the connector should update already existing data in the database.
Interval CONFIG_INTERVAL Yes Determines how often the connector will run, set in hours.
RST Threat Feed API Key RST_THREAT_FEED_API_KEY Yes Your API Key for accessing RST Cloud.
RST Threat Feed Base URL RST_THREAT_FEED_BASEURL No By default, use https://api.rstcloud.net/v1/. In some cases, you may want to use a local API endpoint
RST Threat Feed Connection Timeout RST_THREAT_FEED_CONTIMEOUT No Connection timeout to the API. Default (sec): 30
RST Threat Feed Read Timeout RST_THREAT_FEED_READTIMEOUT No Read timeout for each feed. Our API redirects the connector to download data from AWS S3. If the connector is unable to fetch the feed in time, increase the read timeout. Default (sec): 60
RST Threat Feed Download Retry Count RST_THREAT_FEED_RETRY No Default (attempts): 5
RST Threat Feed Fetch Interval RST_THREAT_FEED_INTERVAL No Default (sec): 86400
RST Threat Feed Minimal Score to Import RST_THREAT_FEED_MIN_SCORE_IMPORT No Import only indicators with risk score more than X. The objects that are related to these indicators will also be imported with corresponding relations. Default (score): 20
RST Threat Feed Minimal Score for IP to be marked for Detection RST_THREAT_FEED_MIN_SCORE_DETECTION_IP No Indicators with risk score more than X are marked with x_opencti_detection=true. Default (score): 50
RST Threat Feed Minimal Score for Domain to be marked for Detection RST_THREAT_FEED_MIN_SCORE_DETECTION_DOMAIN No Indicators with risk score more than X are marked with x_opencti_detection=true. Default (score): 45
RST Threat Feed Minimal Score for URL to be marked for Detection RST_THREAT_FEED_MIN_SCORE_DETECTION_URL No Indicators with risk score more than X are marked with x_opencti_detection=true. Default (score): 30
RST Threat Feed Minimal Score for Hash to be marked for Detection RST_THREAT_FEED_MIN_SCORE_DETECTION_HASH No Indicators with risk score more than X are marked with x_opencti_detection=true. Default (score): 25
RST Threat Feed Import only New Indicators RST_THREAT_FEED_ONLY_NEW No Defines if you only want to import indicators with recent "First Seen" or also want to re-import changes to the indicators with "First Seen" < yesterday. If set to False, there will be a big queue as we provide a lot of information. It is recommended to import with False once to get more data and observe performance. Then switch to True if you system is not ready to process all data we provide. Default: True
RST Threat Feed Temp Dir Path inside the container RST_THREAT_FEED_DIRS_TMP No Maybe used for troubleshooting. Default: /tmp
RST Threat Feed State Dir Path inside the container RST_THREAT_FEED_DIRS_STATE No Maybe used for troubleshooting. Default: /tmp

The latest RST Threat Feed connector is provided in the OpenCTI-Platform GitHub repository.

For integration instructions, please refer to the official documentation https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/rst-threat-feed/

RST Report Hub

RST Report Hub manages the conversion of human-readable reports into STIX bundles. This connector retrieves data from RST Cloud, importing the PDF version of each report along with a corresponding summary, key ideas, and facts into OpenCTI. It also includes extracted objects and relationships between them, such as Intrusion Sets (threat actors), campaigns, malware, TTPs, tools, geographic data, sectors, CVEs, indicators, and other relevant objects.

This integration enhances the capabilities of OpenCTI by providing valuable threat intelligence data, enabling CTI analysts to streamline APT report processing through automation via the RST Report Hub integration, ultimately saving time.

Key Features:

  • Brilliant Time Saver: Manual import of threat reports is a time consuming activity that does not need to happen anymore.
  • Threat Report Library: Keep all APT reports and their metadata, extracted objects in one place.
  • OpenCTI Integration: Seamlessly integrates the fetched data into OpenCTI's database.

This connector provides users with an enhanced and comprehensive understanding of the cybersecurity threat landscape by leveraging the detailed threat intelligence provided by RST Cloud.

Configuration:

Configuration of the connector is straightforward. The minimal configuration requires you just enter the RST Cloud API key to be provided and OpenCTI connection settings specified. Below is the full list of parameters you can set:

Parameter Docker envvar Mandatory Description
OpenCTI URL OPENCTI_URL Yes The URL of the OpenCTI platform.
OpenCTI Token OPENCTI_TOKEN Yes The default admin token set in the OpenCTI platform.
Connector ID CONNECTOR_ID Yes A unique UUIDv4 identifier for this connector instance.
Connector Name CONNECTOR_NAME Yes Name of the connector. For example: RST Report Hub.
Connector Scope CONNECTOR_SCOPE Yes The scope or type of data the connector is importing, either a MIME type or Stix Object. E.g. application/json
Confidence Level CONNECTOR_CONFIDENCE_LEVEL Yes The default confidence level for created sightings. It's a number between 1 and 100, with 100 being the most confident.
Log Level CONNECTOR_LOG_LEVEL Yes Determines the verbosity of the logs. Options are debug, info, warn, or error.
Run and Terminate CONNECTOR_RUN_AND_TERMINATE Yes If set to true, the connector will terminate after a successful run. Useful for debugging or one-time runs.
Update Existing Data CONFIG_UPDATE_EXISTING_DATA Yes Decide whether the connector should update already existing data in the database.
Interval CONFIG_INTERVAL Yes Determines how often the connector will run, set in hours.
RST Report Hub API Key RST_REPORT_HUB_API_KEY Yes Your API Key for accessing RST Cloud.
RST Report Hub Base URL RST_REPORT_HUB_BASE_URL No By default, use https://api.rstcloud.net/v1/. In some cases, you may want to use a local API endpoint
RST Report Hub Connection Timeout RST_REPORT_HUB_CONNECTION_TIMEOUT No Connection timeout to the API. Default (sec): 30
RST Report Hub Read Timeout RST_REPORT_HUB_READ_TIMEOUT No Read timeout for each feed. If the connector is unable to fetch a report in time, increase the read timeout. Default (sec): 60
RST Report Hub Read Timeout RST_REPORT_HUB_RETRY_DELAY No Specifies how long to wait in seconds before next attempt to connect to the API. Default (sec): 30
RST Report Hub Download Retry Count RST_REPORT_HUB_RETRY_ATTEMPTS No Default (attempts): 5
RST Report Hub Fetch Interval RST_REPORT_HUB_FETCH_INTERVAL No Default (sec): 300
RST Report Hub Minimal Score to Import RST_REPORT_HUB_IMPORT_START_DATE No Specify the date from which you want to retrieve the reports. Data import for each day will occur with a delay equal to the RST_REPORT_HUB_FETCH_INTERVAL. By default, this start date is calculated as 7 days ago.
RST Report Hub Minimal Score for IP to be marked for Detection RST_REPORT_HUB_LANGUAGE No Reach out to support@rstcloud.net if you want to update thids parameter. Default: eng

The latest RST Report Hub connector is provided in the OpenCTI-Platform GitHub repository.

For integration instructions, please refer to the official documentation.