OpenCTI Integrations and Data Sources Overview | C3SA

KB-Filigran-003 — OpenCTI Integration and Data Sources

Purpose

This article provides a high-level overview of the types of integrations and data sources supported by OpenCTI, to help customers understand how the platform can consume, enrich, and correlate threat intelligence.

Overview

OpenCTI supports the ingestion and correlation of threat intelligence from multiple sources using a standardized data model. Integrations enable organizations to centralize intelligence from internal and external sources, enrich indicators and entities, and improve analytical context across threat intelligence and security operations.

This article describes categories of integrations and data sources only. It does not describe configuration steps, architecture patterns, or operational workflows.

Integration and Data Source Categories

OpenCTI commonly supports integration with the following categories of data sources:

  • Threat Intelligence Feeds
    Structured threat intelligence feeds providing indicators, reports, and contextual data.

  • Security and Detection Tooling
    Security platforms and tooling that produce indicators, alerts, or telemetry relevant to threat intelligence analysis.

  • Intelligence Sharing Platforms
    Platforms and communities used to exchange threat intelligence within defined trust groups.

  • Internal Intelligence Sources
    Internally generated intelligence, analysis, or observations curated by security or intelligence teams.

Integrations are designed to support correlation and analysis across indicators, threat actors, campaigns, techniques, and observed activity.

Scope

This article provides descriptive information only. It does not include:

  • Configuration or deployment instructions
  • Connector setup or tuning guidance
  • Architecture or data-flow diagrams
  • Automation logic or workflows

Integration implementation, data handling, and operational use are environment-specific and subject to organizational governance, privacy, and security requirements.

Authoritative Documentation

For detailed and current information on supported integrations and connectors, refer to the official Filigran documentation:

  1. https://docs.opencti.io/latest/

Support & Escalation

For advisory, integration, or service-related assistance, submit a support request through this portal.

C3SA Service Context

C3SA supports OpenCTI integrations through advisory and integration guidance services, including:

  • Integration strategy and use-case alignment
  • Architecture and data-handling considerations
  • Governance and intelligence-sharing model guidance

C3SA does not configure, operate, or manage OpenCTI integrations unless explicitly defined in a contractual agreement.

Compliance & Control Alignment (Informative)

This knowledge base article supports organizational awareness, documentation, and operational understanding related to threat intelligence integration and security operations. It may contribute to regulatory and compliance objectives depending on system design, deployment scope, and control implementation.

  • ITSG-33 (Canada – GC / PBMM): PL-2, SA-9, SI-4, AU-2 / AU-6
  • CMMC (United States – DoD): SI.L2-3.14.1, AU.L2-3.3.1, RM.L2-3.11.1, CA.L2-3.12.1
  • ISO/IEC 27001:2022: A.5.1, A.5.19, A.5.23, A.8.16
  • FedRAMP (Moderate / High – Informative): SA-9, SI-4, AU-6, PL-2
  • NIS2 (EU): Article 21(2)(a), (d), (e)
  • DORA (EU – Financial Sector): Articles 6, 8, 28

Important Note

This article does not constitute evidence of compliance, certification, authorization, or accreditation. Compliance outcomes depend on implemented controls, governance processes, and independent assessment results.
