Set Up ReversingLabs Connectors for OpenCTI
Introduction
ReversingLabs connectors for OpenCTI deliver comprehensive, high-precision file reputation and analysis information for submitted files. Results are returned in JSON format, including file reputation data, file analysis results, and anti-virus scanner cross-reference reports. This information enables a detailed threat investigation within your security workflows.
OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed to manage cyber threat intelligence information. It provides organizations with a comprehensive solution for collecting, analyzing, and sharing threat intelligence data in a structured and standardized manner.
OpenCTI offers several key capabilities:
- Centralized Threat Intelligence Management
- TAXII Support
- Containerized Deployment
- Automated Workflows
The implementation described in this document sets up OpenCTI on-premises, integrates it with ReversingLabs products, enables enrichment of observables, and creates automated workflows to improve the efficiency of threat intelligence operations.
Installation
As of the latest update, OpenCTI platform version 6.5.6 is compatible with ReversingLabs connector images at version 6.5.6. Connector images newer than 6.5.6 are not compatible with an older platform, so upgrade the platform to the matching version before running them, and keep the image tag in the connector's compose block the same as your platform version.
- Obtain the connector code. You can fetch any of the ReversingLabs connectors from GitHub using your preferred method (download ZIP, git clone, or sparse checkout).
- Copy the connector configuration block from the docker-compose.yml file in the connector repository. Example - ReversingLabs Malware Presence Connector:

```yaml
version: '3'
services:
  connector-reversinglabs-malware-presence:
    image: opencti/connector-reversinglabs-malware-presence:6.5.9
    environment:
      - CONNECTOR_NAME=ReversingLabs Malware Presence
      - CONNECTOR_SCOPE=StixFile,File,File-sha1,File-sha256,Artifact,IPv4-Addr,IPv6-Addr,Url,Domain-Name
      - CONNECTOR_ID=ChangeMe
      - OPENCTI_TOKEN=ChangeMe
      - OPENCTI_URL=http://opencti:8080
      - CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted).
      - CONNECTOR_LOG_LEVEL=info
      - CONNECTOR_AUTO=true
      - REVERSINGLABS_TITANIUMCLOUD_URL=data.reversinglabs.com
      - REVERSINGLABS_TITANIUMCLOUD_USERNAME=ChangeMe
      - REVERSINGLABS_TITANIUMCLOUD_PASSWORD=ChangeMe
      - REVERSINGLABS_MAX_TLP=TLP:AMBER
      - REVERSINGLABS_CREATE_INDICATORS=true
    restart: always
```

- Next, paste this configuration block into your OpenCTI docker-compose.yml file.
Configure container settings
After the connector container configuration block has been added, replace every placeholder ChangeMe value in its environment variables.
All connectors have two mandatory configuration parameters, CONNECTOR_ID and OPENCTI_TOKEN.
Variable | Description |
---|---|
CONNECTOR_ID | A globally unique ID value (UUIDv4). Each connector instance needs its own. |
OPENCTI_TOKEN | The API token of the OpenCTI user the connector runs as. OpenCTI strongly recommends creating a dedicated user for each connector, so a leaked token can be revoked without affecting other integrations. |
Use your preferred method to create a UUID string. Examples:
Python: import uuid; print(uuid.uuid4())
PowerShell: [guid]::NewGuid().ToString()
The user token can be obtained by navigating to Settings -> Security -> Users, selecting the connector user, and copying the token value.
ReversingLabs Malware Presence Connector
The following variables are specific to the Malware Presence Connector:
Variable | Description |
---|---|
REVERSINGLABS_TITANIUMCLOUD_USERNAME | A valid username for Spectra Intelligence (formerly TitaniumCloud) |
REVERSINGLABS_TITANIUMCLOUD_PASSWORD | A valid password for Spectra Intelligence (formerly TitaniumCloud) |
ReversingLabs Spectra Analyze Connector
The following variables are specific to the Spectra Analyze Connector:
Variable | Description |
---|---|
REVERSINGLABS_SPECTRA_ANALYZE_URL | A valid hostname for a Spectra Analyze (formerly A1000) instance |
REVERSINGLABS_SPECTRA_ANALYZE_TOKEN | A valid API token for a Spectra Analyze (formerly A1000) instance |
ReversingLabs Spectra Intel Submission Connector
The following variables are specific to the Spectra Intel Submission Connector:
Variable | Description |
---|---|
REVERSINGLABS_TITANIUMCLOUD_USERNAME | A valid username for Spectra Intelligence (formerly TitaniumCloud) |
REVERSINGLABS_TITANIUMCLOUD_PASSWORD | A valid password for Spectra Intelligence (formerly TitaniumCloud) |
Ensure that any Spectra Intelligence usernames are in the correct format: u/<user>
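The steps above are easy to get subtly wrong: a ChangeMe left in place, a CONNECTOR_ID that is not a UUIDv4, or a Spectra Intelligence username without the u/ prefix only shows up as a connector that never registers. The following pre-flight checker is an added example (not ReversingLabs or OpenCTI code) that parses the environment entries of a connector compose block using the standard library only, reports those mistakes before the container is started, and can fill in a fresh CONNECTOR_ID. The sample block, the token and password values, and the set of accepted TLP markings (TLP 2.0 names plus the legacy TLP:WHITE) are constructed for the example.

```python
"""Pre-flight checks for a ReversingLabs connector block in docker-compose.yml.

Added example; not ReversingLabs or OpenCTI code. Standard library only, so it
reads the `- KEY=VALUE` environment entries directly instead of needing PyYAML.
"""
import re
import uuid
from urllib.parse import urlparse

# Constructed sample: the Malware Presence block from this page, with the token,
# credentials and username filled in and CONNECTOR_ID left as a placeholder.
SAMPLE_BLOCK = """\
  connector-reversinglabs-malware-presence:
    image: opencti/connector-reversinglabs-malware-presence:6.5.9
    environment:
      - CONNECTOR_NAME=ReversingLabs Malware Presence
      - CONNECTOR_SCOPE=StixFile,File,File-sha1,File-sha256,Artifact,IPv4-Addr,IPv6-Addr,Url,Domain-Name
      - CONNECTOR_ID=ChangeMe
      - OPENCTI_TOKEN=9f1c2b2e-0c3d-4e5f-8a6b-7c8d9e0f1a2b
      - OPENCTI_URL=http://opencti:8080
      - CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted).
      - CONNECTOR_LOG_LEVEL=info
      - CONNECTOR_AUTO=true
      - REVERSINGLABS_TITANIUMCLOUD_URL=data.reversinglabs.com
      - REVERSINGLABS_TITANIUMCLOUD_USERNAME=alice
      - REVERSINGLABS_TITANIUMCLOUD_PASSWORD=example-password
      - REVERSINGLABS_MAX_TLP=TLP:AMBER
      - REVERSINGLABS_CREATE_INDICATORS=true
    restart: always
"""

# Assumption: TLP 2.0 marking names plus the legacy TLP:WHITE still present in OpenCTI.
VALID_TLP = {"TLP:CLEAR", "TLP:WHITE", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"}

# `- KEY=VALUE  # comment`; a '#' only starts a comment when preceded by whitespace (YAML rule),
# so a password containing '#' without a space before it is kept intact.
ENV_LINE = re.compile(r"^\s*-\s*([A-Z0-9_]+)=(.*?)(?:\s+#.*)?\s*$")


def parse_environment(block: str) -> dict:
    """Map variable name -> value for every environment entry in the block."""
    env = {}
    for line in block.splitlines():
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def is_uuid4(value: str) -> bool:
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def check_connector(env: dict) -> list:
    """Return a list of human-readable problems; an empty list means the block is ready."""
    problems = []

    def get(key):
        return env.get(key, "")

    for key, value in env.items():
        if value == "ChangeMe":
            problems.append(f"{key}: placeholder ChangeMe not replaced")
    if get("CONNECTOR_ID") != "ChangeMe" and not is_uuid4(get("CONNECTOR_ID")):
        problems.append("CONNECTOR_ID: must be a UUIDv4")
    if not get("OPENCTI_TOKEN"):
        problems.append("OPENCTI_TOKEN: missing")
    url = urlparse(get("OPENCTI_URL"))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("OPENCTI_URL: expected http(s)://host[:port]")
    if get("REVERSINGLABS_MAX_TLP") not in VALID_TLP:
        problems.append("REVERSINGLABS_MAX_TLP: unknown TLP marking")
    user = get("REVERSINGLABS_TITANIUMCLOUD_USERNAME")
    if user not in ("", "ChangeMe") and not re.fullmatch(r"u/[^/\s]+", user):
        problems.append("REVERSINGLABS_TITANIUMCLOUD_USERNAME: expected the form u/<user>")
    level = get("CONNECTOR_CONFIDENCE_LEVEL")
    if not (level.isdigit() and 0 <= int(level) <= 100):
        problems.append("CONNECTOR_CONFIDENCE_LEVEL: expected an integer from 0 to 100")
    return problems


def fill_connector_id(block: str) -> str:
    """Replace a placeholder CONNECTOR_ID with a freshly generated UUIDv4."""
    return re.sub(r"(CONNECTOR_ID=)ChangeMe\b", lambda m: m.group(1) + str(uuid.uuid4()), block)


if __name__ == "__main__":
    for problem in check_connector(parse_environment(SAMPLE_BLOCK)) or ["no problems found"]:
        print(problem)
```

Run it against the block you pasted into your compose file (read the file and slice out the connector service, or paste the block into SAMPLE_BLOCK) before bringing the stack up with Docker Compose; on the constructed sample it reports the untouched CONNECTOR_ID placeholder and the username missing its u/ prefix.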
Launch the connector
After completing the above, re-launch OpenCTI using Docker Compose so that the new connector container is created and started.
Validate connector status
Next, log in to the OpenCTI UI and verify that the connector has been successfully created and is active.
- From the left main menu, select Data -> Ingestion -> Connectors
- ReversingLabs connectors should be visible in the list and active.
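The same check can be scripted against the OpenCTI GraphQL API, which is useful after every deployment instead of opening the UI. The following is an added example, not OpenCTI's or ReversingLabs' code. It assumes the platform's GraphQL endpoint at <OPENCTI_URL>/graphql accepts an Authorization: Bearer token and that the connectors query exposes the fields name, active, connector_type and connector_scope (confirm the field names against your platform version). Only the first expected connector name comes from this page; the other two are assumed and must match the CONNECTOR_NAME values in your compose file. The sample response is constructed so that the audit runs offline.

```python
"""Verify ReversingLabs connector registration through the OpenCTI GraphQL API.

Added example; not OpenCTI's or ReversingLabs' code. Assumes <OPENCTI_URL>/graphql
accepts `Authorization: Bearer <token>` and that the `connectors` query exposes
`name`, `active`, `connector_type` and `connector_scope`.
"""
import json
import sys
import urllib.request

CONNECTORS_QUERY = """
query ReversingLabsConnectors {
  connectors { id name active connector_type connector_scope }
}
"""

# Names as set by CONNECTOR_NAME in the compose blocks. The first is from this
# page; the other two are assumed and must match your own configuration.
EXPECTED = (
    "ReversingLabs Malware Presence",
    "ReversingLabs Spectra Analyze",
    "ReversingLabs Spectra Intel Submission",
)


def fetch_connectors(opencti_url: str, token: str) -> list:
    """POST the query to the platform and return its connector list (network call)."""
    req = urllib.request.Request(
        opencti_url.rstrip("/") + "/graphql",
        data=json.dumps({"query": CONNECTORS_QUERY}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if body.get("errors"):
        raise RuntimeError(f"GraphQL errors: {body['errors']}")
    return body["data"]["connectors"]


def audit_connectors(connectors: list, expected=EXPECTED) -> dict:
    """Sort the expected connectors into active / inactive / missing buckets.

    `active` is OpenCTI's own flag for a connector that has registered and is
    pinging; a connector whose container is up but crashing on its credentials
    typically shows up as registered but inactive.
    """
    by_name = {c["name"]: c for c in connectors}
    report = {"active": [], "inactive": [], "missing": []}
    for name in expected:
        conn = by_name.get(name)
        if conn is None:
            report["missing"].append(name)
        elif conn.get("active"):
            report["active"].append(name)
        else:
            report["inactive"].append(name)
    return report


# Constructed response standing in for a live platform: one connector healthy,
# one registered but not pinging, and the Spectra Analyze connector never started.
SAMPLE_RESPONSE = {
    "data": {
        "connectors": [
            {"id": "00000000-0000-4000-8000-000000000001", "name": "ReversingLabs Malware Presence",
             "active": True, "connector_type": "INTERNAL_ENRICHMENT",
             "connector_scope": ["StixFile", "Url", "Domain-Name"]},
            {"id": "00000000-0000-4000-8000-000000000002", "name": "ReversingLabs Spectra Intel Submission",
             "active": False, "connector_type": "INTERNAL_ENRICHMENT",
             "connector_scope": ["StixFile", "Artifact"]},
            {"id": "00000000-0000-4000-8000-000000000003", "name": "ImportFileStix",
             "active": True, "connector_type": "INTERNAL_IMPORT_FILE",
             "connector_scope": ["application/json"]},
        ]
    }
}

if __name__ == "__main__":
    # Live use: report = audit_connectors(fetch_connectors("http://opencti:8080", token))
    report = audit_connectors(SAMPLE_RESPONSE["data"]["connectors"])
    for state, names in report.items():
        for name in names:
            print(f"{state:8s} {name}")
    # Non-zero exit when anything is not healthy, so it can gate a deployment pipeline.
    sys.exit(1 if report["inactive"] or report["missing"] else 0)
```

Run it with the token of an OpenCTI user that may list connectors (the platform administrator, or a dedicated read-only user) rather than a connector's own token; an inactive or missing entry points you straight at the container whose logs to read in the next section.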
Troubleshooting
Each connector runs in its own container, so its logs are read from that container rather than from the OpenCTI platform container:
- Find the connector's container ID by running docker container ls
- Show its logs by running docker logs <container_id>