building-ioc-enrichment-pipeline-with-opencti

# Building IOC Enrichment Pipeline with OpenCTI ## Overview OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using OpenCTI's connector ecosystem to enrich indicators with context from VirusTotal, Shodan, AbuseIPDB, GreyNoise, and other sources. The pipeline automatically enriches newly ingested indicators, correlates them with known threat actors and campaigns, and scores them for analyst prioritization. ## When to Use - When deploying or configuring building ioc enrichment pipeline with opencti capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Docker and Docker Compose for OpenCTI deployment - Python 3.9+ with `pycti` library - API keys for enrichment services: VirusTotal, Shodan, AbuseIPDB, GreyNoise - Understanding of STIX 2.1 data model and relationships - ElasticSearch or OpenSearch for OpenCTI backend - RabbitMQ or Redis for connector messaging ## Key Concepts ### OpenCTI Architecture OpenCTI uses a GraphQL API frontend backed by ElasticSearch for storage and Redis/RabbitMQ for connector communication. Data is natively stored as STIX 2.1 objects with relationships. Connectors are categorized as: External Impo...