OpenCTI & HarfangLab: a connector to enrich CTI data and optimize incident response

OpenCTI is a solution used by CTI teams, cyber analysts and many CERTs and SOCs. It's an IOC (Indicator Of Compromise) knowledge base that centralizes CTI data to better understand and structure information on threats and attacker groups.
3 min

All data, alerts, events… from all security tools can be centralized for analysis and contextualization, by comparing them with the IOC databases built up in OpenCTI, notably to contextualize the threat and enrich the security events identified with this information.   

Indeed, collecting all CTI (Cyber Threat Intelligence) data and being able to correlate security events promotes a better understanding of the cyber context to know how to:  

  • protect against attacks,   
  • react to incidents,  
  • take advantage of what has already been put in place in incident response, capitalizing on the knowledge acquired…  

This is a need obviously shared by many organizations, from companies of all sizes to public institutions and partners, and it is one of the reasons why Filigran, publisher of OpenCTI, decided to develop a connector between our two tools. To benefit from the advantages of this connector, you need to have a certain number of assets in place (SOC, governance, resources dedicated to analysis, etc.). 

What can the OpenCTI x HarfangLab connector do? 

In concrete terms, the connector developed by Filigran enables :  

  • integrate OpenCTI IOCs into HarfangLab,   
  • retrieve Security Events and Threats from HarfangLab and integrate them into OpenCTI.   

This integration makes it possible to manage the entire CTI knowledge base in OpenCTI, and to export data to other tools.  

In practice, IOCs are integrated into OpenCTI, and can then be integrated into the EDR, enriching them with the information needed to categorize them, describe them, manage their lifecycle…  

These IOCs can be hash, fullpath (execution of a binary at a given location with details of the complete path), filename (file with a specific name), domain name, IP (in the case of exchanges with a known problematic IP)…  

Also, all IOCs can be configured in HarfangLab in blocking mode (to kill the process) or in alert mode, depending on the policy chosen. 

Want to know more about our connector’s source code? 
It’s available here. 

What are the perks of the OpenCTI x HarfangLab connector? 

Here are 4 major advantages of OpenCTI and HarfangLab integration:   

Enhanced detection capabilities   

The connector enhances HarfangLab’s threat detection, leveraging OpenCTI’s extensive repository of high-quality indicators. This collaboration guarantees access to a complete and varied set of indicators, improving the accuracy of threat identification and reducing the risk of false positives.   

Automation and efficiency 

Filigran’s connector facilitates the automatic, real-time transmission of OpenCTI indicators. This streamlines the detection process, ensuring that critical threat information is quickly communicated and taken into account by the agent’s detection engines, as well as IOCs are automatically added.   

Data-driven incident response 

Alerts, based on Security Events and Threats retrieved by OpenCTI, leverage OpenCTI’s comprehensive threat knowledge base, providing analysts with the context they need to effectively assess threats.   

Analysts also have access to the full range of OpenCTI features, including case management and automation rules, contributing to effective incident response.   

In addition, the Threats available in HarfangLab are also retrieved by OpenCTI, providing analysts with harmonized information between the different tools. 

Integration and usability   

This integration provides a seamless experience of data exchange between OpenCTI and HarfangLab, significantly reducing the manual workload for analysts.   

In short, this collaboration saves security experts precious time, allowing them to focus on more critical tasks! 


How do you investigate effectively on a day-to-day basis?
Why is human analysis still essential?