Internal enrichment for threat intelligence
Enrich your OpenCTI observables with real-time threat intelligence from isMalicious. Automatic risk scoring, threat categorization, and geolocation data for IPs and domains.
Everything you need to protect your infrastructure and users
Enrich IPv4, IPv6 addresses, and domain names with threat intelligence data.
Get a 0-100 risk score based on multi-source threat analysis.
Automatic threat categorization: phishing, malware, C2, botnet, ransomware, spam, scam.
Links to original detection sources and isMalicious detailed reports.
Country location entities with sighting relationships when available.
Easy deployment with Docker and docker-compose. Production-ready container.
How security teams use this tool
Enable auto mode to automatically enrich new observables as they enter OpenCTI.
Manually enrich observables during investigations to get instant threat context.
Use threat labels and risk scores to correlate related malicious infrastructure.
Respect TLP markings with configurable maximum TLP level for enrichment.
The isMalicious OpenCTI connector is an internal enrichment connector that automatically adds threat intelligence data to your OpenCTI observables. When an IPv4, IPv6, or domain observable is processed, the connector queries the isMalicious API and enriches the observable with risk scores, threat labels, and external references. This integration is perfect for security teams using OpenCTI as their threat intelligence platform who want to augment their data with real-time reputation information from multiple threat intelligence sources.
When an observable is enriched, the connector adds comprehensive threat intelligence data: **Risk Score (0-100)**: A confidence-weighted score based on analysis from multiple threat intelligence sources. Higher scores indicate higher risk. **Threat Labels**: Automatic categorization including malicious, phishing, malware, command-and-control, botnet, ransomware, spam, and scam labels. **External References**: Direct links to the isMalicious report and original detection sources for further investigation. **Geographic Data**: When available, country location entities are created with sighting relationships to the observable. This enrichment data integrates seamlessly with OpenCTI's data model, enabling correlation, analysis, and reporting workflows.
Deploy the connector using Docker for production environments. The official image is available on Docker Hub at opencti/connector-ismalicious.
# Pull from Docker Hub docker pull opencti/connector-ismalicious:latest # Or using docker-compose docker compose up -d
The connector requires your OpenCTI URL and token, plus an isMalicious API key. You can fine-tune enrichment behavior with the following environment variables:
| Parameter | Docker envvar | Mandatory | Description |
|---|---|---|---|
| OpenCTI URL | OPENCTI_URL | Yes | The URL of the OpenCTI platform |
| OpenCTI Token | OPENCTI_TOKEN | Yes | The token of the OpenCTI user |
| API Key | ISMALICIOUS_API_KEY | Yes | Your isMalicious API key |
| Auto Mode | CONNECTOR_AUTO | No | Enable automatic enrichment (default: false) |
| Max TLP | ISMALICIOUS_MAX_TLP | No | Max TLP to process (default: TLP:AMBER) |
| Min Score | ISMALICIOUS_MIN_SCORE | No | Minimum risk score to report (default: 0) |
Join thousands of security teams using isMalicious to protect their infrastructure.