Internal enrichment for threat intelligence
Enrich your OpenCTI observables with real-time threat intelligence from isMalicious. Automatic risk scoring, threat categorization, and geolocation data for IPs and domains.
Everything you need to protect your infrastructure and users
Enrich IPv4, IPv6 addresses, and domain names with threat intelligence data.
Get a 0-100 risk score based on multi-source threat analysis.
Automatic threat categorization: phishing, malware, C2, botnet, ransomware, spam, scam.
Links to original detection sources and isMalicious detailed reports.
Country location entities with sighting relationships when available.
Easy deployment with Docker and docker-compose. Production-ready container.
How security teams use this tool
Enable auto mode to automatically enrich new observables as they enter OpenCTI.
Manually enrich observables during investigations to get instant threat context.
Use threat labels and risk scores to correlate related malicious infrastructure.
Respect TLP markings: a configurable maximum TLP level stops observables marked above it from ever being sent to the external API.
The isMalicious OpenCTI connector is an internal enrichment connector that automatically adds threat intelligence data to your OpenCTI observables. When an IPv4, IPv6, or domain observable is processed, the connector queries the isMalicious API and enriches the observable with risk scores, threat labels, and external references. This integration is perfect for security teams using OpenCTI as their threat intelligence platform who want to augment their data with real-time reputation information from multiple threat intelligence sources.
Deploy the connector using Docker for production environments. The connector requires your OpenCTI URL and token, plus an isMalicious API key. Key configuration options include:

- OPENCTI_URL: Your OpenCTI platform URL
- OPENCTI_TOKEN: Authentication token for OpenCTI
- ISMALICIOUS_API_KEY: Your isMalicious API key
- CONNECTOR_AUTO: Enable automatic enrichment (true/false)
- ISMALICIOUS_MAX_TLP: Maximum TLP level to process; observables carrying a higher TLP marking are skipped so they are never disclosed to the external service
- ISMALICIOUS_MIN_SCORE: Minimum score threshold for reporting

OPENCTI_TOKEN and ISMALICIOUS_API_KEY are secrets: inject them through environment variables or a secrets store rather than committing them to a compose file or baking them into the image. The connector runs as a standalone service that connects to both OpenCTI and isMalicious, processing enrichment requests in real time.
When an observable is enriched, the connector adds comprehensive threat intelligence data:

- **Risk Score (0-100)**: A confidence-weighted score based on analysis from multiple threat intelligence sources. Higher scores indicate higher risk.
- **Threat Labels**: Automatic categorization including malicious, phishing, malware, command-and-control, botnet, ransomware, spam, and scam labels.
- **External References**: Direct links to the isMalicious report and original detection sources for further investigation.
- **Geographic Data**: When available, country location entities are created with sighting relationships to the observable.

This enrichment data integrates seamlessly with OpenCTI's data model, enabling correlation, analysis, and reporting workflows.
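The two passages above describe the connector's settings and the fields it writes back. The following is an added example, not the isMalicious connector's own code, showing the decision logic such a connector has to get right before and after the API call: validating the settings named on the page, refusing to look up observables whose TLP marking exceeds ISMALICIOUS_MAX_TLP, honouring ISMALICIOUS_MIN_SCORE, and mapping a response into score, labels, external references and country. The TLP ranking, the response layout in SAMPLE_RESPONSE, the reading of MIN_SCORE as "leave the observable untouched", and all function names are assumptions made for the example; nothing here is the real isMalicious API schema or the pycti API.

```python
"""Gating and mapping logic for a reputation-enrichment connector.

Added example, not the connector's own code. Setting names and enrichment
fields are those the page describes; TLP ranking, response layout and
function names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional
from urllib.parse import urlsplit

# Assumed ordering of OpenCTI's TLP markings (CLEAR is TLP 2.0's name for
# WHITE). Higher rank means more sensitive.
TLP_RANK = {
    "TLP:CLEAR": 0, "TLP:WHITE": 0, "TLP:GREEN": 1,
    "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4,
}

# Categories the page lists; "malicious" is always added on a hit.
KNOWN_CATEGORIES = {"phishing", "malware", "command-and-control",
                    "botnet", "ransomware", "spam", "scam"}
CATEGORY_ALIASES = {"c2": "command-and-control"}  # assumed API spelling


@dataclass(frozen=True)
class Config:
    opencti_url: str
    opencti_token: str
    api_key: str
    auto: bool
    max_tlp: str
    min_score: int


def load_config(env: Mapping[str, str]) -> Config:
    """Validate connector settings (pass os.environ in a real deployment)."""
    missing = [k for k in ("OPENCTI_URL", "OPENCTI_TOKEN", "ISMALICIOUS_API_KEY")
               if not env.get(k)]
    if missing:
        raise ValueError("missing required settings: " + ", ".join(missing))
    max_tlp = env.get("ISMALICIOUS_MAX_TLP", "TLP:AMBER").strip().upper()
    if max_tlp not in TLP_RANK:
        raise ValueError(f"ISMALICIOUS_MAX_TLP must be one of {sorted(TLP_RANK)}")
    min_score = int(env.get("ISMALICIOUS_MIN_SCORE", "0"))
    if not 0 <= min_score <= 100:
        raise ValueError("ISMALICIOUS_MIN_SCORE must be within 0-100")
    return Config(
        opencti_url=env["OPENCTI_URL"].rstrip("/"),
        opencti_token=env["OPENCTI_TOKEN"],
        api_key=env["ISMALICIOUS_API_KEY"],
        auto=env.get("CONNECTOR_AUTO", "false").strip().lower() in ("1", "true", "yes"),
        max_tlp=max_tlp,
        min_score=min_score,
    )


def may_query(markings: Iterable[str], max_tlp: str) -> bool:
    """Allow the external lookup only if every TLP marking is at or below max_tlp.

    Sending an observable to a third-party API discloses it, so anything above
    the ceiling is never looked up. Non-TLP markings (e.g. PAP) are ignored;
    an unrecognised TLP value fails closed.
    """
    ceiling = TLP_RANK[max_tlp]
    return all(TLP_RANK.get(m.upper(), ceiling + 1) <= ceiling
               for m in markings if m.upper().startswith("TLP:"))


def _safe_urls(urls: Iterable[str]) -> list:
    """Keep unique http(s) URLs only; API data must not plant other schemes."""
    seen, out = set(), []
    for u in urls:
        if urlsplit(u).scheme in ("http", "https") and u not in seen:
            seen.add(u)
            out.append(u)
    return out


def build_enrichment(response: Mapping, min_score: int) -> Optional[dict]:
    """Map a response to the page's fields; None below the score threshold."""
    score = int(response["score"])
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score < min_score:
        return None  # assumption: below threshold the observable is left untouched
    labels = ["malicious"]
    for raw in response.get("categories", []):
        cat = CATEGORY_ALIASES.get(raw.lower(), raw.lower())
        if cat in KNOWN_CATEGORIES and cat not in labels:  # drop unknown tags
            labels.append(cat)
    refs = _safe_urls([response.get("report_url", "")] + list(response.get("sources", [])))
    return {"score": score, "labels": labels, "external_references": refs,
            "country": response.get("country")}  # country -> Location + sighting


# Constructed sample response for this example, not real isMalicious output.
SAMPLE_RESPONSE = {
    "value": "203.0.113.7",
    "score": 87,
    "categories": ["phishing", "c2", "phishing", "not-a-known-tag"],
    "report_url": "https://example.com/report/203.0.113.7",
    "sources": ["https://example.org/feed/203.0.113.7", "javascript:alert(1)"],
    "country": "NL",
}

if __name__ == "__main__":
    cfg = load_config({"OPENCTI_URL": "http://opencti:8080/", "OPENCTI_TOKEN": "token",
                       "ISMALICIOUS_API_KEY": "key", "ISMALICIOUS_MAX_TLP": "TLP:AMBER",
                       "ISMALICIOUS_MIN_SCORE": "50"})
    if may_query(["TLP:GREEN"], cfg.max_tlp):
        print(build_enrichment(SAMPLE_RESPONSE, cfg.min_score))
    print("TLP:RED looked up?", may_query(["TLP:RED"], cfg.max_tlp))
```

Two design choices carry the security weight: the TLP check fails closed on any marking it does not recognise, and labels and external references are filtered against an allow-list so third-party data cannot create arbitrary labels or non-http(s) links inside the platform.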
Join thousands of security teams using isMalicious to protect their infrastructure.