Background:

I have recently been working on threat-intelligence tooling, which involves a lot of crawling, storage and unified presentation. The product my team and I built still has some weaknesses in scheduling and centralised management.

So I went looking for good reference projects to learn from and feed ideas back into our product. After a wide search it turned out that most overseas companies and independent shops use OpenCTI. Having read through the introduction and looked at its maturity, the project seems solid: both the hot-pluggable connector design and the ongoing community maintenance are quite mature.

So let's get hands-on with it.

First, a screenshot of the result:

Preparation:

1. Project documentation: [https://docs.opencti.io/latest/](https://docs.opencti.io/latest/)
2. Project repository: [https://github.com/OpenCTI-Platform](https://github.com/OpenCTI-Platform)
3. A tool for generating random UUIDs: [https://www.uuidgenerator.net/version4](https://www.uuidgenerator.net/version4)

Skimming the documentation first, there are several ways to install it: Docker, manual, and cloud.

The project is fairly large, though, and the hardware requirements for the host are quite high.

At least 16 GB of RAM and 300 GB of disk, roughly.

I went with a Tencent Cloud Lighthouse (lightweight) server; once I have finished experimenting I plan to install it on my NAS (I'll write that up later).

Enough talk, let's start.

Installing the platform:

Install Docker and docker-compose

Just use a one-shot script:

```bash
#!/bin/bash
set -euo pipefail   # stop at the first failing command instead of continuing blindly

# Refresh the package index
sudo apt-get update

# Install the packages Docker's apt repository depends on
sudo apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

# Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# Set up the stable Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Refresh the package index again, now including Docker's repository
sudo apt-get update

# Install the latest Docker CE, the Docker CE CLI and containerd
sudo apt-get install -y docker-ce docker-ce-cli containerd.io

# Verify that Docker was installed correctly
sudo docker run hello-world

# Install Docker Compose
# First, download the latest release of the standalone docker-compose binary
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

# Make docker-compose executable
sudo chmod +x /usr/local/bin/docker-compose

# Verify that docker-compose was installed correctly
docker-compose --version

echo "Docker and Docker Compose have been installed successfully."
```

Before running this script, make sure you have sufficient privileges (sudo will probably be needed) and that your system supports these commands. The script also does not remove older versions of Docker and Docker Compose; if you need that, uninstall them manually.

To use the script:

  1. Save the code above to a file, e.g. install_docker_compose.sh
  2. Make the file executable: chmod +x install_docker_compose.sh
  3. Run it: sudo ./install_docker_compose.sh

Remember to read and understand the commands in any script before running it, to make sure they are safe for your system.

Downloading the installation files

Clone the git project locally:

```bash
mkdir -p /home/opencti
cd /home/opencti            # without this the clone would land in the current directory
git clone https://github.com/OpenCTI-Platform/docker.git
cd docker
```

Elasticsearch is demanding on memory, so the kernel's mmap limit has to be raised:

```bash
echo "vm.max_map_count=1048575" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p   # apply the new value without rebooting
```

Editing the configuration and environment variables

![img.png](开源威胁情报项目OpenCTI安装及排坑/img.png) This is what the official documentation shows.

My configuration is as follows.

Generate your own UUIDs first.

```ini
OPENCTI_ADMIN_EMAIL=admin@opencti.io # must be an e-mail address, otherwise the platform errors out
OPENCTI_ADMIN_PASSWORD=<your password>
OPENCTI_ADMIN_TOKEN=************ # your token goes here, use
OPENCTI_BASE_URL=http://0.0.0.0:8080
MINIO_ROOT_USER=******5-a3c5-2ebb2f7a4f56
MINIO_ROOT_PASSWORD=*********-b72e-0a6ebc8b3daa
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=******-926e-e01ce1a43fb1
CONNECTOR_EXPORT_FILE_STIX_ID=*********6f7-b9f6-d8d113446fe7
CONNECTOR_EXPORT_FILE_CSV_ID=***********-a61b-991a4d2929ef
CONNECTOR_IMPORT_FILE_STIX_ID=***********9eba-98252de156bc
CONNECTOR_EXPORT_FILE_TXT_ID=***********-b171-c9ec67049655
CONNECTOR_IMPORT_DOCUMENT_ID=***********cf-b05e-4a72fcc80289
CONNECTOR_ANALYSIS_ID=***********78-b754-fabfd21d5985
CONNECTOR_ALIENVAULT_ID=***********-4c2a-ad7d-f1edecc70ca3
CONNECTOR_RANSOMWARE_ID=***********4-a0ff-4fe2b1f2576a
CONNECTOR_CISAKEV_ID=***********5-8ffc-205d43209ac6
OPENCTI_HEALTHCHECK_ACCESS_KEY=***********a-4e03-b79a-39771628259d
SMTP_HOSTNAME=localhost
```

Pay special attention here: OPENCTI_HEALTHCHECK_ACCESS_KEY must never be empty. Otherwise the container's health check fails and the connectors cannot connect.

Starting the project

```bash
docker-compose up -d
```

If you run into errors, remove the containers and rebuild:

```bash
docker-compose down
docker-compose up -d
```

Adding data and connectors

From the project introduction we saw that the platform itself is only a presentation layer.

Out of the box it holds no data.

So external data has to be brought in:

https://filigran.notion.site/OpenCTI-Ecosystem-868329e9fb734fca89692b2ed6087e76

https://github.com/OpenCTI-Platform/connectors/tree/master/external-import

The available connectors can be browsed directly in the official community listing.

They are essentially crawler probes.

Here are a few examples:

```yaml
services:
  redis:
    image: redis:7.4.0
    restart: always
    volumes:
      - redisdata:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.2
    volumes:
      - esdata:/usr/share/elasticsearch/data
    environment:
      # Comment-out the line below for a cluster of multiple nodes
      - discovery.type=single-node
      # Uncomment the line below for a cluster of multiple nodes
      # - cluster.name=docker-cluster
      - xpack.ml.enabled=false
      - xpack.security.enabled=false
      - thread_pool.search.queue_size=5000
      - logger.org.elasticsearch.discovery="ERROR"
      - "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    healthcheck:
      test: curl -s http://elasticsearch:9200 >/dev/null || exit 1
      interval: 30s
      timeout: 10s
      retries: 50
  minio:
    image: minio/minio:RELEASE.2024-05-28T17-19-04Z # Use "minio/minio:RELEASE.2024-05-28T17-19-04Z-cpuv1" to troubleshoot compatibility issues with CPU
    volumes:
      - s3data:/data
    ports:
      - "9000:9000"
    environment:
      MINIO_ROOT_USER: ${MINIO_ROOT_USER}
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
    command: server /data
    restart: always
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 10s
      timeout: 5s
      retries: 3
  rabbitmq:
    image: rabbitmq:3.13-management
    environment:
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
      - RABBITMQ_NODENAME=rabbit01@localhost
    volumes:
      - amqpdata:/var/lib/rabbitmq
    restart: always
    healthcheck:
      test: rabbitmq-diagnostics -q ping
      interval: 30s
      timeout: 30s
      retries: 3
  opencti:
    image: opencti/platform:6.3.5
    environment:
      - NODE_OPTIONS=--max-old-space-size=8096
      - APP__PORT=8080
      - APP__BASE_URL=${OPENCTI_BASE_URL}
      - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
      - APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
      - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
      - APP__APP_LOGS__LOGS_LEVEL=error
      - REDIS__HOSTNAME=redis
      - REDIS__PORT=6379
      - ELASTICSEARCH__URL=http://elasticsearch:9200
      - MINIO__ENDPOINT=minio
      - MINIO__PORT=9000
      - MINIO__USE_SSL=false
      - MINIO__ACCESS_KEY=${MINIO_ROOT_USER}
      - MINIO__SECRET_KEY=${MINIO_ROOT_PASSWORD}
      - RABBITMQ__HOSTNAME=rabbitmq
      - RABBITMQ__PORT=5672
      - RABBITMQ__PORT_MANAGEMENT=15672
      - RABBITMQ__MANAGEMENT_SSL=false
      - RABBITMQ__USERNAME=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ__PASSWORD=${RABBITMQ_DEFAULT_PASS}
      - SMTP__HOSTNAME=${SMTP_HOSTNAME}
      - SMTP__PORT=25
      - PROVIDERS__LOCAL__STRATEGY=LocalStrategy
      - APP__HEALTH_ACCESS_KEY=${OPENCTI_HEALTHCHECK_ACCESS_KEY}
    ports:
      - "8080:8080"
    depends_on:
      redis:
        condition: service_healthy
      elasticsearch:
        condition: service_healthy
      minio:
        condition: service_healthy
      rabbitmq:
        condition: service_healthy
    restart: always
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://xx.xx.xx.xx:8080/health?health_access_key=${OPENCTI_HEALTHCHECK_ACCESS_KEY}"]
      interval: 10s
      timeout: 5s
      retries: 20
  worker:
    image: opencti/worker:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - WORKER_LOG_LEVEL=info
    depends_on:
      opencti:
        condition: service_healthy
    deploy:
      mode: replicated
      replicas: 6
    restart: always
  connector-export-file-stix:
    image: opencti/connector-export-file-stix:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_STIX_ID} # Valid UUIDv4
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileStix2
      - CONNECTOR_SCOPE=application/json
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-export-file-csv:
    image: opencti/connector-export-file-csv:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_CSV_ID} # Valid UUIDv4
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileCsv
      - CONNECTOR_SCOPE=text/csv
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-export-file-txt:
    image: opencti/connector-export-file-txt:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_TXT_ID} # Valid UUIDv4
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileTxt
      - CONNECTOR_SCOPE=text/plain
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-import-file-stix:
    image: opencti/connector-import-file-stix:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_IMPORT_FILE_STIX_ID} # Valid UUIDv4
      - CONNECTOR_TYPE=INTERNAL_IMPORT_FILE
      - CONNECTOR_NAME=ImportFileStix
      - CONNECTOR_VALIDATE_BEFORE_IMPORT=true # Validate any bundle before import
      - CONNECTOR_SCOPE=application/json,text/xml
      - CONNECTOR_AUTO=true # Enable/disable auto-import of file
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-import-document:
    image: opencti/connector-import-document:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_IMPORT_DOCUMENT_ID} # Valid UUIDv4
      - CONNECTOR_TYPE=INTERNAL_IMPORT_FILE
      - CONNECTOR_NAME=ImportDocument
      - CONNECTOR_VALIDATE_BEFORE_IMPORT=true # Validate any bundle before import
      - CONNECTOR_SCOPE=application/pdf,text/plain,text/html
      - CONNECTOR_AUTO=true # Enable/disable auto-import of file
      - CONNECTOR_ONLY_CONTEXTUAL=false # Only extract data related to an entity (a report, a threat actor, etc.)
      - CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=info
      - IMPORT_DOCUMENT_CREATE_INDICATOR=true
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-analysis:
    image: opencti/connector-import-document:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_ANALYSIS_ID} # Valid UUIDv4
      - CONNECTOR_TYPE=INTERNAL_ANALYSIS
      - CONNECTOR_NAME=ImportDocumentAnalysis
      - CONNECTOR_VALIDATE_BEFORE_IMPORT=false # Validate any bundle before import
      - CONNECTOR_SCOPE=application/pdf,text/plain,text/html
      - CONNECTOR_AUTO=true # Enable/disable auto-import of file
      - CONNECTOR_ONLY_CONTEXTUAL=false # Only extract data related to an entity (a report, a threat actor, etc.)
      - CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-cisa-known-exploited-vulnerabilities:
    image: opencti/connector-cisa-known-exploited-vulnerabilities:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=${CONNECTOR_CISAKEV_ID} # Valid UUIDv4 token
      - "CONNECTOR_NAME=CISA Known Exploited Vulnerabilities"
      - CONNECTOR_SCOPE=cisa
      - CONNECTOR_RUN_AND_TERMINATE=false
      - CONNECTOR_LOG_LEVEL=info # listed only once: a duplicated key would silently keep the last value
      - CONNECTOR_DURATION_PERIOD=P2D
      - CISA_CATALOG_URL=https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
      - CISA_CREATE_INFRASTRUCTURES=false
      - CISA_TLP=TLP:CLEAR
      - OPENCTI_JSON_LOGGING=true # Enable / disable JSON logging
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-alienvault:
    image: opencti/connector-alienvault:6.3.5 # the version must match the OpenCTI version you installed
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_ALIENVAULT_ID} # any UUIDv4 you generate yourself
      - CONNECTOR_TYPE=EXTERNAL_IMPORT
      - CONNECTOR_NAME=AlienVault
      - CONNECTOR_SCOPE=alienvault
      - CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_UPDATE_EXISTING_DATA=false
      - CONNECTOR_LOG_LEVEL=info
      - ALIENVAULT_BASE_URL=https://otx.alienvault.com
      - ALIENVAULT_API_KEY=*****62aac301394ac5c91202b0b408c # ====> the API key generated after registering on AlienVault <====
      - ALIENVAULT_CREATE_OBSERVABLES=true
      - ALIENVAULT_CREATE_INDICATORS=true
      - ALIENVAULT_PULSE_START_TIMESTAMP=2020-05-01T00:00:00 # BEWARE! Could be a lot of pulses!
      - ALIENVAULT_REPORT_TYPE=threat-report
      - ALIENVAULT_REPORT_STATUS=New
      - ALIENVAULT_GUESS_MALWARE=false # Use tags to guess malware.
      - ALIENVAULT_GUESS_CVE=false # Use tags to guess CVE.
      - ALIENVAULT_EXCLUDED_PULSE_INDICATOR_TYPES=FileHash-MD5,FileHash-SHA1 # Excluded Pulse indicator types.
      - ALIENVAULT_ENABLE_RELATIONSHIPS=true # Enable/Disable relationship creation between SDOs.
      - ALIENVAULT_ENABLE_ATTACK_PATTERNS_INDICATES=true # Enable/Disable "indicates" relationships between indicators and attack patterns
      - ALIENVAULT_INTERVAL_SEC=3600 # how often data is pulled, in seconds
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-ransomware:
    image: opencti/connector-ransomwarelive:6.3.5
    container_name: ransomware-connector
    environment:
      # Connector's definition parameters:
      - CONNECTOR_NAME=Ransomware Connector
      - CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report
      # Connector's generic execution parameters:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=${CONNECTOR_RANSOMWARE_ID} # Valid UUIDv4 token
      - CONNECTOR_CONFIDENCE_LEVEL=100 # From 0 (Unknown) to 100 (Fully trusted).
      - CONNECTOR_LOG_LEVEL=info # Log level: debug, info, warn, error
      - CONNECTOR_UPDATE_EXISTING_DATA=false
      - CONNECTOR_PULL_HISTORY=true # If true, the connector will pull the history of the data. Not recommended, as there will be a large influx of data.
      - CONNECTOR_HISTORY_START_YEAR=2024 # Data only goes back to 2020
      - CONNECTOR_RUN_EVERY=5m # 10 minutes will be the ideal time
      # Connector's custom execution parameters:
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
  connector-cve:
    image: opencti/connector-cve:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************448-d7274d2b99a2 # Valid UUIDv4 token
      - CONNECTOR_NAME=Common Vulnerabilities and Exposures
      - CONNECTOR_SCOPE=identity,vulnerability
      - CONNECTOR_RUN_AND_TERMINATE=false
      - CONNECTOR_LOG_LEVEL=error
      - CVE_BASE_URL=https://services.nvd.nist.gov/rest/json/cves/2.0
      - CVE_API_KEY=*************-7377bb49fcad # Required, your own NVD API key (redacted)
      - CVE_INTERVAL=2 # Required, in hours, advised minimum 2
      - CVE_MAX_DATE_RANGE=120 # In days, max 120
      - CVE_MAINTAIN_DATA=true # Required, retrieve only updated data
      - CVE_PULL_HISTORY=false # If true, CVE_HISTORY_START_YEAR is required
      - CVE_HISTORY_START_YEAR=2019 # Required if pull_history is True, min 2019 (see documentation CVE and CVSS base score V3.1)
    restart: always
  connector-redflag-domains:
    image: opencti/connector-red-flag-domains:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************9-8ab7-1e7e550a9282
      - "CONNECTOR_NAME=Red Flag Domains"
      - CONNECTOR_SCOPE=red-flag-domains
      - CONNECTOR_CONFIDENCE_LEVEL=70
      - UPDATE_EXISTING_DATA=true
      - CONNECTOR_LOG_LEVEL=info
      - REDFLAGDOMAINS_URL=https://dl.red.flag.domains/daily/
    restart: always
  connector-urlscan:
    image: opencti/connector-urlscan:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************5b7-bcc8-7fcccfd7be8d
      - CONNECTOR_NAME=Urlscan
      - CONNECTOR_SCOPE=urlscan
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_CONFIDENCE_LEVEL=40 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_CREATE_INDICATORS=true
      - CONNECTOR_TLP=white
      - CONNECTOR_LABELS=Phishing,Phishfeed
      - CONNECTOR_INTERVAL=86400 # seconds, 1d
      - CONNECTOR_LOOKBACK=3 # days
      - URLSCAN_URL=https://urlscan.io/api/v1/pro/phishfeed?format=json
      - URLSCAN_API_KEY=*************-5563178dc781 # your own urlscan.io API key (redacted)
      - URLSCAN_DEFAULT_X_OPENCTI_SCORE=50
    restart: always
  connector-tweetfeed:
    image: opencti/connector-tweetfeed:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************b417-d5608d8fb407
      - CONNECTOR_NAME=Tweetfeed
      - CONNECTOR_SCOPE=tweetfeed
      - CONNECTOR_CONFIDENCE_LEVEL=15
      - CONNECTOR_LOG_LEVEL=error
      - TWEETFEED_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
      - TWEETFEED_CREATE_INDICATORS=true
      - TWEETFEED_CREATE_OBSERVABLES=true
      - TWEETFEED_INTERVAL=1
      - TWEETFEED_UPDATE_EXISTING_DATA=true
      - "TWEETFEED_ORG_DESCRIPTION=Tweetfeed, a connector to import IOC from Twitter."
      - TWEETFEED_ORG_NAME=Tweetfeed
      - TWEETFEED_DAYS_BACK_IN_TIME=30 # Number of days to retrieve data back in time
    restart: always
  connector-vxvault:
    image: opencti/connector-vxvault:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************8bcd-e65b8daccd2b
      - "CONNECTOR_NAME=VX Vault URL list"
      - CONNECTOR_SCOPE=vxvault
      - CONNECTOR_LOG_LEVEL=error
      - VXVAULT_URL=https://vxvault.net/URL_List.php
      - VXVAULT_CREATE_INDICATORS=true
      - VXVAULT_INTERVAL=3 # In days, must be strictly greater than 1
      - VXVAULT_SSL_VERIFY=False
    restart: always
  connector-urlhaus-recent-payloads:
    image: opencti/connector-urlhaus-recent-payloads:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************a943-b27220d0e1a1
      - "CONNECTOR_NAME=URLhaus Recent Payloads"
      - CONNECTOR_CONFIDENCE_LEVEL=50 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=error
      - URLHAUS_RECENT_PAYLOADS_API_URL=https://urlhaus-api.abuse.ch/v1/
      - URLHAUS_RECENT_PAYLOADS_COOLDOWN_SECONDS=300 # Time to wait in seconds between subsequent requests
      - URLHAUS_RECENT_PAYLOADS_INCLUDE_FILETYPES=exe,dll,docm,docx,doc,xls,xlsx,xlsm,js,xll # (Optional) Only download files if any tag matches. (Comma separated)
      - URLHAUS_RECENT_PAYLOADS_INCLUDE_SIGNATURES= # (Optional) Only download files matching these Yara rules. (Comma separated)
      - URLHAUS_RECENT_PAYLOADS_SKIP_UNKNOWN_FILETYPES=true # Skip files with an unknown file type
      - URLHAUS_RECENT_PAYLOADS_SKIP_NULL_SIGNATURE=true # Skip files that didn't match known Yara rules
      - URLHAUS_RECENT_PAYLOADS_LABELS=urlhaus # (Optional) Labels to apply to uploaded Artifacts. (Comma separated)
      - URLHAUS_RECENT_PAYLOADS_LABELS_COLOR=#54483b
      - URLHAUS_RECENT_PAYLOADS_SIGNATURE_LABEL_COLOR=#0059f7 # Color for Yara rule match label
      - URLHAUS_RECENT_PAYLOADS_FILETYPE_LABEL_COLOR=#54483b # Color to use for filetype label
    restart: always
  connector-cyber-campaign-collection:
    image: opencti/connector-cyber-campaign-collection:6.3.5
    environment:
      - OPENCTI_URL=http://xx.xx.xx.xx:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # generate user token
      - CONNECTOR_ID=*************87-ac9e107b772f
      - "CONNECTOR_NAME=APT & Cybercriminals Campaign Collection"
      - CONNECTOR_SCOPE=report
      - CONNECTOR_RUN_AND_TERMINATE=false
      - CONNECTOR_LOG_LEVEL=error
      - CYBER_MONITOR_GITHUB_TOKEN= # If not provided, rate limit will be very low
      - CYBER_MONITOR_FROM_YEAR=2018
      - CYBER_MONITOR_INTERVAL=4 # In days, must be strictly greater than 1
    restart: always
volumes:
  esdata:
  s3data:
  redisdata:
  amqpdata:
```


Feel free to copy this as-is, but remember to change the UUIDs and API keys.
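Because most of the failures in this walkthrough come from the `.env` file rather than from OpenCTI itself, a small preflight check before `docker-compose up -d` saves a lot of container restarts. The script below is an added example, not part of the original post or of the OpenCTI project. It catches the pitfalls called out above (the admin e-mail, the UUIDv4 ids, an empty OPENCTI_HEALTHCHECK_ACCESS_KEY) and two that are easy to hit: `//` is not a comment marker in a `.env` file, so everything after it becomes part of the value (use `#` after a space instead), and a key listed twice under one service's `environment` silently keeps only the last value. The file names, the `preflight.py` name and the sample inputs are assumptions constructed for the example; the compose file is scanned with regular expressions rather than a YAML parser, which is enough for the two-space layout used above.

```python
"""Preflight check for an OpenCTI docker-compose deployment (added example).

Reads .env and docker-compose.yml as plain text and reports the mistakes the
walkthrough warns about. File names and sample inputs are assumptions.
"""
import re
import sys
import uuid

# Keys OpenCTI requires to be a UUIDv4: the admin token and every connector id.
UUID_KEY_RE = re.compile(r"^(OPENCTI_ADMIN_TOKEN|CONNECTOR_[A-Z0-9_]+_ID)$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REF_RE = re.compile(r"\$\{([A-Z0-9_]+)\}")            # ${VAR} references in compose
SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")   # two-space indented service name
ENV_ITEM_RE = re.compile(r'^\s+- "?([A-Z0-9_]+)=')    # "- KEY=value" list item


def parse_dotenv(text):
    """Parse .env like docker compose: '#' comments are dropped (inline ones only
    after a space, unquoted values), but a trailing '//note' stays in the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if not value.startswith(('"', "'")):
            value = value.split(" #", 1)[0].rstrip()
        env[key.strip()] = value
    return env


def is_uuid4(value):
    """True only for a well-formed RFC 4122 version-4 UUID string."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def check_dotenv(env):
    """Return the list of problems found in a parsed .env mapping."""
    problems = []
    for key, value in env.items():
        if "//" in value:
            problems.append(f"{key}: '//' is not a comment in .env, value is {value!r}")
        if UUID_KEY_RE.match(key) and not is_uuid4(value):
            problems.append(f"{key}: must be a valid UUIDv4")
    if not EMAIL_RE.match(env.get("OPENCTI_ADMIN_EMAIL", "")):
        problems.append("OPENCTI_ADMIN_EMAIL: must be an e-mail address")
    if not env.get("OPENCTI_HEALTHCHECK_ACCESS_KEY"):
        problems.append("OPENCTI_HEALTHCHECK_ACCESS_KEY: empty, the platform healthcheck will fail")
    if (env.get("RABBITMQ_DEFAULT_USER"), env.get("RABBITMQ_DEFAULT_PASS")) == ("guest", "guest"):
        problems.append("RABBITMQ_DEFAULT_USER/PASS: still the default guest/guest")
    return problems


def check_compose(compose_text, env):
    """Every ${VAR} must be set and non-empty in .env; no service may list the
    same environment key twice (compose keeps the last one without warning)."""
    problems = []
    for var in sorted(set(REF_RE.findall(compose_text))):
        if not env.get(var):
            problems.append(f"compose references ${{{var}}} but it is unset or empty in .env")
    service, seen = None, set()
    for line in compose_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            service, seen = m.group(1), set()
            continue
        m = ENV_ITEM_RE.match(line)
        if m and service:
            key = m.group(1)
            if key in seen:
                problems.append(f"{service}: {key} is listed twice, only the last value is used")
            seen.add(key)
    return problems


def preflight(env_text, compose_text):
    env = parse_dotenv(env_text)
    return check_dotenv(env) + check_compose(compose_text, env)


# Constructed sample inputs that reproduce the pitfalls discussed in the post.
SAMPLE_ENV = """\
OPENCTI_ADMIN_EMAIL=admin@opencti.io //must be an e-mail
OPENCTI_ADMIN_PASSWORD=ChangeMePlease # inline comments use '#'
OPENCTI_ADMIN_TOKEN=9b4d9a0e-6b4a-4e0f-8a0e-3c1d2b9f1a11
OPENCTI_HEALTHCHECK_ACCESS_KEY=
MINIO_ROOT_USER=opencti
MINIO_ROOT_PASSWORD=ChangeMePlease
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
CONNECTOR_EXPORT_FILE_STIX_ID=not-a-uuid
CONNECTOR_ALIENVAULT_ID=2f1b0c7e-5a3d-4c8b-9e7f-6d5a4b3c2d1e
"""
SAMPLE_COMPOSE = """\
services:
  opencti:
    image: opencti/platform:6.3.5
    environment:
      - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
      - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
      - APP__HEALTH_ACCESS_KEY=${OPENCTI_HEALTHCHECK_ACCESS_KEY}
      - "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
  connector-cisa-known-exploited-vulnerabilities:
    image: opencti/connector-cisa-known-exploited-vulnerabilities:6.3.5
    environment:
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_CISAKEV_ID}
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_LOG_LEVEL=info
volumes:
  esdata:
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python preflight.py .env docker-compose.yml
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            found = preflight(f.read(), g.read())
    else:                   # no arguments: run against the constructed samples
        found = preflight(SAMPLE_ENV, SAMPLE_COMPOSE)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it from the `docker` directory as `python preflight.py .env docker-compose.yml`; a non-zero exit means something needs fixing before `docker-compose up -d`. Once the stack is up, the same health endpoint the compose healthcheck uses (`/health?health_access_key=...`) can be queried with curl to confirm the key was picked up.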

After adding the connectors, update the stack:

```bash
docker-compose up -d
```
