Liberty91

OpenCTI Lookup and Write.

/lookup-opencti

The OpenCTI integration skill gives your AI coding agent two-way access to your OpenCTI instance: ask whether an indicator is already in your knowledge base, pull the actors, reports and campaigns you hold on a subject, and write vetted findings back as indicators, observables, labels, TLP markings, relationships or whole STIX 2.1 bundles. It reads OPENCTI_URL and OPENCTI_TOKEN from your environment, and because it is one skill among 72, everything the rest of the pack discovers can end up in your knowledge graph.

What it does.

It connects to your OpenCTI instance through its GraphQL API in both directions. On the read side, a single lookup checks observables and indicators at once and tells you whether a value is already known; global search spans every entity type, from intrusion sets and malware to reports and campaigns; and filtered listing covers ten entity types with score, date and label filters. On the write side, it creates indicators and observables, applies labels and TLP markings, updates scores, relates entities to each other, and imports complete STIX 2.1 bundles.

When to use it.

Check OpenCTI early in any investigation to see whether your team has already worked an indicator and what context sits around it. Reach for search and list when you want the reports, campaigns or intrusion sets your platform holds on an actor or CVE. Then, when an investigation is finished and the findings are vetted, use the write commands to record them, so the next analyst who touches the same infrastructure starts from your conclusions rather than from a blank page.

What you get back.

Lookups return whether the value is known and in what form, as an observable, an indicator or both, along with the matching entities. Searches and listings return entities with their scores, labels and relationships, and single-entity reads include the first tier of connected objects so you can walk the graph. Writes confirm exactly what was created or changed. Everything needs only OPENCTI_URL and OPENCTI_TOKEN in your environment, and if either is missing the skill notes the gap and returns rather than failing mid-run.

How it fits your workflow.

Fourteen other skills in the pack chain it. The four investigation skills check OpenCTI automatically when credentials are present, the IOC enrichment workflow correlates every indicator against it and pushes confirmed findings back at the end, threat actor profiling reuses the intrusion sets and reports you already hold before rebuilding a profile from scratch, campaign tracking publishes its clusters into it, and bundles built with the STIX skill import as-is because OpenCTI is STIX 2.1-native. Your knowledge graph becomes the memory the whole pack reads from and writes to, instead of something you update by hand.

Frequently Asked Questions.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.