OpenCTI

Details
Content
Dependencies
Version History

Manages indicators from OpenCTI.

Note: Support for this Pack will be moved to the Partner on April, 21, 2025.

This pack enables you to take advantage of the cyber threat intelligence database offered by OpenCTI.
You can get lists of indicators that are linked to threats, with additional information to assist with your investigation. You can also contribute to the OpenCTI database by reporting new indicators or updating the information of existing indicators.

What does this pack do?

This pack enables you to

Get information about indicators from the OpenCTI database. Fetch indicators according to the indicator type and/or indicator score.
Report new indicators to OpenCTI.
Delete indicators from the OpenCTI database.
Update the score and description fields of indicators in the OpenCTI database. You can also add/remove marking definitions and labels of existing indicators.
Get a list of organizations from the OpenCTI database and create a new organization.

The OpenCTI Create Indicator playbook creates an OpenCTI indicator according to the information provided as the playbook inputs, for example, the indicator type, score, label, external reference name and URL, and more. All information other than the indicator type is optional.

The pack includes the OpenCTI integration and the OpenCTI Create Indicator playbook.

How does this pack work?

Create an instance of the OpenCTI integration and start fetching and ingesting incidents.

Playbook Image

Pack Contributors:

Jesús García Potes jesusgarciapotes95@gmail.com

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Note: Support for this Pack will be moved to the Partner on April, 21, 2025.

What does this pack do?

This pack enables you to

Get information about indicators from the OpenCTI database. Fetch indicators according to the indicator type and/or indicator score.
Report new indicators to OpenCTI.
Delete indicators from the OpenCTI database.
Update the score and description fields of indicators in the OpenCTI database. You can also add/remove marking definitions and labels of existing indicators.
Get a list of organizations from the OpenCTI database and create a new organization.

The pack includes the OpenCTI integration and the OpenCTI Create Indicator playbook.

How does this pack work?

Create an instance of the OpenCTI integration and start fetching and ingesting incidents.

Playbook Image

Pack Contributors:

Jesús García Potes jesusgarciapotes95@gmail.com

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Integrations

Name	Description
OpenCTI	Manages OpenCTI platform. Compatible with OpenCTI 4.X API and OpenCTI 5.X API versions.

Playbooks

Name	Description
OpenCTI Create Indicator	Create indicator at OpenCTI.

Integrations

Name	Description
OpenCTI	Manages OpenCTI platform. Compatible with OpenCTI 4.X API and OpenCTI 5.X API versions.

Playbooks

Name	Description
OpenCTI Create Indicator	Create indicator at OpenCTI.

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (2)

Pack Name	Pack By
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.0.6 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.0.5 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.0.4 - R5469292 (October 20, 2025)

Integrations

Metadata and documentation improvements.
Fixed an issue by reverting the Docker image to a previous version (demisto/vendors-sdk:1.0.0.110574) to resolve a regression bug.

Related pull requests:
- 39376

Download

2.0.2 - R2989425 (March 26, 2025)

OpenCTI

Started adoption process

Related pull requests:
- 38989
- 39018

Download

2.0.1 - 2572157 (February 27, 2025)

Integrations

OpenCTI

Added the argument additional_filters to the following commands:
- opencti-get-observables
- opencti-get-incidents
- opencti-get-indicators
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2432953.

Related pull requests:
- 38647
- 38789

Download

2.0.0 - R2040490 (January 22, 2025)

Integrations

OpenCTI

Deprecate the old indicator commands.
Added the following OpenCTI observable commands (former indicator commands):
- opencti-get-observables
- opencti-observable-delete
- opencti-observable-field-update
- opencti-observable-create
- opencti-observable-field-add
- opencti-observable-field-remove
Added the following OpenCTI indicator commands:
- opencti-indicator-create
- opencti-indicator-update
- opencti-indicator-field-add
- opencti-indicator-field-remove
- opencti-get-indicators
- opencti-indicator-types-list
Added the following OpenCTI incident commands:
- opencti-incident-create
- opencti-incident-delete
- opencti-incident-types-list
Added the following OpenCTI relationship commands:
- opencti-relationship-create
Updated the Docker image to: demisto/vendors-sdk:1.0.0.110574.

Playbooks

OpenCTI Create Indicator

Updated to use the new indicator commands.
NOTE: This version will break backwards compatibility as it introduces terminology alignment between OpenCTI and its integration.

Former indicator commands have been upgraded with new logic to align with OpenCTI indicators.
indicator commands are now observable commands to align with OpenCTI observables.
Make sure to update any Playbooks or Scripts that use the modified commands.

Related pull requests:
- 37811
- 37270
- 37719
- 37803
- 37719
- 37270

Download

1.0.14 - R1709192 (November 26, 2024)

Integrations

OpenCTI

Updated the Docker image to: demisto/vendors-sdk:1.0.0.115493.

Related pull requests:
- 37118
- 37114

Download

2.0.6 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.0.5 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.0.4 - R5469292 (October 20, 2025)

Integrations

OpenCTI

Metadata and documentation improvements.
Fixed an issue by reverting the Docker image to a previous version (demisto/vendors-sdk:1.0.0.110574) to resolve a regression bug.

Related pull requests:
- 39376

Download

2.0.2 - R2989425 (March 26, 2025)

OpenCTI

Started adoption process

Related pull requests:
- 38989
- 39018

Download

2.0.1 - 2572157 (February 27, 2025)

Integrations

OpenCTI

Added the argument additional_filters to the following commands:
- opencti-get-observables
- opencti-get-incidents
- opencti-get-indicators
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2432953.

Related pull requests:
- 38647
- 38789

Download

2.0.0 - R2040490 (January 22, 2025)

Integrations

OpenCTI

Deprecate the old indicator commands.
Added the following OpenCTI observable commands (former indicator commands):
- opencti-get-observables
- opencti-observable-delete
- opencti-observable-field-update
- opencti-observable-create
- opencti-observable-field-add
- opencti-observable-field-remove
Added the following OpenCTI indicator commands:
- opencti-indicator-create
- opencti-indicator-update
- opencti-indicator-field-add
- opencti-indicator-field-remove
- opencti-get-indicators
- opencti-indicator-types-list
Added the following OpenCTI incident commands:
- opencti-incident-create
- opencti-incident-delete
- opencti-incident-types-list
Added the following OpenCTI relationship commands:
- opencti-relationship-create
Updated the Docker image to: demisto/vendors-sdk:1.0.0.110574.

Playbooks

OpenCTI Create Indicator

Updated to use the new indicator commands.
NOTE: This version will break backwards compatibility as it introduces terminology alignment between OpenCTI and its integration.

Former indicator commands have been upgraded with new logic to align with OpenCTI indicators.
indicator commands are now observable commands to align with OpenCTI observables.
Make sure to update any Playbooks or Scripts that use the modified commands.

Related pull requests:
- 37811
- 37270
- 37719
- 37803
- 37719
- 37270

Download

1.0.14 - R1709192 (November 26, 2024)

Integrations

OpenCTI

Updated the Docker image to: demisto/vendors-sdk:1.0.0.115493.

Related pull requests:
- 37118
- 37114

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	March 29, 2021
Last Release	March 22, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.