Siopy/n8n-nodes-opencti

GitHub: Siopy/n8n-nodes-opencti

这是一个用于集成开源威胁情报平台 OpenCTI 的 n8n 社区节点，支持通过工作流自动化管理威胁情报实体与关联关系。

Stars: 1 | Forks: 0

# n8n-nodes-opencti 用于 [OpenCTI](https://www.opencti.io/)（一个开源网络威胁情报 (CTI) 平台）的定制 [n8n](https://n8n.io/) 社区节点。该节点通过 OpenCTI 的 GraphQL API 进行通信，可直接从您的 n8n 工作流中管理威胁情报数据。 ## 目录 - [安装](#installation) - [支持的资源](#supported-resources) - [凭证设置](#credentials-setup) - [开发](#development) - [使用示例](#usage-examples) - [资源参考](#resource-reference) ## 安装 ### 从 n8n 社区节点安装（推荐） 1. 打开您的 n8n 实例 2. 前往 **Settings > Community Nodes** 3. 点击 **Install a community node** 4. 输入 `n8n-nodes-opencti` 5. 点击 **Install** ### 从 npm 安装（手动） ``` cd ~/.n8n npm install n8n-nodes-opencti ``` 然后重启 n8n。 ## 支持的资源 | 资源 | 创建 | 获取 | 搜索 | 更新 | 删除 | |---|:---:|:---:|:---:|:---:|:---:| | **Attack Pattern** (MITRE ATT&CK) | ✅ | ✅ | ✅ | ✅ | ✅ | | **Campaign** | ✅ | ✅ | ✅ | ✅ | ✅ | | **City** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Country** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Course of Action** (MITRE Mitigation) | ✅ | ✅ | ✅ | ✅ | ✅ | | **External Reference** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Incident** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Indicator** (STIX, YARA, Sigma, Snort...) | ✅ | ✅ | ✅ | ✅ | ✅ | | **Individual** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Infrastructure** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Intrusion Set** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Kill Chain Phase** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Label** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Malware** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Marking Definition** (TLP, PAP) | ✅ | ✅ | ✅ | ✅ | ✅ | | **Note / RFI** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Observable** (STIX Cyber Observable) | ✅ | ✅ | ✅ | ✅ | ✅ | | **Observed Data** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Opinion** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Position** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Region** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Relationship** (STIX Core Relationship) | ✅ | ✅ | ✅ | - | ✅ | | **Report** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Sector** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Sighting** (STIX Sighting Relationship) | ✅ | ✅ | ✅ | ✅ | ✅ | | **System** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Task** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Threat Actor** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Tool** (STIX Tool) | ✅ | ✅ | ✅ | ✅ | ✅ | | **Vulnerability** (CVSS, EPSS, CISA KEV) | ✅ | ✅ | ✅ | ✅ | ✅ | ### 支持的 Observable 类型 IPv4, IPv6, Domain Name, URL, Email Address, Hostname, File, MAC Address, User Account, Software, Process, Network Traffic, Windows Registry Key, X509 Certificate, Autonomous System, Cryptocurrency Wallet, Cryptographic Key, Phone Number, Bank Account, Credential, Tracking Number, Text, User Agent, Media Content, Mutex. ### 支持的关系类型 | 类型 | 描述 | |---|---| | `object` | 将对象添加到容器（Report、Note 等）中 | | `related-to` | 两个实体之间的通用关系 | | `uses` | 攻击者/恶意软件使用了工具/技术 | | `targets` | 针对某个实体（行业、国家、组织）的攻击 | | `indicates` | Indicator 指示了某种威胁 | | `attributed-to` | 将活动归因于某个攻击者 | | `exploits` | 利用某个漏洞 | | `mitigates` | 缓解措施 | | `delivers` / `drops` | 恶意软件投递/放置 | | `communicates-with` | 网络通信 | | `based-on` / `derived-from` | 派生关系 | | `located-at` | 地理位置 | | `variant-of` / `part-of` | 结构关系 | ## 凭证设置 1. 在浏览器中打开 n8n（例如：`http://localhost:5678`） 2. 前往 **Credentials > New Credential** 3. 搜索 **OpenCTI API** 4. 填写字段： | 字段 | 描述 | 示例 | |---|---|---| | **API URL** | 您的 OpenCTI 实例的基础 URL（末尾不带 `/`） | `https://opencti.example.com` | | **API Key** | API 密钥（OpenCTI > Profile > API access） | `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` | 5. 点击 **Test** 验证连接 6. 保存 ## 开发 ### 项目结构 ``` n8n-nodes-opencti/ ├── .github/workflows/ │ ├── ci.yml # GitHub Actions CI (lint + build) │ └── publish.yml # Publish to npm with provenance ├── .vscode/ │ └── launch.json # VSCode debugger config ├── credentials/ │ └── OpenCtiApi.credentials.ts # Credentials (auth + connection test) ├── nodes/OpenCti/ │ ├── OpenCti.node.ts # Main node with execute() │ ├── OpenCti.node.json # Codex metadata │ ├── opencti.svg # Official OpenCTI icon │ ├── GenericFunctions.ts # Helpers: GraphQL requests, filters, dates │ └── descriptions/ # UI descriptions per resource │ ├── AttackPatternDescription.ts │ ├── CampaignDescription.ts │ ├── CityDescription.ts │ ├── CountryDescription.ts │ ├── CourseOfActionDescription.ts │ ├── ExternalReferenceDescription.ts │ ├── IncidentDescription.ts │ ├── IndicatorDescription.ts │ ├── IndividualDescription.ts │ ├── InfrastructureDescription.ts │ ├── IntrusionSetDescription.ts │ ├── KillChainPhaseDescription.ts │ ├── LabelDescription.ts │ ├── MalwareDescription.ts │ ├── MarkingDefinitionDescription.ts │ ├── NoteDescription.ts │ ├── ObservableDescription.ts │ ├── ObservedDataDescription.ts │ ├── OpinionDescription.ts │ ├── PositionDescription.ts │ ├── RegionDescription.ts │ ├── RelationshipDescription.ts │ ├── ReportDescription.ts │ ├── SectorDescription.ts │ ├── SightingDescription.ts │ ├── SystemDescription.ts │ ├── TaskDescription.ts │ ├── ThreatActorDescription.ts │ ├── ToolDescription.ts │ ├── VulnerabilityDescription.ts │ └── index.ts ├── .prettierrc.js # Prettier config ├── eslint.config.mjs # ESLint config ├── package.json ├── tsconfig.json ├── CHANGELOG.md ├── LICENSE └── README.md ``` ## 使用示例 ### 创建一个 observable 并将其添加到报告中 ``` 1. OpenCTI > Observable > Create - Type: IPv4 Address - Value: 192.168.1.1 - Score: 80 - Labels: 2. OpenCTI > Relationship > Create - Type: Object (Add to Container) - From: - To: ``` ### 搜索威胁参与者及其技术 ``` 1. OpenCTI > Threat Actor > Search - Search Term: APT28 2. OpenCTI > Relationship > Search - From Entity ID: - Relationship Type: uses ``` ### 自动化告警富化工作流 ``` 1. Webhook Trigger (receive SIEM alert) 2. OpenCTI > Incident > Create (from alert data) 3. OpenCTI > Observable > Create (extracted IOCs) 4. OpenCTI > Relationship > Create (link Incident <-> Observable) 5. OpenCTI > Indicator > Create (detection pattern) 6. OpenCTI > Observable > Search (CTI enrichment) ``` ### 创建包含关联对象的报告 ``` 1. OpenCTI > Report > Create - Name: "Phishing Campaign Q1 2026" - Published: 2026-03-15 - Report Type: threat-report - Objects: ``` ## 资源参考 ### Attack Pattern MITRE ATT&CK 技术或子技术。 | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `x_mitre_id`, `x_mitre_platforms`, `x_mitre_detection`, `killChainPhases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `x_mitre_id`, `x_mitre_platforms` | | Delete | `id` | - | ### Campaign | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `first_seen`, `last_seen`, `objective`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `first_seen`, `last_seen`, `objective` | | Delete | `id` | - | ### City | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `latitude`, `longitude`, `x_opencti_aliases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `latitude`, `longitude` | | Delete | `id` | - | ### Country | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `latitude`, `longitude`, `x_opencti_aliases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `latitude`, `longitude` | | Delete | `id` | - | ### Course of Action MITRE ATT&CK 缓解措施。 | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `x_mitre_id`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description` | | Delete | `id` | - | ### External Reference | 操作 | 必填 | 可选 | |---|---|---| | Create | `source_name` | `description`, `url`, `external_id`, `hash` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `source_name`, `description`, `url`, `external_id` | | Delete | `id` | - | ### Incident | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `first_seen`, `last_seen`, `incident_type`, `severity`, `source`, `objective`, `confidence`, `createdBy`, `objectMarking`, `objectLabel` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `first_seen`, `last_seen`, `severity` | | Delete | `id` | - | ### Indicator | 操作 | 必填 | 可选 | |---|---|---| | Create | `name`, `pattern`, `pattern_type` | `description`, `indicator_types`, `valid_from`, `valid_until`, `score`, `detection`, `main_observable_type`, `createObservables`, `confidence`, `createdBy`, `objectMarking`, `objectLabel` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `pattern`, `score`, `detection`, `valid_from`, `valid_until`, `confidence` | | Delete | `id` | - | ### Individual | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `x_opencti_firstname`, `x_opencti_lastname`, `x_opencti_reliability`, `contact_information`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `x_opencti_firstname`, `x_opencti_lastname`, `contact_information` | | Delete | `id` | - | ### Infrastructure | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `infrastructure_types`, `first_seen`, `last_seen`, `killChainPhases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `first_seen`, `last_seen` | | Delete | `id` | - | ### Intrusion Set | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `first_seen`, `last_seen`, `goals`, `resource_level`, `primary_motivation`, `secondary_motivations`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `first_seen`, `last_seen`, `primary_motivation` | | Delete | `id` | | ### Kill Chain Phase | 操作 | 必填 | 可选 | |---|---|---| | Create | `kill_chain_name`, `phase_name` | `x_opencti_order` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `kill_chain_name`, `phase_name`, `x_opencti_order` | | Delete | `id` | - | ### Label | 操作 | 必填 | 可选 | |---|---|---| | Create | `value` | `color` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `value`, `color` | | Delete | `id` | - | ### Malware | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `malware_types`, `is_family`, `first_seen`, `last_seen`, `confidence`, `createdBy`, `objectMarking`, `objectLabel` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `is_family`, `first_seen`, `last_seen` | | Delete | `id` | - | ### Marking Definition TLP、PAP 或自定义标记定义。 | 操作 | 必填 | 可选 | |---|---|---| | Create | `definition_type`, `definition`, `x_opencti_order` | `x_opencti_color` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `definition`, `x_opencti_color`, `x_opencti_order` | | Delete | `id` | - | ### Note (RFI) | 操作 | 必填 | 可选 | |---|---|---| | Create | `content` | `abstract`, `authors`, `confidence`, `likelihood`, `note_types`, `createdBy`, `objectMarking`, `objectLabel`, `objects` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `abstract`, `content`, `likelihood` | | Delete | `id` | - | ### Observable STIX Cyber Observable 对象（IP 地址、域名、URL、文件哈希等）。 | 操作 | 必填 | 可选 | |---|---|---| | Create | `type`, `value` | `score`, `description`, `createdBy`, `createIndicator`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `observableTypes`, `limit`, `filterValue`, `orderBy` | | Update | `id` | `description`, `score` | | Delete | `id` | - | ### Observed Data | 操作 | 必填 | 可选 | |---|---|---| | Create | `first_observed`, `last_observed`, `number_observed` | `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences`, `objects` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `first_observed`, `last_observed`, `number_observed` | | Delete | `id` | - | ### Opinion | 操作 | 必填 | 可选 | |---|---|---| | Create | `opinion` | `explanation`, `authors`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences`, `objects` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `opinion`, `explanation` | | Delete | `id` | - | ### Position | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `latitude`, `longitude`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `latitude`, `longitude` | | Delete | `id` | - | ### Region | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `x_opencti_aliases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description` | | Delete | `id` | - | ### Relationship | 操作 | 必填 | 可选 | |---|---|---| | Create | `relationship_type`, `fromId`, `toId` | `description`, `confidence`, `start_time`, `stop_time`, `createdBy`, `objectMarking`, `objectLabel` | | Get | `id` | - | | Search | - | `searchTerm`, `fromOrToId`, `fromId`, `toId`, `relationship_type`, `limit` | | Delete | `id` | - | ### Report | 操作 | 必填 | 可选 | |---|---|---| | Create | `name`, `published` | `description`, `content`, `confidence`, `reliability`, `report_types`, `createdBy`, `objectMarking`, `objectLabel`, `objects`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit`, `orderBy`, `reportType` | | Update | `id` | `name`, `description`, `content`, `confidence`, `published` | | Delete | `id` | - | ### Sector | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `contact_information`, `x_opencti_aliases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `contact_information` | | Delete | `id` | - | ### Sighting STIX Sighting Relationship —— 表示认为某个实体（indicator、malware 等）在特定上下文中被观察到的信念。 | 操作 | 必填 | 可选 | |---|---|---| | Create | `fromId`, `toId`, `attribute_count` | `description`, `first_seen`, `last_seen`, `confidence`, `x_opencti_negative`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `fromOrToId`, `fromId`, `toId`, `fromTypes`, `toTypes`, `limit` | | Update | `id` | `description`, `first_seen`, `last_seen`, `attribute_count`, `confidence`, `x_opencti_negative` | | Delete | `id` | - | ### System | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `contact_information`, `x_opencti_aliases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `contact_information` | | Delete | `id` | - | ### Task | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `due_date`, `assignees`, `createdBy`, `objectMarking`, `objectLabel`, `objects` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `due_date` | | Delete | `id` | - | ### Threat Actor | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `threat_actor_types`, `first_seen`, `last_seen`, `sophistication`, `resource_level`, `primary_motivation`, `roles`, `goals`, `confidence`, `createdBy`, `objectMarking`, `objectLabel` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `aliases`, `first_seen`, `last_seen`, `primary_motivation`, `sophistication` | | Delete | `id` | - | ### Tool STIX Tool 对象。 | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `aliases`, `tool_types`, `tool_version`, `killChainPhases`, `confidence`, `createdBy`, `objectMarking`, `objectLabel`, `externalReferences` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `tool_version` | | Delete | `id` | - | ### Vulnerability | 操作 | 必填 | 可选 | |---|---|---| | Create | `name` | `description`, `cvss_base_score`, `cvss_base_severity`, `cvss_vector_string`, `cwe`, `cisa_kev`, `epss_score`, `epss_percentile`, `confidence`, `createdBy`, `objectMarking`, `objectLabel` | | Get | `id` | - | | Search | - | `searchTerm`, `limit` | | Update | `id` | `name`, `description`, `cvss_base_score`, `cvss_base_severity` | | Delete | `id` | - | ## License [MIT](./LICENSE)

标签：API, Cloudflare, GraphQL, MITM代理, MITRE ATT&CK, n8n, OpenCTI, Shodan, STIX, YARA, 云资产可视化, 入侵集, 可观测对象, 威胁情报管理, 工作流自动化, 恶意软件, 指标, 社区节点, 缓解措施, 网络威胁情报, 网络安全, 自动化攻击, 隐私保护, 集成工具