Configure Connectors

Connectors are the pieces that get data into and out of OpenCTI: they cover manual uploads and file imports as well as automated pulls from external feeds through their APIs (and enrichment and export, which are not covered here). Each connector runs as its own container and talks to the platform through the OpenCTI API with an API token.

OpenCTI provides a large set of ready-made connectors in its GitHub repository (https://github.com/OpenCTI-Platform/connectors).

In this example we'll use the MalwareBazaar "recent additions" connector, which pulls newly submitted samples from abuse.ch.

version: '3'
services:
  connector-malware-bazaar-recent-additions:
    image: opencti/connector-malwarebazaar-recent-additions:5.2.4 # keep this tag aligned with your OpenCTI platform version
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=ChangeMe # API token of a dedicated OpenCTI user created for this connector, not the admin token
      - CONNECTOR_ID=ChangeMe # a unique UUIDv4 (for example from `uuidgen`); every connector needs its own
      - CONNECTOR_TYPE=EXTERNAL_IMPORT
      - "CONNECTOR_NAME=MalwareBazaar Recent Additions"
      - CONNECTOR_CONFIDENCE_LEVEL=50 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_UPDATE_EXISTING_DATA=true
      - CONNECTOR_LOG_LEVEL=info
      - MALWAREBAZAAR_RECENT_ADDITIONS_API_URL=https://mb-api.abuse.ch/api/v1/
      - MALWAREBAZAAR_RECENT_ADDITIONS_COOLDOWN_SECONDS=300 # Time to wait in seconds between subsequent requests
      - MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_TAGS=exe,dll,docm,docx,doc,xls,xlsx,xlsm,js # (Optional) Only download files if any tag matches. (Comma separated)
      - MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_REPORTERS= # (Optional) Only download files uploaded by these reporters. (Comma separated)
      - MALWAREBAZAAR_RECENT_ADDITIONS_LABELS=malware-bazaar # (Optional) Labels to apply to uploaded Artifacts. (Comma separated)
      - MALWAREBAZAAR_RECENT_ADDITIONS_LABELS_COLOR=#54483b # Color to use for labels
    restart: always

OPENCTI_URL is the address the connector container uses to reach the platform. If the connector is joined to the same Docker network as the OpenCTI stack, the service name opencti resolves and http://opencti:8080 works as written. Otherwise, replace it with an IP address or hostname the connector can reach, for example

OPENCTI_URL=http://172.18.0.8:8080

Bear in mind that an address Docker hands out to a container can change when the container is recreated, so a hostname or a deliberately fixed address is preferable to one copied from the current container.

Since the connector is deployed as a separate stack, its container lands on its own default network and cannot reach the OpenCTI container unless you attach it to the network the OpenCTI stack created. To do this, append the following to the bottom of the above example, replacing opencti_default with the name of your OpenCTI stack's default network (docker network ls shows it; Portainer lists it under Networks):

networks:
  default:
    external:
      name: opencti_default

Go back to Portainer > Stacks > Add stack. Name: Malware-Bazaar-feed. Same process as before: paste the above contents into the web editor (with the token, connector ID, URL and network name changed to your own values), then deploy the stack. Give it 1-2 minutes, then go to Portainer > Containers and confirm the container is running, healthy, and joined to the correct network. If it keeps restarting, check its logs (docker logs <container>): an invalid or missing CONNECTOR_ID, a rejected token, or a connection refused on OPENCTI_URL are the usual causes. Once it is up, the connector should also appear under Data > Connectors in the OpenCTI UI.
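The steps above (generate a connector ID, replace the placeholders, attach the right network, deploy) are easy to get half-done, and a connector deployed with ChangeMe left in place or a malformed CONNECTOR_ID just restart-loops. The script below is an added pre-deployment check, not part of the page or of the OpenCTI project: it reads the "- KEY=VALUE" lines from a compose file like the one above, generates a UUIDv4 for CONNECTOR_ID, and refuses a stack that still has placeholders, a non-UUID connector ID, a non-http(s) OPENCTI_URL, or (when docker is available) an external network that does not exist. The file name and the lint rules are assumptions of this example.

```shell
#!/bin/sh
# Pre-deploy lint for an OpenCTI connector compose stack (added example, not OpenCTI's own code).
# Assumption: environment values are written as "- KEY=VALUE" list items, as in the page's compose snippet.
set -u

# Print a random UUIDv4 suitable for CONNECTOR_ID (OpenCTI requires a UUID; every connector needs its own).
gen_connector_id() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen | tr 'A-Z' 'a-z'
        return
    fi
    # Fallback: 16 random bytes; force the version nibble to 4 and the variant nibble to 8, 9, a or b.
    hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s-%s-4%s-%s%s-%s\n' \
        "$(printf '%s' "$hex" | cut -c1-8)" \
        "$(printf '%s' "$hex" | cut -c9-12)" \
        "$(printf '%s' "$hex" | cut -c14-16)" \
        "$(printf '%s' "$hex" | cut -c17 | tr '0123456789abcdef' '89ab89ab89ab89ab')" \
        "$(printf '%s' "$hex" | cut -c18-20)" \
        "$(printf '%s' "$hex" | cut -c21-32)"
}

# get_env FILE KEY: value of the first "- KEY=VALUE" line, with an optional surrounding quote
# and a trailing " # comment" stripped. Prints nothing if the key is absent.
get_env() {
    grep -E "^[[:space:]]*-[[:space:]]*\"?$2=" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]*-[[:space:]]*\"?$2=//; s/[[:space:]]+#.*$//; s/\"[[:space:]]*$//; s/[[:space:]]*$//"
}

# check_stack FILE: returns 0 if the stack is safe to deploy, 1 otherwise, printing each failed check.
check_stack() {
    f=$1
    rc=0
    for key in OPENCTI_TOKEN CONNECTOR_ID; do
        v=$(get_env "$f" "$key")
        case "$v" in
            ""|ChangeMe) echo "FAIL: $key is missing or still set to the placeholder"; rc=1 ;;
        esac
    done
    id=$(get_env "$f" CONNECTOR_ID)
    if ! printf '%s\n' "$id" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'; then
        echo "FAIL: CONNECTOR_ID '$id' is not a UUIDv4"; rc=1
    fi
    url=$(get_env "$f" OPENCTI_URL)
    case "$url" in
        http://*|https://*) ;;
        *) echo "FAIL: OPENCTI_URL '$url' is not an http(s) URL"; rc=1 ;;
    esac
    # The external network named in the stack must already exist, or the connector cannot reach OpenCTI.
    net=$(sed -n 's/^[[:space:]]*name:[[:space:]]*//p' "$f" | head -n 1)
    if [ -n "$net" ] && command -v docker >/dev/null 2>&1; then
        if ! docker network inspect "$net" >/dev/null 2>&1; then
            echo "FAIL: docker network '$net' does not exist"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh check_connector_stack.sh docker-compose.yml
if [ -n "${1:-}" ]; then
    check_stack "$1" && echo "OK: $1 passes pre-deploy checks"
fi
```

Run it against the stack file before pasting it into Portainer; a non-zero exit means something in the list above would have caused a restart loop or an unreachable platform. The check cannot tell an admin token from a connector user's token, so that part stays a manual step.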
