From 474f06a5f107f53d7f773837a128534ad3663453 Mon Sep 17 00:00:00 2001
From: Samuel Hassine
Date: Tue, 16 Sep 2025 09:27:55 +0200
Subject: [PATCH 1/4] [ti_opencti] Add filters
---
 .../indicator/agent/stream/cel.yml.hbs | 128 +++++++++++++++---
 .../elasticsearch/ingest_pipeline/default.yml | 96 +++++++++++++
 .../data_stream/indicator/manifest.yml | 114 ++++++++++++++++
 packages/ti_opencti/docs/README.md | 92 +++++++++++++
 packages/ti_opencti/img/opencti-logo.svg | 122 ++----------------
 packages/ti_opencti/manifest.yml | 4 +-
 6 files changed, 424 insertions(+), 132 deletions(-)
diff --git a/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs b/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs
index 13c211c0418..ee8d630c53c 100644
--- a/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs
+++ b/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs
@@ -37,25 +37,96 @@ fields: url: {{url}} program: | request( - "POST", - state.url.trim_suffix("graphql").trim_suffix("/") + "/graphql" - ).with({ - "Header": ({ - "Content-Type": ["application/json"] - }).with( - has(state.api_key) && size(state.api_key) > 0 ? - { "Authorization": ["Bearer " + state.api_key] } - : - {} - ) - }).with({ - "Body": { - "query": state.query, - "variables": { + "POST", + state.url.trim_suffix("graphql").trim_suffix("/") + "/graphql" + ).with({ + "Header": ({ + "Content-Type": ["application/json"] + }).with( + has(state.api_key) && size(state.api_key) > 0 ? + { "Authorization": ["Bearer " + state.api_key] } + : + {} + ) + }).with({ + "Body": { + "query": state.query, + "variables": { "after": has(state.cursor) && has(state.cursor.value) ? state.cursor.value : null, "first": state.page_size, "orderBy": "modified", "orderMode": "asc", + "filters": ( + // Build the FilterGroup object + ( + (has(state.pattern_types) && size(state.pattern_types) > 0) || + (has(state.indicator_types) && size(state.indicator_types) > 0) || + (has(state.revoked) && state.revoked != null) || + (has(state.valid_from_start) && state.valid_from_start != null) || + (has(state.valid_until_end) && state.valid_until_end != null) || + (has(state.label_ids) && size(state.label_ids) > 0) || + (has(state.confidence_min) && state.confidence_min != null) || + (has(state.author_ids) && size(state.author_ids) > 0) || + (has(state.creator_ids) && size(state.creator_ids) > 0) || + (has(state.created_after) && state.created_after != null) || + (has(state.modified_after) && state.modified_after != null) || + (has(state.last_modified) && state.last_modified != null) || + (has(state.marking_ids) && size(state.marking_ids) > 0) + ) ? + { + "mode": "and", + "filters": ( + // Always filter for Indicator entity type + [{"key": "entity_type", "values": ["Indicator"], "operator": "eq"}] + + (has(state.pattern_types) && size(state.pattern_types) > 0 ? 
+ [{"key": "pattern_type", "values": state.pattern_types, "operator": "eq", "mode": "or"}] : [] + ) + + (has(state.indicator_types) && size(state.indicator_types) > 0 ? + [{"key": "indicator_types", "values": state.indicator_types, "operator": "eq", "mode": "or"}] : [] + ) + + (has(state.revoked) && state.revoked != null ? + [{"key": "revoked", "values": [state.revoked == "true"], "operator": "eq"}] : [] + ) + + (has(state.valid_from_start) && state.valid_from_start != null ? + [{"key": "valid_from", "values": [state.valid_from_start], "operator": "gte"}] : [] + ) + + (has(state.valid_until_end) && state.valid_until_end != null ? + [{"key": "valid_until", "values": [state.valid_until_end], "operator": "lte"}] : [] + ) + + (has(state.label_ids) && size(state.label_ids) > 0 ? + [{"key": "objectLabel", "values": state.label_ids, "operator": "eq", "mode": "or"}] : [] + ) + + (has(state.confidence_min) && state.confidence_min != null ? + [{"key": "confidence", "values": [string(state.confidence_min)], "operator": "gte"}] : [] + ) + + (has(state.author_ids) && size(state.author_ids) > 0 ? + [{"key": "createdBy", "values": state.author_ids, "operator": "eq", "mode": "or"}] : [] + ) + + (has(state.creator_ids) && size(state.creator_ids) > 0 ? + [{"key": "creator_id", "values": state.creator_ids, "operator": "eq", "mode": "or"}] : [] + ) + + (has(state.created_after) && state.created_after != null ? + [{"key": "created", "values": [state.created_after], "operator": "gt"}] : [] + ) + + (has(state.last_modified) && state.last_modified != null ? + [{"key": "updated_at", "values": [state.last_modified], "operator": "gt"}] : + (has(state.modified_after) && state.modified_after != null ? + [{"key": "updated_at", "values": [state.modified_after], "operator": "gt"}] : [] + ) + ) + + (has(state.marking_ids) && size(state.marking_ids) > 0 ? 
+ [{"key": "objectMarking", "values": state.marking_ids, "operator": "eq", "mode": "or"}] : [] + ) + ), + "filterGroups": [] + } : + // Default filter: always filter for Indicator entity type + { + "mode": "and", + "filters": [{"key": "entity_type", "values": ["Indicator"], "operator": "eq"}], + "filterGroups": [] + } + ) } }.encode_json() }).do_request().as(resp, @@ -65,7 +136,8 @@ program: | "events": [{ "error": { "message": body.errors.map(e, e.message) }, "event": { "original": body.encode_json() } - }] + }], + "last_modified": state.?last_modified.orValue(null) }) : state.with({ 
@@ -77,23 +149,44 @@ program: | )), "want_more": body.data.indicators.pageInfo.hasNextPage, "cursor": { "value": body.data.indicators.pageInfo.endCursor }, + "last_modified": has(body.data.indicators.edges) && body.data.indicators.edges.size() > 0 ? + body.data.indicators.edges.map(e, e.node.modified).max() + : + state.?last_modified.orValue(null) }) + ) ) - ) redact: fields: - api_key state: + url: {{url}} api_key: {{api_key}} page_size: {{page_size}} preserve_original_event: {{preserve_original_event}} want_more: false + # Track last modified timestamp to avoid re-fetching + last_modified: null + # Filter configuration + pattern_types: {{#if pattern_types}}{{pattern_types}}{{else}}[]{{/if}} + indicator_types: {{#if indicator_types}}{{indicator_types}}{{else}}[]{{/if}} + revoked: {{#if revoked}}"{{revoked}}"{{else}}null{{/if}} + valid_from_start: {{#if valid_from_start}}"{{valid_from_start}}"{{else}}null{{/if}} + valid_until_end: {{#if valid_until_end}}"{{valid_until_end}}"{{else}}null{{/if}} + label_ids: {{#if label_ids}}{{label_ids}}{{else}}[]{{/if}} + confidence_min: {{#if confidence_min}}{{confidence_min}}{{else}}null{{/if}} + author_ids: {{#if author_ids}}{{author_ids}}{{else}}[]{{/if}} + creator_ids: {{#if creator_ids}}{{creator_ids}}{{else}}[]{{/if}} + created_after: {{#if created_after}}"{{created_after}}"{{else}}null{{/if}} + modified_after: {{#if modified_after}}"{{modified_after}}"{{else}}null{{/if}} + marking_ids: {{#if marking_ids}}{{marking_ids}}{{else}}[]{{/if}} # How to work with this API: https://docs.opencti.io/latest/deployment/integrations/#graphql-api # Relevant schema source: https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/config/schema/opencti.graphql query: | query IndicatorsLinesPaginationQuery( $search: String + $filters: FilterGroup $first: Int! $after: ID $orderBy: IndicatorsOrdering 
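Review bot: The string-valued entries in the new `state` block are rendered as `"{{valid_from_start}}"`, `"{{created_after}}"` and so on with no escaping, so a policy value containing a double quote or a backslash breaks the rendered YAML instead of being rejected, and the list-valued entries (`{{pattern_types}}`, `{{label_ids}}`, …) rely on the `multi: true` rendering producing a valid list literal. These values only reach OpenCTI as GraphQL `variables` and are never spliced into the query text, so this is a robustness gap rather than an injection path; a `pattern:` constraint on the text variables in `manifest.yml` would give the operator a clear error at policy-save time. It is also unclear whether `last_modified: null` survives an agent restart, since `cursor` is the documented persisted state of the CEL input; if the watermark must be durable it belongs under `cursor`, and the `# Track last modified timestamp` comment should say which it is.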
@@ -101,6 +194,7 @@ state: ) { indicators( search: $search + filters: $filters first: $first after: $after orderBy: $orderBy diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml index 3e72aa8354c..43c27a5ef43 100644 --- a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml @@ -34,6 +34,22 @@ processors: field: id target_field: event.id + ################################### + # Deduplication using fingerprint # + ################################### + + # Generate a deterministic ID based on the standard_id + # This ensures the same indicator always gets the same document ID + - fingerprint: + tag: generate_document_id_for_deduplication + fields: + - standard_id + target_field: _id + method: SHA-256 + if: ctx.standard_id != null && ctx.standard_id != '' + description: Generate deterministic document ID from standard_id for deduplication + ignore_failure: false + ###################### # Threat feed fields # ###################### 
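Review bot: The `fingerprint` processor added here writes `_id` from `standard_id` with `method: SHA-256` and a null/empty guard, but the `@@ -868,6 +884,86 @@` hunk adds a second `fingerprint` that overwrites `_id` from `opencti.indicator.standard_id` with the default method, no `if` and `ignore_missing: false`, so the SHA-256 value is discarded and any document without that field (the error events emitted by `cel.yml.hbs`, which carry only `error.message` and `event.original`) fails the pipeline. Keep a single processor, and if it is the later one give it the same guard, e.g. `if: ctx.opencti?.indicator?.standard_id != null && ctx.opencti.indicator.standard_id != ''`. As far as I can tell a repeated `_id` in a data stream is rejected as a version conflict within one backing index and not detected at all across rollovers, so the README's "new version replaces the old one" and its statement that the ID also includes `modified` should be checked against what these processors actually do. The `processors` list continues on both sides of the hunk.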
@@ -868,6 +884,86 @@ processors: ctx.threat.indicator.x509 = mergeListOfMaps(ctx.threat.indicator.x509); } + ################################### + # Fingerprint for deduplication # + ################################### + + # Generate a consistent document ID based on the indicator's unique STIX ID + # This prevents duplicates when multiple agents fetch the same data + - fingerprint: + fields: + - opencti.indicator.standard_id # STIX ID is globally unique and consistent + target_field: "_id" + ignore_missing: false + description: Generate consistent document ID for deduplication across multiple agents + + ########################################################### + # Tag indicators suitable for Security rule creation # + ########################################################### + + - set: + field: opencti.indicator.rule_compatible + value: true + if: | + ctx.opencti?.indicator?.pattern_type != null && ( + ctx.opencti.indicator.pattern_type == 'kql' || + ctx.opencti.indicator.pattern_type == 'lucene' || + ctx.opencti.indicator.pattern_type == 'eql' || + ctx.opencti.indicator.pattern_type == 'esql' + ) && ctx.opencti?.indicator?.revoked != true + description: Mark indicators that can be converted to detection rules + + - append: + field: tags + value: detection-rule-candidate + if: ctx.opencti?.indicator?.rule_compatible == true + allow_duplicates: false + + - set: + field: opencti.indicator.detection_rule.type + value: query + if: ctx.opencti?.indicator?.pattern_type == 'kql' || ctx.opencti?.indicator?.pattern_type == 'lucene' + + - set: + field: opencti.indicator.detection_rule.type + value: eql + if: ctx.opencti?.indicator?.pattern_type == 'eql' + + - set: + field: opencti.indicator.detection_rule.type + value: esql + if: ctx.opencti?.indicator?.pattern_type == 'esql' + + - set: + field: opencti.indicator.detection_rule.query + copy_from: opencti.indicator.pattern + if: ctx.opencti?.indicator?.rule_compatible == true + + - script: + description: Set detection 
rule severity based on confidence + lang: painless + if: ctx.opencti?.indicator?.rule_compatible == true + source: | + if (ctx.opencti?.indicator?.score != null) { + int score = ctx.opencti.indicator.score; + if (score >= 80) { + ctx.opencti.indicator.detection_rule.severity = 'critical'; + ctx.opencti.indicator.detection_rule.risk_score = 90; + } else if (score >= 60) { + ctx.opencti.indicator.detection_rule.severity = 'high'; + ctx.opencti.indicator.detection_rule.risk_score = 70; + } else if (score >= 40) { + ctx.opencti.indicator.detection_rule.severity = 'medium'; + ctx.opencti.indicator.detection_rule.risk_score = 50; + } else { + ctx.opencti.indicator.detection_rule.severity = 'low'; + ctx.opencti.indicator.detection_rule.risk_score = 30; + } + } else { + ctx.opencti.indicator.detection_rule.severity = 'medium'; + ctx.opencti.indicator.detection_rule.risk_score = 50; + } + ####################################################### # Tag to show if ECS indicator details were populated # ####################################################### diff --git a/packages/ti_opencti/data_stream/indicator/manifest.yml b/packages/ti_opencti/data_stream/indicator/manifest.yml index 53152551470..e5b951fb24c 100644 --- a/packages/ti_opencti/data_stream/indicator/manifest.yml +++ b/packages/ti_opencti/data_stream/indicator/manifest.yml 
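Review bot: `detection_rule.query` is filled by `copy_from: opencti.indicator.pattern`, i.e. query text written by whoever authored the indicator upstream, and the `detection-rule-candidate` tag presents it as ready to use; the `set` processor should carry a comment such as `# pattern is feed-supplied query text: validate syntax, scope and cost before any rule is created from it` so downstream automation treats it as untrusted input rather than a vetted rule. The painless script's `int score = ctx.opencti.indicator.score;` also assumes an integer; if `score` ever arrives as a string or decimal the assignment throws and the whole document fails, so a check such as `ctx.opencti.indicator.score instanceof Number` before the cast would be safer. The `medium`/50 pair is duplicated between the 40–59 band and the no-score default, and the 80/60/40 thresholds are otherwise unexplained; a one-line comment stating where those bands come from would help the next reviewer. The `processors` list continues outside the hunk.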
@@ -55,6 +55,120 @@ streams: multi: false required: true show_user: false + - name: pattern_types + type: text + title: Pattern Types + description: >- + Filter by pattern type. Most of the time only stix is supported. + placeholder: "stix" + multi: true + required: false + show_user: true + - name: indicator_types + type: text + title: Indicator Types + description: >- + Customizable in OpenCTI. Common: malicious-activity, attribution, benign, anomalous-activity, compromised, unknown. + placeholder: "malicious-activity" + multi: true + required: false + show_user: true + - name: revoked + type: select + title: Revoked Status + description: Filter by revoked status. + options: + - text: "All Indicators (No Filter)" + value: "" + - text: "Active Only (Not Revoked)" + value: "false" + - text: "Revoked Only" + value: "true" + default: "" + multi: false + required: false + show_user: true + - name: valid_from_start + type: text + title: Valid From (Start Date) + description: >- + ISO 8601 (2024-01-01T00:00:00Z) or relative (now-30d). + placeholder: "now-30d" + multi: false + required: false + show_user: true + - name: valid_until_end + type: text + title: Valid Until (End Date) + description: >- + ISO 8601 (2024-12-31T23:59:59Z) or relative (now+30d). + placeholder: "now+30d" + multi: false + required: false + show_user: true + - name: label_ids + type: text + title: Label IDs (UUIDs) + description: >- + Must be UUIDs. Find in OpenCTI: Settings → Taxonomies → Labels. + placeholder: "a1b2c3d4-e5f6-7890-abcd-ef1234567890" + multi: true + required: false + show_user: true + - name: confidence_min + type: integer + title: Minimum Confidence Level + description: >- + Range: 0-100. + default: + multi: false + required: false + show_user: true + - name: author_ids + type: text + title: Author IDs (UUIDs) + description: >- + Must be UUIDs. Find by clicking on any author entity in OpenCTI. 
+ placeholder: "identity--a1b2c3d4-e5f6-7890-abcd-ef1234567890" + multi: true + required: false + show_user: true + - name: creator_ids + type: text + title: Creator User IDs (UUIDs) + description: >- + Must be user UUIDs. Find in Settings → Security → Users. + placeholder: "user--a1b2c3d4-e5f6-7890-abcd-ef1234567890" + multi: true + required: false + show_user: true + - name: created_after + type: text + title: Created After + description: >- + ISO 8601 (2024-01-01T00:00:00Z) or relative (now-7d). + placeholder: "now-7d" + multi: false + required: false + show_user: true + - name: modified_after + type: text + title: Modified After + description: >- + ISO 8601 (2024-01-01T00:00:00Z) or relative (now-24h). + placeholder: "now-24h" + multi: false + required: false + show_user: true + - name: marking_ids + type: text + title: Marking Definition IDs (UUIDs) + description: >- + Filter by marking definitions (e.g., TLP levels). Must be UUIDs. Common markings: TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:RED. + placeholder: "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + multi: true + required: false + show_user: true - name: enable_request_tracer type: bool title: Enable request tracing diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md index 9ea75d02f94..b53ebe8cc3b 100644 --- a/packages/ti_opencti/docs/README.md +++ b/packages/ti_opencti/docs/README.md 
@@ -25,6 +25,98 @@ When adding the OpenCTI integration, you will need to provide a base URL for the The simplest authentication method to use is an API key (bearer token). You can find a value for the API key on your profile page in the OpenCTI user interface. Advanced integration settings can be used to configure various OAuth2-based authentication arrangements, and to enter SSL settings for mTLS authentication and for other purposes. For information on setting up the OpenCTI side of an authentication strategy, please refer to [OpenCTI's authentication documentation](https://docs.opencti.io/latest/deployment/authentication/). +### Filtering + +The OpenCTI integration supports advanced filtering capabilities to help you control which indicators are ingested. This allows you to focus on specific types of indicators, confidence levels, authors, or time ranges that are most relevant to your security operations. + +#### Available Filters + +The following filters can be configured when setting up the integration (Note: The integration automatically filters for entity type 'Indicator' only): + +- **Pattern Types**: Filter indicators by pattern type (e.g., 'stix'). The values are customizable in OpenCTI, and any custom pattern types defined in your OpenCTI instance are supported (if an observable is associated). + +- **Indicator Types**: Filter indicators by type. Values are customizable in OpenCTI. Common defaults include: 'malicious-activity', 'attribution', 'benign', 'anomalous-activity', 'compromised', 'unknown'. Custom types defined in your OpenCTI instance are also supported. + +- **Revoked Status**: Filter by revoked status. Set to 'true' to get only revoked indicators, 'false' for only active (non-revoked) indicators, or leave empty to get all indicators regardless of revoked status. + +- **Valid From (Start Date)**: Filter indicators with valid_from date after this date. 
Use ISO 8601 format (e.g., '2024-01-01T00:00:00Z') or relative date expressions (e.g., 'now-30d', 'now-7d'). + +- **Valid Until (End Date)**: Filter indicators with valid_until date before this date. Use ISO 8601 format (e.g., '2024-12-31T23:59:59Z') or relative date expressions (e.g., 'now+30d', 'now+7d'). + +- **Label IDs**: Filter by label IDs. Enter the UUIDs of the labels to filter indicators that have these labels applied. **Important: You must use label IDs (UUIDs), not label names.** You can find label IDs in the OpenCTI interface by navigating to Settings > Taxonomies > Labels, or via the API. + +- **Minimum Confidence Level**: Filter indicators with confidence level greater than or equal to a specified value (0-100). + +- **Author IDs**: Filter by author IDs (createdBy relationship). Enter the UUIDs of the authors to filter indicators created by them. **Important: You must use author IDs (UUIDs), not author names.** You can find author IDs in the OpenCTI interface by clicking on an entity and checking its details, or via the API. + +- **Creator IDs**: Filter by technical creator IDs. Enter the UUIDs of the internal users who created the indicators in OpenCTI. + +- **Created After**: Filter indicators created after a specific date. Use ISO 8601 format (e.g., '2024-01-01T00:00:00Z') or relative date expressions (e.g., 'now-30d', 'now-7d', 'now-24h'). + +- **Modified After**: Filter indicators modified after a specific date. Use ISO 8601 format (e.g., '2024-01-01T00:00:00Z') or relative date expressions (e.g., 'now-30d', 'now-7d', 'now-24h'). + +- **Marking Definition IDs**: Filter by marking definitions (e.g., TLP levels). Enter the UUIDs of the marking definitions. 
**Important: You must use marking definition IDs (UUIDs), not names.** Common TLP marking IDs: + - TLP:CLEAR (TLP:WHITE): `marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da` + - TLP:GREEN: `marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb` + - TLP:AMBER: `marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421` + - TLP:RED: `marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1` + +#### Filter Examples + +Here are some practical examples of filter configurations: + +1. **High-confidence indicators only**: Set `Minimum Confidence Level` to 75 to ingest only indicators with high confidence. + +2. **Active threat indicators**: Set `Indicator Types` to ['malicious-activity', 'compromised'] and `Revoked Status` to 'false' to focus on active, non-revoked threats. + +3. **Currently valid indicators**: Set `Valid From (Start Date)` to 'now-365d' and `Valid Until (End Date)` to 'now+30d' to get indicators that are currently within their validity period. + +4. **Recent indicators**: Set `Created After` to 'now-7d' to collect only indicators created in the last 7 days. + +5. **Specific pattern types**: Set `Pattern Types` to ['stix'] to collect only STIX pattern indicators, or include your custom pattern types defined in OpenCTI. + +6. **Specific campaign tracking**: Use `Label IDs` filter with specific campaign label UUIDs (e.g., ['550e8400-e29b-41d4-a716-446655440000']) to track indicators related to particular threat campaigns. + +7. **Indicators from specific sources**: Use `Author IDs` with the UUIDs of specific threat intelligence sources (e.g., ['123e4567-e89b-12d3-a456-426655440000']) to filter indicators from trusted sources. + +8. **Recently modified high-value indicators**: Combine `Modified After` set to 'now-24h', `Minimum Confidence Level` to 80, and `Revoked Status` to 'false' to get recently updated, high-confidence active indicators. + +9. 
**TLP-restricted indicators**: Use `Marking Definition IDs` with TLP:CLEAR and TLP:GREEN UUIDs to only ingest indicators that are safe to share broadly: ['marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da', 'marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb']. + +All filters work together using AND logic at the top level. Within each multi-value filter (like pattern types or label IDs), OR logic is applied between values. + +#### High Availability and Deduplication + +The OpenCTI integration supports running on multiple Elastic Agents for high availability. When multiple agents fetch the same indicators: + +- **Automatic Deduplication**: The integration uses a fingerprint-based document ID to prevent duplicates. Each indicator gets a consistent ID based on its `standard_id` and `modified` timestamp. +- **No Manual Configuration Needed**: Deduplication works automatically - just deploy the integration to multiple agents. +- **Update Handling**: When an indicator is updated in OpenCTI, the new version replaces the old one in Elasticsearch. + +#### Best Practices for HA Setup + +1. **Stagger Execution Times**: To avoid all agents hitting OpenCTI simultaneously, consider offsetting their schedules slightly (e.g., Agent 1 at :00, Agent 2 at :02). +2. **Use the Same Configuration**: Ensure all agents use identical filter settings to fetch the same dataset. +3. **Monitor Performance**: Check OpenCTI server load when multiple agents are polling. + +### Finding IDs in OpenCTI + +Since several filters require UUIDs rather than names, here are ways to find these IDs: + +1. **Label IDs**: + - In OpenCTI UI: Navigate to Settings → Taxonomies → Labels. Click on a label to see its ID in the URL or details. + - Via API: Query the `labels` endpoint to list all labels with their IDs. + +2. **Author IDs**: + - In OpenCTI UI: Click on any entity that has an author, then click on the author name to see its details including the ID. 
+ - Via API: Query the `identities` endpoint to list all identities (organizations, individuals) with their IDs. + +3. **Creator IDs**: + - In OpenCTI UI: Navigate to Settings → Security → Users to see user IDs. + - Via API: Query the `users` endpoint (requires appropriate permissions). + +For more information about OpenCTI's filtering system, refer to the [OpenCTI filters documentation](https://docs.opencti.io/latest/reference/filters/). + ## Logs ### Indicator diff --git a/packages/ti_opencti/img/opencti-logo.svg b/packages/ti_opencti/img/opencti-logo.svg index df9223ec990..1c412bbdf3e 100644 --- a/packages/ti_opencti/img/opencti-logo.svg +++ b/packages/ti_opencti/img/opencti-logo.svg @@ -1,114 +1,10 @@ - - - - - - - - - - - - - - - + + + + + + + + + diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml index 47c6fb850b0..1fe99f44485 100644 --- a/packages/ti_opencti/manifest.yml +++ b/packages/ti_opencti/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: ti_opencti title: OpenCTI -version: "2.8.0" +version: "2.9.1" description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent." type: integration source: @@ -55,7 +55,7 @@ policy_templates: title: API Key description: API key from your profile page in OpenCTI, for bearer authentication. multi: false - required: false + required: true show_user: true secret: true - name: oauth2 From 6483f458b1356a813c3300e50e6f230f2b203866 Mon Sep 17 00:00:00 2001 From: Samuel Hassine Date: Tue, 16 Sep 2025 09:30:33 +0200 Subject: [PATCH 2/4] [ti_opencti] Add filters --- packages/ti_opencti/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml index 1fe99f44485..c0e0053c718 100644 --- a/packages/ti_opencti/manifest.yml +++ b/packages/ti_opencti/manifest.yml 
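Review bot: Making `api_key` `required: true` forces a bearer token into every policy, yet the README in this series still describes OAuth2 and mTLS arrangements, the `- name: oauth2` variable follows immediately, and `cel.yml.hbs` still only adds the `Authorization` header when `size(state.api_key) > 0` — the code and docs treat the key as optional. Either keep `required: false` or remove the optional-key branch and the OAuth2 text so the policy form, the program and the documentation agree; a required secret that operators satisfy with a placeholder value is worse than an optional one. The `version` bump to `2.9.1` in the first hunk of this file is reverted to `2.9.0` by the second patch of the series, so only `2.9.0` needs a changelog entry.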
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: ti_opencti
 title: OpenCTI
-version: "2.9.1"
+version: "2.9.0"
 description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent."
 type: integration
 source:
From 984e5509241babb19bdd918adf767539d9ff9dee Mon Sep 17 00:00:00 2001
From: Samuel Hassine
Date: Tue, 16 Sep 2025 09:35:28 +0200
Subject: [PATCH 3/4] [ti_opencti] Add filters
---
 packages/ti_opencti/changelog.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml
index e98a6b62f11..0047575c82d 100644
--- a/packages/ti_opencti/changelog.yml
+++ b/packages/ti_opencti/changelog.yml
@@ -1,4 +1,18 @@
 # newer versions go on top
+- version: "2.9.0"
+ changes:
+ - description: Add comprehensive filtering support for indicators including pattern types, confidence levels, labels, dates, authors, creators, and marking definitions.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15332
+ - description: Implement deduplication mechanism using fingerprint processor to prevent duplicate indicators when running multiple agents.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15332
+ - description: Add state management to track last modified timestamp and prevent re-fetching already processed indicators.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15332
+ - description: Update OpenCTI logos for better visual consistency.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15332
 - version: "2.8.0"
 changes:
 - description: Add script processor to drop all nulls / empty strings.
From ae856380d7d243d8e4180d6ae9b27e11212ecacb Mon Sep 17 00:00:00 2001
From: Samuel Hassine
Date: Tue, 16 Sep 2025 09:38:43 +0200
Subject: [PATCH 4/4] [ti_opencti] Add filters
---
 packages/ti_opencti/docs/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md
index b53ebe8cc3b..c3d0f66e5c8 100644
--- a/packages/ti_opencti/docs/README.md
+++ b/packages/ti_opencti/docs/README.md
@@ -15,7 +15,7 @@ Each event in the log data stream collected by the OpenCTI integration is an ind
 This integration requires Filebeat version 8.9.0, or later.
-It has been updated for OpenCTI version 5.12.24 and requires that version or later.
+It has been updated for OpenCTI version 6.1.0 and requires that version or later.
 ## Setup