Wazuh SIEM — OpenCTI Threat Intel Integration

SOCFortress
2 min read · Feb 27, 2022


Intro

This post covers integrating the Wazuh manager with OpenCTI for threat intelligence.

Wazuh manager will consume data stored in OpenCTI via its GraphQL API endpoint.

GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. Each API query is authenticated with an Authorization HTTP header, and the JSON body carries the GraphQL query together with its variables (the values and search parameters).
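The request shape described above, as an added example (not code from the SOCFortress post or from the Wazuh project): the API token goes in the Authorization header, the query and its variables go in the JSON body, and the Root CA from the requirements list is used to verify OpenCTI's certificate. The GraphQL document is an assumption: it follows the `stixCyberObservables` / `objectLabel` shape of OpenCTI's schema as I know it, and field names differ between OpenCTI releases, so check them against your instance's schema before relying on them.

```python
"""Build (and optionally send) an authenticated GraphQL query to OpenCTI.

Added example, not the post's integration script. The query document below
is an assumption about OpenCTI's schema; verify it against your instance.
"""
import json
import ssl
import urllib.request
from typing import Optional

# GraphQL document: search observables by value and pull the fields a Wazuh
# alert later needs (type, score, labels, the connector that created it).
OBSERVABLE_QUERY = """
query LookupObservable($search: String) {
  stixCyberObservables(search: $search, first: 5) {
    edges {
      node {
        id
        entity_type
        observable_value
        x_opencti_score
        createdBy { name }
        objectLabel { edges { node { value } } }
      }
    }
  }
}
"""


def build_request(api_url: str, token: str, value: str) -> urllib.request.Request:
    """Return a ready-to-send POST for one observable value.

    The token travels in the Authorization header using the Bearer scheme;
    the JSON body carries the query plus its variables (the search value).
    """
    payload = {"query": OBSERVABLE_QUERY, "variables": {"search": value}}
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return urllib.request.Request(
        api_url, data=json.dumps(payload).encode(), headers=headers, method="POST"
    )


def request_body(req: urllib.request.Request) -> dict:
    """Decode the JSON body of a request built above (used for inspection/tests)."""
    return json.loads(req.data.decode())


def tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Verify OpenCTI's certificate against the private Root CA that signed it
    (the requirement named in the post); with no CA file, use the system store.
    Hostname checking and certificate verification stay enabled either way."""
    return ssl.create_default_context(cafile=ca_file)


def query_opencti(api_url: str, token: str, value: str,
                  ca_file: Optional[str] = None, timeout: int = 10) -> dict:
    """Send the request and return the decoded JSON response (does network I/O)."""
    req = build_request(api_url, token, value)
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as resp:
        return json.loads(resp.read().decode())
```

`query_opencti` is the only function that touches the network; a Wazuh custom integration would call it once per IoC candidate and pass the `api_key` value Wazuh hands the script as `token`.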

Requirements.

  • OpenCTI instance up and running.
  • OpenCTI API token.
  • Root CA used to sign OpenCTI’s digital certificate (if HTTPS is enabled).

Wazuh capability.

Custom integration.

Event types / rule groups that trigger OpenCTI API calls.

Event Types to be analyzed in threat intel

Wazuh Manager — Custom Integration


OpenCTI Labels Import

Observables or indicators in OpenCTI that have been enriched with labels providing context will have those labels imported and displayed as part of the Wazuh alert. The integration adds an array containing every label returned in the API response.

OpenCTI — IoC Labels

Threat Intel Events and Alerts

A positive match in OpenCTI triggers a high-level alert that includes:

  • Security feed / OpenCTI connector.
  • IoC type.
  • Score.
  • Labels providing context to each indicator.

OpenCTI — Threat Intel Summary
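The processing side of the integration, as an added example covering the rule-group trigger described earlier, the label import, and the alert summary fields listed above; it is not the SOCFortress script. Assumptions not taken from the post: the mapping from rule groups to the alert fields that hold IoC candidates, the constructed sample alert and OpenCTI response, and the `1:<integration>:<json>` message format that Wazuh custom integrations write to the manager's analysis queue.

```python
"""Turn an OpenCTI match into a Wazuh threat-intel alert record.

Added example, not the post's integration script. The GROUP_FIELDS mapping,
the sample data and the queue message format are assumptions (see comments).
"""
import json
from typing import Dict, List, Optional

# Hypothetical mapping: rule groups that should trigger an OpenCTI look-up,
# each pointing at the alert fields (dotted paths) that carry an IoC candidate.
GROUP_FIELDS: Dict[str, List[str]] = {
    "sysmon_event3": ["data.win.eventdata.destinationIp"],
    "sysmon_event_22": ["data.win.eventdata.queryName"],
    "web": ["data.srcip"],
    "sshd": ["data.srcip"],
}


def _get_path(obj, dotted: str):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def ioc_candidates(alert: dict) -> List[str]:
    """Collect distinct values from the fields selected by the alert's rule groups.
    Alerts whose groups are not in GROUP_FIELDS produce no look-ups at all."""
    seen, out = set(), []
    for group in alert.get("rule", {}).get("groups", []):
        for path in GROUP_FIELDS.get(group, []):
            value = _get_path(alert, path)
            if isinstance(value, str) and value and value not in seen:
                seen.add(value)
                out.append(value)
    return out


def summarise_match(response: dict) -> Optional[dict]:
    """Reduce an OpenCTI GraphQL response to the fields the alert shows:
    connector/feed, IoC type, score and the full label array. None if no hit."""
    edges = response.get("data", {}).get("stixCyberObservables", {}).get("edges", [])
    if not edges:
        return None
    node = edges[0]["node"]
    labels = [e["node"]["value"] for e in node.get("objectLabel", {}).get("edges", [])]
    created_by = node.get("createdBy") or {}
    return {
        "connector": created_by.get("name", "unknown"),
        "ioc_type": node.get("entity_type"),
        "ioc_value": node.get("observable_value"),
        "score": node.get("x_opencti_score"),
        "labels": labels,   # imported as an array, one element per OpenCTI label
    }


def build_queue_message(alert: dict, match: dict, integration: str = "opencti") -> str:
    """Wrap the OpenCTI summary plus a pointer to the source alert in the
    `1:<integration>:<json>` record a custom integration writes to the
    analysis queue (assumed format), so rules can match on opencti.* fields."""
    record = {
        "integration": integration,
        "opencti": match,
        "source": {
            "alert_id": alert.get("id"),
            "rule_id": alert.get("rule", {}).get("id"),
            "agent": alert.get("agent", {}).get("name"),
        },
    }
    return f"1:{integration}:{json.dumps(record)}"


# Constructed sample data (not real telemetry): a Sysmon network-connect alert
# and the OpenCTI response for its destination IP.
SAMPLE_ALERT = {
    "id": "1645963200.12345",
    "agent": {"name": "WS-01"},
    "rule": {"id": "100200", "groups": ["windows", "sysmon", "sysmon_event3"]},
    "data": {"win": {"eventdata": {"destinationIp": "198.51.100.23",
                                   "image": "C:\\Users\\Public\\update.exe"}}},
}
SAMPLE_RESPONSE = {
    "data": {"stixCyberObservables": {"edges": [{"node": {
        "id": "observable--constructed-0001",
        "entity_type": "IPv4-Addr",
        "observable_value": "198.51.100.23",
        "x_opencti_score": 75,
        "createdBy": {"name": "example-feed-connector"},
        "objectLabel": {"edges": [{"node": {"value": "malware"}},
                                  {"node": {"value": "c2-server"}}]},
    }}]}}
}

if __name__ == "__main__":
    for ioc in ioc_candidates(SAMPLE_ALERT):
        hit = summarise_match(SAMPLE_RESPONSE)   # real script: query OpenCTI for `ioc`
        if hit:
            print(build_queue_message(SAMPLE_ALERT, hit))
```

Gating look-ups on rule groups keeps the number of API calls proportional to the events worth enriching rather than to the full alert volume, and the label array lets a downstream rule raise severity on specific context (for example a `c2-server` label) rather than on any match.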

IoC Labels

OpenCTI — Labels Imported into the Alerts

OpenCTI — Alerts Threat Intel Details

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html


Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
