Wazuh SIEM — OpenCTI Threat Intel Integration
Wazuh manager integration with OpenCTI for Threat Intel.
Wazuh manager will consume data stored in OpenCTI via its GraphQL API endpoint.
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. Each API query must be authenticated via an Authorization HTTP header, and the JSON body carries the GraphQL query together with its variables and search parameters.
- OpenCTI instance up and running.
- OpenCTI API token.
- Root CA used to sign OpenCTI's digital certificate (if HTTPS is enabled).
- Event types / rule groups that trigger OpenCTI API calls.
Wazuh Manager — Custom Integration
OpenCTI Labels Import
When an observable or indicator in OpenCTI carries labels that provide context, the integration imports those labels and displays them as part of the Wazuh alert: it adds an array containing every label returned in the API response.
Threat Intel Events and Alerts
Positive matches in OpenCTI trigger a high-level alert that includes:
- Security Feed/OpenCTI connector.
- IoC type.
- Labels providing context to each indicator.
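As an added example, not the post's own integration script, the sketch below shows the shape of the custom integration described above: it picks the IoC out of a Wazuh alert by field, builds the authenticated GraphQL request (Authorization header plus JSON body with query and variables), and turns a positive match into an alert carrying the feed name, IoC type and labels array. The GraphQL field names follow an OpenCTI 5.x-style schema and the sample alert and response are constructed, so check both against your instance.

```python
import json

# Constructed GraphQL query (OpenCTI 5.x-style field names; verify against your schema).
INDICATOR_QUERY = """query Lookup($search: String) {
  indicators(search: $search, first: 1) { edges { node {
    id pattern pattern_type x_opencti_score createdBy { name }
    objectLabel { edges { node { value } } } } } } }"""

# Wazuh alert fields worth looking up, mapped to the IoC type reported in the alert.
IOC_FIELDS = [(("data", "srcip"), "ipv4-addr"), (("data", "dstip"), "ipv4-addr"),
              (("syscheck", "sha256_after"), "file-sha256"), (("data", "url"), "url")]

def extract_ioc(alert):
    """Return (ioc_type, value) for the first lookup-worthy field in a Wazuh alert."""
    for path, ioc_type in IOC_FIELDS:
        node = alert
        for key in path:
            node = node.get(key, {}) if isinstance(node, dict) else {}
        if isinstance(node, str) and node:
            return ioc_type, node
    return None

def build_request(api_token, ioc_value):
    """Authorization header plus JSON body (query + variables) for one OpenCTI lookup."""
    headers = {"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"}
    return headers, json.dumps({"query": INDICATOR_QUERY, "variables": {"search": ioc_value}})

def enrich_alert(alert, response):
    """Build the Wazuh threat-intel alert for a positive match; None when nothing matched."""
    ioc = extract_ioc(alert)
    edges = response.get("data", {}).get("indicators", {}).get("edges", [])
    if ioc is None or not edges:
        return None
    node = edges[0]["node"]
    labels = [e["node"]["value"] for e in node.get("objectLabel", {}).get("edges", [])]
    return {"integration": "opencti", "source_rule": alert["rule"]["id"], "opencti": {
        "source": (node.get("createdBy") or {}).get("name", "unknown"), "ioc_type": ioc[0],
        "ioc_value": ioc[1], "indicator_id": node["id"],
        "score": node.get("x_opencti_score"), "labels": labels}}

# Constructed sample input: a Wazuh sshd alert and the OpenCTI response for its source IP.
SAMPLE_ALERT = {"rule": {"id": "5712", "groups": ["sshd", "authentication_failures"]},
                "data": {"srcip": "203.0.113.7"}}
SAMPLE_RESPONSE = {"data": {"indicators": {"edges": [{"node": {
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
    "x_opencti_score": 85, "createdBy": {"name": "example-feed"},
    "objectLabel": {"edges": [{"node": {"value": "ssh-bruteforce"}},
                              {"node": {"value": "malicious-activity"}}]}}}]}}}
```

Calling `enrich_alert(SAMPLE_ALERT, SAMPLE_RESPONSE)` yields the enriched alert; a real integration would POST the output of `build_request` to the OpenCTI GraphQL endpoint and pass the decoded JSON response in its place.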
The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Platform Demo: https://www.socfortress.co/demo_access.html