Open SamuelHassine opened 2 years ago
To add, this is regarding a bidirectional implementation where OpenCTI can fetch sub-sections of logs, for example IPs and other IOCs.
These can then be stored in OpenCTI, and when new Threat Intelligence is ingested, it can be checked against the ingested IOCs, so that if a new piece of Threat Intelligence regarding a bad actor has been seen in your SIEM's logs, this allows for coverage against past user activity.
Alerts on such sightings should be sent using the Subscriptions manager with the date and time of the log.
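As an added illustration of the sighting check described in this post (not OpenCTI's or any connector's code), here is a small Python routine that matches newly ingested indicators against observable values previously pulled from SIEM logs and yields one sighting per match, carrying the log timestamps an alert would need. All observations, indicator ids and values are constructed samples.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of observables previously fetched from SIEM logs:
# observable type -> value -> list of (log timestamp, log source).
SIEM_OBSERVATIONS: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "ipv4-addr": {
        "198.51.100.23": [("2023-04-02T10:15:00Z", "proxy")],
        "203.0.113.7": [("2023-04-05T08:00:00Z", "firewall"),
                        ("2023-04-06T09:30:00Z", "firewall")],
    },
    "domain-name": {
        "staging.example.net": [("2023-04-03T12:00:00Z", "dns")],
    },
}

# Constructed sample of newly ingested threat intelligence indicators
# (hypothetical ids; the STIX-like shape is an assumption of this example).
NEW_INDICATORS = [
    {"id": "indicator--1", "type": "ipv4-addr", "value": "203.0.113.7"},
    {"id": "indicator--2", "type": "ipv4-addr", "value": "192.0.2.1"},
    {"id": "indicator--3", "type": "domain-name", "value": "Staging.Example.NET"},
]


def _normalize(value: str) -> str:
    # Hostnames and addresses are case-insensitive; strip stray whitespace.
    return value.strip().lower()


def _parse_ts(ts: str) -> datetime:
    # Accept the trailing "Z" used in log exports on any Python 3 version.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_sightings(indicators, observations):
    """Return one sighting per indicator whose value was seen in SIEM logs,
    with first/last seen times, hit count and the log sources involved."""
    sightings = []
    for ind in indicators:
        by_value = observations.get(ind["type"], {})
        hits = by_value.get(_normalize(ind["value"]), [])
        if not hits:
            continue  # no past log activity for this indicator
        times = sorted(_parse_ts(ts) for ts, _ in hits)
        sightings.append({
            "indicator_id": ind["id"],
            "value": _normalize(ind["value"]),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "count": len(hits),
            "sources": sorted({src for _, src in hits}),
        })
    return sightings
```

Each returned record is what a subscription alert for the matched indicator would carry: the value, when it was first and last observed in the logs, and which log sources produced the observations.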
@romain-filigran First implementation is the Splunk Hunting connector, right? Do we have an epic for those kinds of connectors (hunting / enrichment from SIEM)?
Yes @SamuelHassine. Splunk will be the first one; I'm waiting for an update of the "stix-shifter" library to finish it. We can create an EPIC to group such connectors/integrations.
Use case
Enrichment to SIEMs