OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

Enrichment to SIEMs #779

Open SamuelHassine opened 2 years ago

SamuelHassine commented 2 years ago

Use case

Enrichment to SIEMs

ReadyElbow commented 2 years ago

To add, this is regarding a bidirectional implementation where OpenCTI can fetch sub-sections of logs, for example IPs and other IOCs.

These can then be stored in OpenCTI, and when new threat intelligence is ingested, it can be checked against the ingested IOCs: if a new piece of threat intelligence regarding a bad actor has been seen in your SIEM's logs, this allows for coverage against past user activity.

Alerts on such sightings should be sent using the Subscriptions manager, with the date and time of the log.
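The retro-matching step described above (IOCs harvested from SIEM logs, then newly ingested indicators checked against them, with the log timestamps preserved for alerting), as an added example that is not part of OpenCTI or any of its connectors. The SIEM events, their field names (`ts`, `src_ip`, `dst_ip`, `dns`, `user`), the indicator records and the NDJSON format are all constructed assumptions for illustration; it handles only single-comparison STIX patterns and does not call the OpenCTI API.

```python
"""Retro-match newly ingested indicators against observables previously
extracted from SIEM logs. Illustration for the use case in this issue;
not OpenCTI or connector code. All data below is constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of SIEM events, one JSON object per line (NDJSON).
# Field names are an assumption; a real SIEM export would differ.
SAMPLE_SIEM_LOGS = """\
{"ts": "2024-03-01T08:15:02Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "user": "alice", "dns": "cdn.example.net"}
{"ts": "2024-03-02T19:40:11Z", "src_ip": "10.0.0.9", "dst_ip": "203.0.113.42", "user": "bob", "dns": "update.evil-example.org"}
{"ts": "2024-03-04T02:03:55Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "user": "alice", "dns": ""}
{"ts": "2024-03-05T11:00:00Z", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.1", "user": "carol", "dns": "intranet.local"}
"""

# Constructed "newly ingested" indicators carrying STIX-style patterns.
NEW_INDICATORS = [
    {"id": "indicator--1", "name": "C2 server",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"id": "indicator--2", "name": "Malware staging domain",
     "pattern": "[domain-name:value = 'update.evil-example.org']"},
    {"id": "indicator--3", "name": "Unrelated IP",
     "pattern": "[ipv4-addr:value = '192.0.2.99']"},
]

# Only the simplest STIX pattern form, [type:path = 'value'], is parsed.
_PATTERN_RE = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<path>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$")

# Which log fields hold which observable type (assumed mapping).
FIELD_TYPES = {"dst_ip": "ipv4-addr", "src_ip": "ipv4-addr", "dns": "domain-name"}


def parse_pattern(pattern):
    """Return (observable_type, value) for a single-comparison pattern, else None."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        return None
    return m.group("type"), m.group("value")


def index_siem_logs(ndjson):
    """Build {(type, value): [(timestamp, event), ...]} from SIEM events.

    This is the 'fetch sub-sections of logs' side: every observable seen in
    the logs is kept together with when it was seen."""
    index = defaultdict(list)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        for field, obs_type in FIELD_TYPES.items():
            value = event.get(field)
            if value:  # skip empty fields such as an absent DNS name
                index[(obs_type, value)].append((ts, event))
    return index


def retro_match(indicators, index):
    """Return one sighting record per indicator already present in the logs.

    Each record carries the log-derived first/last seen timestamps so an
    alert can state exactly when the activity happened."""
    sightings = []
    for ind in indicators:
        parsed = parse_pattern(ind["pattern"])
        if parsed is None:
            continue  # compound patterns are out of scope for this example
        hits = index.get(parsed, [])
        if not hits:
            continue
        timestamps = sorted(ts for ts, _ in hits)
        sightings.append({
            "indicator_id": ind["id"],
            "observable": parsed,
            "count": len(hits),
            "first_seen": timestamps[0].isoformat(),
            "last_seen": timestamps[-1].isoformat(),
            "users": sorted({e.get("user") for _, e in hits if e.get("user")}),
        })
    return sightings


if __name__ == "__main__":
    for s in retro_match(NEW_INDICATORS, index_siem_logs(SAMPLE_SIEM_LOGS)):
        print(json.dumps(s))
```

In a real connector the index would be persisted as observables in OpenCTI and each record returned by `retro_match` would become a Sighting created through the platform's client; that step is left out here because the point is the matching logic and the retained log timestamps, not the API calls.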