In this blog I am going to use the previously built OpenCTI platform and add two connectors to ingest Threat Intelligence data. Connectors come in five different types:
- External-import
- Internal-enrichment
- Internal-export-file
- Internal-import-file
- Stream
For this demo I am going to configure two open-source External-import connectors, MITRE ATT&CK and AbuseIPDB. OpenCTI connector information can be found HERE.
The MITRE ATT&CK connector settings can be pulled from the OpenCTI GitHub HERE. Copy the MITRE docker-compose.yml from line 3 to 15 inclusive and add it to your own docker-compose.yml below the last connector and before the ‘volumes’ line. Make sure the connector-mitre line is indented so that it lines up with the previous connector (YAML indentation is made of spaces, not tab characters).

Change OPENCTI_URL to your own URL, change OPENCTI_TOKEN to the ${OPENCTI_ADMIN_TOKEN} variable and generate a new UUIDv4 value for the CONNECTOR_ID from HERE.
    # Add these lines at the end of the connector's service definition so the connector
    # waits for the OpenCTI platform to report healthy before it attempts to start.
    depends_on:
      opencti:
        condition: service_healthy

Save your changes to docker-compose.yml and bring your instance back up with docker compose up -d. When it restarts it should only pull the MITRE connector image, as this is the only change. Once everything is up and healthy, log back into your instance and navigate to Data -> Ingestion -> Connectors; you should now see the MITRE connector pulling data into the platform.

Navigating to Techniques -> Attack patterns you should now see the MITRE ATT&CK techniques.

Drilling down into individual techniques you get descriptions, detection information, kill chain phase information and links to external resources.

The second connector is for AbuseIPDB, and it requires an API key, which you get once you have signed up HERE. The connector's GitHub page, from which to download the docker-compose.yml, is HERE.

As before, copy lines 3 to 17 inclusive and add them to your own docker-compose.yml. Change lines 6, 7 and 8 as before and add the API key on line 13.

When finished, your docker-compose.yml should look like this.

Restart your instance with docker compose up -d. You should see the new AbuseIPDB connector listed, and see that it is pulling in data.
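Both connectors are wired up the same way: a fresh CONNECTOR_ID, the token taken from ${OPENCTI_ADMIN_TOKEN}, and a depends_on block that waits for a healthy opencti service. The check below is an example I have added for this post, not code from the OpenCTI project: it reads a docker-compose.yml and flags a connector whose CONNECTOR_ID is still the template value or duplicates another connector's, whose token or API key is pasted into the compose file instead of being referenced from .env, or which is missing the service_healthy dependency. The compose fragment is constructed, and ABUSEIPDB_API_KEY is an assumed variable name.

```python
import re
# Constructed docker-compose.yml fragment, not the project's own: connector-mitre is set up as the
# post describes; connector-abuseipdb carries the slips the checks catch (ABUSEIPDB_API_KEY is assumed).
SAMPLE_COMPOSE = """\
services:
  connector-mitre:
    environment:
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=3f2504e0-4f89-41d3-9a0c-0305e82c3301
    depends_on:
      opencti:
        condition: service_healthy
  connector-abuseipdb:
    environment:
      - OPENCTI_TOKEN=11111111-2222-3333-4444-555555555555
      - CONNECTOR_ID=ChangeMe
      - ABUSEIPDB_API_KEY=0123456789abcdef
    depends_on:
      - opencti
"""
UUID4 = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
HEALTHY = re.compile(r"depends_on:\s*\n\s+opencti:\s*\n\s+condition:\s*service_healthy")

def connector_blocks(compose_text):
    # Split on 2-space-indented keys (the service names); enough for this shape, no PyYAML needed.
    blocks = {}
    for chunk in re.split(r"^  (?=[A-Za-z])", compose_text, flags=re.M)[1:]:
        name, _, body = chunk.partition(":\n")
        blocks[name] = body
    return {n: b for n, b in blocks.items() if n.startswith("connector-")}

def check_connectors(compose_text):
    """Return {connector service: [findings]}; an empty list means the service passed."""
    seen_ids, findings = {}, {}
    for name, block in connector_blocks(compose_text).items():
        env = dict(re.findall(r"^\s*-\s*([A-Z0-9_]+)=(.*)$", block, re.M))
        cid, issues = env.get("CONNECTOR_ID", "").lower(), []
        if not UUID4.match(cid):
            issues.append("CONNECTOR_ID is not a UUIDv4 (template value left in place?)")
        elif cid in seen_ids:  # every connector needs its own ID
            issues.append(f"CONNECTOR_ID duplicates {seen_ids[cid]}")
        seen_ids.setdefault(cid, name)
        for key, value in env.items():  # secrets belong in .env, referenced as ${VAR}
            if key.endswith(("_TOKEN", "_API_KEY", "_SECRET", "_PASSWORD")) and not value.startswith("${"):
                issues.append(f"{key} is hard-coded in docker-compose.yml")
        if not HEALTHY.search(block):
            issues.append("missing depends_on -> opencti -> condition: service_healthy")
        findings[name] = issues
    return findings
```

Run check_connectors on the text of your own docker-compose.yml before docker compose up -d; the connector-mitre service in the sample passes cleanly while connector-abuseipdb produces four findings.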

Navigating to Observations -> Observables will show malicious IP data populating.

In this blog I have shown how to configure external-import connectors for the MITRE ATT&CK and malicious IP threat intelligence feeds. In future blogs I will look at stream and internal-enrichment connectors, and at connecting OpenCTI to your Elastic SIEM.