09. Integrating OpenCTI with Wazuh for Threat Intelligence Enrichment

FPT Metrodata IndonesiaFPT Metrodata Indonesia
4 min read

In today’s cybersecurity landscape, timely and accurate threat intelligence is key to staying ahead of potential threats. By combining OpenCTI, a robust threat intelligence platform, with Wazuh, an open-source security monitoring solution, you can enrich Wazuh alerts with actionable threat data. This integration empowers security teams to detect and respond to incidents more effectively. In this guide, I’ll walk you through the process of setting up this integration step-by-step.

What Are OpenCTI?

  • OpenCTI: A platform for managing, analyzing, and sharing threat intelligence data in the STIX format. It helps organizations aggregate and operationalize threat data.

Integrating the two allows Wazuh alerts to be cross-referenced with OpenCTI’s threat intelligence, adding context like Indicators of Compromise (IoCs) to your security events.

OpenCTI | Open Source Threat Intelligence Platform by Filigran

Prerequisites

Before diving in, ensure you have:

  • An OpenCTI instance running version 5.12.24 or higher. Older versions may work but might require tweaks to the integration script (check the GitHub repo for details).

  • A read-only OpenCTI API token with permissions for knowledge access and exploration.

  • A Wazuh Manager installed and operational. Familiarity with Wazuh configuration is assumed.

Installation

To get started, you’ll need to place the integration scripts in the right directory on your Wazuh Manager.

  1. Download the scripts:

  2. Copy the files:

    • For standard Wazuh installations, move them to /var/ossec/integrations.

    • For Docker users, place them in the root directory of the wazuh_integrations volume.

Configuration

Next, configure Wazuh to use the integration by editing its configuration file.

  1. Locate the config file:

    • Standard installs: /var/ossec/etc/ossec.conf

    • Docker: config/wazuh_cluster/wazuh_manager.conf

  2. **Add integration settings:**Add the following block within an <ossec_config> section:

     <integration>
   <name>custom-opencti</name>
   <group>sysmon_eid1_detections,sysmon_eid3_detections,sysmon_eid7_detections,sysmon_eid22_detections,syscheck_file,osquery_file,ids,sysmon_process-anomalies,audit_command</group>
   <alert_format>json</alert_format>
   <api_key>YOUR_OPENCTI_API_TOKEN</api_key>
   <hook_url>https://your.opencti.url/graphql</hook_url>
 </integration>

    • Replace YOUR_OPENCTI_API_TOKEN with your OpenCTI API token.

    • Update https://your.opencti.url/graphql with your OpenCTI GraphQL endpoint.

  3. Understand the <group> setting:

    • The <group> tag defines which alert groups trigger the integration. The example above targets Sysmon, Syscheck, and other event types. Customize this to match your environment’s needs.

    • You can use <rule_id> instead of <group> to target specific rules, but you can’t mix both in one block.

Setting Up Wazuh Rules

To generate alerts when IoCs are detected, add custom rules to Wazuh.

Add this rule set to your Wazuh rules configuration (e.g., /var/ossec/etc/rules/local_rules.xml):

<group name="threat_intel,">
  <rule id="100210" level="10">
    <field name="integration">opencti</field>
    <description>OpenCTI</description>
    <group>opencti,</group>
  </rule>

  <rule id="100211" level="5">
    <if_sid>100210</if_sid>
    <field name="opencti.error">\.+</field>
    <description>OpenCTI: Failed to connect to API</description>
    <options>no_full_log</options>
    <group>opencti,opencti_error,</group>
  </rule>

  <rule id="100212" level="12">
    <if_sid>100210</if_sid>
    <field name="opencti.event_type">indicator_pattern_match</field>
    <description>OpenCTI: IoC found in threat intel: $(opencti.indicator.name)</description>
    <options>no_full_log</options>
    <group>opencti,opencti_alert,</group>
  </rule>

  <rule id="100213" level="12">
    <if_sid>100210</if_sid>
    <field name="opencti.event_type">observable_with_indicator</field>
    <description>OpenCTI: IoC found in threat intel: $(opencti.observable_value)</description>
    <options>no_full_log</options>
    <group>opencti,opencti_alert,</group>
  </rule>

  <rule id="100214" level="10">
    <if_sid>100210</if_sid>
    <field name="opencti.event_type">observable_with_related_indicator</field>
    <description>OpenCTI: IoC possibly found in threat intel (related): $(opencti.related.indicator.name)</description>
    <options>no_full_log</options>
    <group>opencti,opencti_alert,</group>
  </rule>

  <rule id="100215" level="10">
    <if_sid>100210</if_sid>
    <field name="opencti.event_type">indicator_partial_pattern_match</field>
    <description>OpenCTI: IoC possibly found in threat intel: $(opencti.indicator.name)</description>
    <options>no_full_log</options>
    <group>opencti,opencti_alert,</group>
  </rule>
</group>

  • Adjust rule IDs to avoid conflicts with existing rules.

  • These rules cover connection errors (100211), exact IoC matches (100212, 100213), and partial/related matches (100214, 100215).

Event Types Explained

The integration generates different event types based on how alerts match OpenCTI data:

  • indicator_pattern_match: An exact match with an indicator pattern (e.g., a specific IP or hash).

  • observable_with_indicator: An observable (e.g., a domain) matches with a linked indicator.

  • observable_with_related_indicator: An observable relates to another with an indicator (e.g., a domain resolving to a flagged IP).

  • indicator_partial_pattern_match: A partial match with an indicator pattern.

These distinctions help prioritize alerts based on match confidence.

Debugging the Integration

If something goes wrong, enable debug mode:

  1. Enable debug output:

    • Standard installs: Add integrator.debug=1 to /var/ossec/etc/local_internal_options.conf.

    • Docker: Add it to local_internal_options.conf in the wazuh_etc volume.

  2. Check logs:

    • View logs at /var/ossec/logs/integrations.log.

    • For Docker: docker-compose exec wazuh.manager tail -f /var/ossec/logs/integrations.log.

Testing the Setup

To confirm everything works:

  1. Add a test observable in OpenCTI:

    • Create an observable (e.g., a SHA256 hash, IPv4) and link it to an indicator.

  2. Trigger an alert:

    • Place a file with the matching hash in a Wazuh-monitored directory (e.g., via Syscheck).

    • Try to access malicious IP from Wazuh-Agent.

  3. Verify alerts:

    • Check Wazuh discover for alerts like “OpenCTI: IoC found in threat intel.”

Conclusion

Integrating OpenCTI with Wazuh bridges real-time monitoring with rich threat intelligence, boosting your ability to detect and respond to threats. Try it out, tweak it to fit your environment, and share your experiences with the community. Together, we can strengthen our collective defenses!

0
Subscribe to my newsletter

Read articles from FPT Metrodata Indonesia directly inside your inbox. Subscribe to the newsletter, and don't miss out.

SecurityMonitoring Syscheck cybersecuritythreat intelligencewazuhopencti#OpenSourceSecurity

Written by

FPT Metrodata Indonesia
FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.