The article explains how to integrate Wazuh with OpenCTI so alerts can be enriched in real time with threat intelligence and IOCs such as IPs, domains, and file hashes. It walks through connector setup, custom Wazuh rules, and validation scenarios that improve alert prioritization and speed up incident response. #Wazuh #OpenCTI #VirusTotal #RansomwareLive #MalwareBazaar #ThreatFox
Keypoints
- Wazuh and OpenCTI are integrated to correlate security events with threat intelligence in real time.
- OpenCTI connectors are enabled to ingest IP addresses, domains, file hashes, campaigns, and threat actor data.
- The post uses VirusTotal, RansomwareLive, MalwareBazaar, and ThreatFox as threat intelligence sources.
- A custom Wazuh integration script queries OpenCTI to enrich alerts with matching IOCs.
- Custom Wazuh rules classify OpenCTI matches by type and confidence score, including high-confidence detections.
- The setup includes Windows Sysmon and FIM monitoring to generate events for malware and suspicious network activity testing.
- The integration reduces false positives, improves alert prioritization, and accelerates incident response.
MITRE Techniques
- [T1071] Application Layer Protocol β Used in rules for malicious IOC matches and referenced as a technique relevant to network-based communication patterns (βmalicious $(opencti.ioc_type) β¦β).
- [T1105] Ingress Tool Transfer β Used in rules for malicious IOC matches and referenced as a technique relevant to delivering or retrieving malicious content (βmalicious $(opencti.ioc_type) β¦β).
Indicators of Compromise
- [IP address] malicious/suspicious network activity and IOC enrichment β 141.105.71.82
- [Domain name] DNS simulation and OpenCTI lookup β www.southwire.com
- [File hash] threat intelligence enrichment via connectors and IOC matching β file hashes, and other 2 items
- [File name / script] Wazuh integration components deployed on the server β custom-opencti.py, custom-opencti
- [URL] OpenCTI and connector endpoints used for ingestion and enrichment β https://mb-api.abuse.ch/api/v1/, https://threatfox.abuse.ch/export/csv/recent/
Read more: https://wazuh.com/blog/real-time-threat-correlation-with-wazuh-and-opencti/