Elastic SIEM & OpenCTI Integration

Priority : High
I’m currently working on integrating OpenCTI with Elastic SIEM. But when I look for documents, I get different guidance from OpenCTI and Elastic (providing both links below). I'm confused and stuck about which is the right way to integrate it exactly. I've applied the configurations, but it is not yet pulling data into SIEM. Can anyone suggest the exact way to integrate OpenCTI with Elastic SIEM? :disappointed_face:

Specifically, I’m looking to:

  • Pull IOCs (e.g., IPs, domains, hashes) from OpenCTI.
  • Ingest these into Elastic SIEM as enrichment data.
  • Correlate them with logs/events ingested from various sources in the SIEM.
  • Generate alerts when matches are found.

If anyone has experience with this setup or could point me toward best practices for enabling this integration, it would be greatly appreciated.

Thanks in advance for your support!

OpenCTI document link: connectors/stream/elastic/README.md at master · OpenCTI-Platform/connectors · GitHub
Elastic document link: OpenCTI | Elastic integrations


I'm not the author of the integration, but from a quick glance over both links the OpenCTI document is quite old.

The Elastic OpenCTI integration is newer and currently supported. Which version of the stack are you using?

Hi Lesio,

Thanks for the response. I'm using stack version 8.18.0 and OpenCTI version 6.6.14. Could you help out please?

Hello Community,

Just checking in to see if anyone might have insights on this issue. I’m still facing challenges with the OpenCTI and Elastic SIEM integration.

If anyone has experience or suggestions, your support would be greatly appreciated!

Thanks in advance :folded_hands:

Hi Vishag,

I'm not the right person to guide you about it, as I don't have the knowledge. I thought that the appropriate team would pick up this thread. I just forwarded the link to private channels :crossed_fingers:

Hey Lesio,

Thank you for the response and for forwarding the link to the relevant channels — really appreciate your help! :folded_hands:

I'm now in a state where:

I've installed the OpenCTI connector agent on the host machine.
The agent looks healthy and is receiving agent logs (attached screenshot).
But the agent is not ingesting any IOCs.
Is there anything specific I should configure in Elastic for this? Like configuring an index for enrichment, or anything like that? If so, what criteria do I need to consider?

Hi Vishag,

Regarding this:

I've installed the OpenCTI connector agent on the host machine.

I don't think this is necessary; the OpenCTI integration makes requests to the GraphQL API directly.

Is there anything specific I should configure in Elastic for this? Like configuring an index for enrichment, or anything like that? If so, what criteria do I need to consider?

No, there is no extra configuration needed.

If the OpenCTI integration looks healthy and you cannot see any data ingested into Elastic, I would start by checking everything around the integration and the agent itself.

  • Config parameters such as the URL and the credentials.

  • Enable the option Enable request tracing in the integration config, and after the integration has run for a while, generate an agent diagnostics bundle. In that diagnostics bundle, you can check the interesting logs in the logs/elastic-agent/cel folder, where there should be a trace of every API request and response; it is very helpful for checking whether the API is sending valid data to the integration.

  • I'd also check the agent logs in that diagnostics, looking for any error related to the integration.
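As an added example (not from this thread, not part of the Elastic integration or OpenCTI), the first bullet above, checking the URL and credentials, can be done independently of the agent with a small script. It assumes the OpenCTI GraphQL endpoint at `<URL>/graphql` with `Authorization: Bearer <token>` and the `about { version }` health query that OpenCTI's own pycti client uses; the verdict strings are my own.

```python
"""Verify the OpenCTI URL and API token the Elastic integration is configured with.
Assumptions: GraphQL at <URL>/graphql, Bearer-token auth, `about { version }` query."""
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

HEALTH_QUERY = "query { about { version } }"  # same query pycti uses for its health check


def classify_response(status: int, body: bytes) -> Tuple[bool, str]:
    """Map an HTTP status and raw body to (ok, verdict) so each failure mode is distinguishable."""
    if status in (401, 403):
        return False, f"HTTP {status}: token rejected; check the API token and its user's permissions"
    if status != 200:
        return False, f"HTTP {status}: unexpected status; check scheme, host, port and path of the URL"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "HTTP 200 but body is not JSON; URL likely points at the web UI or a proxy, not /graphql"
    if not isinstance(doc, dict):
        return False, "HTTP 200 but JSON is not an object; not a GraphQL response"
    if doc.get("errors"):
        msgs = "; ".join(str(e.get("message", "?")) for e in doc["errors"])
        return False, f"GraphQL errors: {msgs}"
    version = ((doc.get("data") or {}).get("about") or {}).get("version")
    if not version:
        return False, "No data.about.version in response; not an OpenCTI GraphQL endpoint?"
    return True, f"OpenCTI {version} reachable and token accepted"


def http_post(url: str, token: str, query: str) -> Tuple[int, bytes]:
    """Default transport (standard library only); HTTPError is turned into (status, body)."""
    payload = json.dumps({"query": query}).encode()
    req = urllib.request.Request(url, data=payload, method="POST", headers={
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Bearer {token}",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def check_opencti(base_url: str, token: str, post: Callable = http_post) -> Tuple[bool, str]:
    """Run the health query against <base_url>/graphql; `post` is injectable for offline tests."""
    status, body = post(base_url.rstrip("/") + "/graphql", token, HEALTH_QUERY)
    return classify_response(status, body)


if __name__ == "__main__":
    import os, sys
    ok, verdict = check_opencti(os.environ["OPENCTI_URL"], os.environ["OPENCTI_TOKEN"])
    print(verdict)
    sys.exit(0 if ok else 1)
```

Run it with `OPENCTI_URL` and `OPENCTI_TOKEN` set to exactly the values given to the integration; a non-zero exit means the integration will fail in the same way, before any Elastic-side settings are involved.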