Priority : High
I'm currently working on integrating OpenCTI with Elastic SIEM. But when I look for documents, I get different guidance from OpenCTI and Elastic (providing both links below). I'm confused and stuck as to which is the right way to integrate it exactly. I've applied the configurations, but it is still not pulling data into SIEM. Can anyone suggest the exact way to integrate OpenCTI with Elastic SIEM?
Specifically, I’m looking to:
Pull IOCs (e.g., IPs, domains, hashes) from OpenCTI.
Ingest these into Elastic SIEM as enrichment data.
Correlate them with logs/events ingested from various sources in the SIEM.
Generate alerts when matches are found.
If anyone has experience with this setup or could point me toward best practices for enabling this integration, it would be greatly appreciated.
I'm not the right person to guide you about it, as I don't have the knowledge. I thought that the appropriate team would pick up this thread. I just forwarded the link to private channels.
Thank you for the response and for forwarding the link to the relevant channels — really appreciate your help!
I'm now in a state where:
I've installed the OpenCTI connector agent on the host machine.
The agent looks healthy and is receiving agent logs (screenshot attached).
But the agent is not ingesting any IOCs.
Is there anything specific I should configure in Elastic for this? Like configuring an index for enrichment, or anything similar? If so, what are the criteria I need to consider?
I've installed the OpenCTI connector agent on the host machine.
I don't think this is necessary; the OpenCTI integration makes requests to the GraphQL API directly.
Is there anything specific I should configure in Elastic for this? Like configuring an index for enrichment, or anything similar? If so, what are the criteria I need to consider?
No, there is no extra configuration needed.
If the OpenCTI integration looks healthy and you cannot see any ingested data into Elastic, I would start by checking everything around the integration and the agent itself.
Config parameters such as the URL and the credentials.
Enable the option Enable request tracing in the integration config, and after the integration runs for a while, generate agent diagnostics. In those diagnostics, you can check the logs in the logs/elastic-agent/cel folder, where there should be a trace of every API request and response; it is very helpful for checking whether the API is sending valid data to the integration.
I'd also check the agent logs in those diagnostics, looking for any error related to the integration.
While troubleshooting, I noticed that the GraphQL endpoint (https://opencti-********.com/public/graphql) was temporarily inaccessible but returned to normal after some time (screenshot attached). The connector agent is also experiencing instability in Elastic SIEM, occasionally switching to an unhealthy state. Kindly revert if you have any insights on this matter.
The screenshot from Elastic SIEM & OpenCTI Integration - #8 by Vishag_Learning indicates that there is a timeout reaching the OpenCTI GraphQL endpoint.
Can you run a curl from your agent 172-31-*-* to that OpenCTI GraphQL endpoint and check if you get a response? If there is no response, it's likely a network issue where the agent is unable to connect to the internet.
If you do get a successful response, does it take a long time? If so, I suggest increasing the HTTP Client Timeout setting in the Advanced Options.
I noticed that the GraphQL endpoint (https://opencti-********.com/public/graphql) was temporarily inaccessible but returned to normal after some time (screenshot attached).
I don't see that the endpoint has returned to being accessible (successful response) in your screenshots. I suggest you select the Enable request tracing option and collect agent diagnostics (Common problems | Elastic Docs), which now contain API request and response logs inside the logs/elastic-agent*/cel folder. You can check from there whether the response is successful (200 status) and also whether it sends any data.
@Vishag_Learning, please redact any sensitive content before posting from trace logs. Your API request has Auth Key, so I deleted your comment for now.
So, based on your API response, the error is:
It looks like the Elastic Agent is trying to connect to your OpenCTI endpoint, but is either failing to establish a connection or waiting for more than 30 seconds before failing.
To verify that it isn't a network issue, were you able to check whether the server/instance where you installed Elastic Agent is able to connect to the OpenCTI endpoint? Can you check if you get a successful API response using curl?
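A scripted version of the curl check asked for in the two replies above, added here as an example and not posted by anyone in the thread. It probes the OpenCTI GraphQL endpoint from the Elastic Agent host with the same 30-second limit the agent uses and translates curl's exit code into a verdict (timeout, blocked, DNS, TLS, auth); the placeholder URL, the token variable and the `{ about { version } }` query are assumptions.

```shell
#!/usr/bin/env sh
# Connectivity probe from the Elastic Agent host to the OpenCTI GraphQL endpoint.
# Added example for this thread, not Elastic or OpenCTI code. The URL and token
# below are placeholders; the 30s default mirrors the agent's HTTP client timeout.

# Map curl's exit code plus the HTTP status into a one-line verdict a responder
# can act on (network path vs. TLS vs. credentials).
classify_curl_result() {
  exit_code="$1"; http_code="$2"
  case "$exit_code" in
    0)
      case "$http_code" in
        200)     echo "ok: endpoint reachable, HTTP 200" ;;
        401|403) echo "auth: reachable but token rejected, HTTP $http_code" ;;
        *)       echo "http: reachable but unexpected status $http_code" ;;
      esac ;;
    6)  echo "dns: host name did not resolve from this host" ;;
    7)  echo "connect: connection refused or blocked (route, security group, NAT)" ;;
    28) echo "timeout: no response within limit, same symptom as the agent" ;;
    35|60) echo "tls: handshake or certificate problem" ;;
    *)  echo "curl exit $exit_code, see EXIT CODES in man curl" ;;
  esac
}

# Send a minimal GraphQL query (assumed: OpenCTI exposes 'about { version }')
# and never echo the token, since trace logs with the Auth Key must be redacted.
check_opencti_endpoint() {
  url="$1"; token="$2"; limit="${3:-30}"
  http_code=$(curl -sS -o /dev/null -w '%{http_code}' \
      --max-time "$limit" \
      -H "Authorization: Bearer $token" \
      -H 'Content-Type: application/json' \
      --data '{"query":"{ about { version } }"}' \
      "$url"); rc=$?
  classify_curl_result "$rc" "${http_code:-000}"
}

# Usage (placeholders):
#   OPENCTI_TOKEN='<redacted>' check_opencti_endpoint \
#       'https://opencti-example.invalid/graphql' "$OPENCTI_TOKEN" 30
```

Run it from the agent's EC2 instance, not from your workstation, since the question is whether that host's route to OpenCTI works.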
Thanks for the support. And no, I wasn't getting a response on curl. The issue was related to the network configuration of the EC2 instance where OpenCTI was deployed. It was initially using a NAT gateway for security, which restricted outbound connectivity.
After switching the network type to Internet Gateway, the integration started working as expected, and the IOCs are now being pulled into Elastic SIEM.