Hi Team,
I am currently working on the deployment of OpenCTI (On-Prem) and its integration with Elastic SIEM (hosted on AWS Cloud) to enable alerting based on IOC matches. To optimize storage consumption on AWS, I am considering ingesting only the necessary IOCs, for example only those IOCs with a score of 50 or above.
Could anyone suggest a solution to achieve this? Would leveraging an Elasticsearch data ingestion pipeline between OpenCTI and Elastic SIEM be a viable option to handle this filtration more efficiently?
Looking forward to your insights.
Howdy,
Disclaimer: I'm not an OpenCTI or Elastic guru, but I have dealt with OpenCTI stream connectors a bit.
I'm assuming you're using the OpenCTI stream connector for Elastic.
Ref: connectors/stream/elastic at master · OpenCTI-Platform/connectors · GitHub
When you set up or update Elastic's stream, enter the criteria you wish to filter on, including the desired score thresholds. This will limit what is sent to the stream and Elastic.
Ref: Connectors - OpenCTI Documentation
The only caveat for this would be if an IOC falls below the threshold, you may not get "score updated" activity in the stream.
Hope this helps,
Darren
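To make the threshold filter and the caveat above concrete, here is a small added example (not code from OpenCTI, the Elastic stream connector, or either poster). It simulates a consumer sitting between an OpenCTI live stream and a SIEM: indicators whose `x_opencti_score` is at or above 50 are indexed, and an indicator that was previously forwarded but whose score later drops below the threshold (or that is deleted) is retired rather than silently dropped, so the SIEM is not left alerting on a stale IOC. The event shapes (`create`/`update`/`delete` paired with a STIX object) are a simplified assumption about the stream format, and the sample events are constructed for the example.

```python
import json

SCORE_THRESHOLD = 50  # the "score 50 or above" rule from the question

# Constructed sample events approximating OpenCTI live-stream messages.
# Each entry is (event_type, stix_object). x_opencti_score is OpenCTI's
# STIX extension field; the overall shape is simplified (assumption).
SAMPLE_EVENTS = [
    ("create", {"id": "indicator--1", "type": "indicator",
                "pattern": "[ipv4-addr:value = '198.51.100.10']",
                "x_opencti_score": 80}),
    ("create", {"id": "indicator--2", "type": "indicator",
                "pattern": "[domain-name:value = 'example.test']",
                "x_opencti_score": 20}),
    # score of indicator--1 is later lowered below the threshold
    ("update", {"id": "indicator--1", "type": "indicator",
                "pattern": "[ipv4-addr:value = '198.51.100.10']",
                "x_opencti_score": 30}),
    ("delete", {"id": "indicator--1", "type": "indicator",
                "pattern": "[ipv4-addr:value = '198.51.100.10']",
                "x_opencti_score": 30}),
    # non-indicator objects are never forwarded to the SIEM
    ("create", {"id": "malware--1", "type": "malware", "name": "ExampleRAT"}),
]


def parse_sse_data(line):
    """Parse a single SSE 'data: {...}' line into a Python dict (hypothetical helper)."""
    prefix = "data:"
    if not line.startswith(prefix):
        raise ValueError("not an SSE data line")
    return json.loads(line[len(prefix):].strip())


def score_of(obj):
    """Return the OpenCTI score of a STIX object, defaulting to 0 when absent."""
    return int(obj.get("x_opencti_score", 0))


def decide(event_type, obj, forwarded, threshold=SCORE_THRESHOLD):
    """Decide what the SIEM should do with one stream event.

    Returns 'index'  -> write/refresh the IOC in the SIEM,
            'retire' -> remove a previously forwarded IOC,
            'ignore' -> nothing to do.
    `forwarded` tracks ids already sent, so score drops can be retired.
    """
    if obj.get("type") != "indicator":
        return "ignore"
    oid = obj["id"]
    if event_type == "delete":
        if oid in forwarded:
            forwarded.discard(oid)
            return "retire"
        return "ignore"
    if score_of(obj) >= threshold:
        forwarded.add(oid)
        return "index"
    # Below threshold: retire it if we had forwarded it earlier, otherwise skip.
    if oid in forwarded:
        forwarded.discard(oid)
        return "retire"
    return "ignore"


def process(events, threshold=SCORE_THRESHOLD):
    """Run the filter over a sequence of (event_type, stix_object) pairs."""
    forwarded = set()
    actions = []
    for event_type, obj in events:
        actions.append((obj["id"], decide(event_type, obj, forwarded, threshold)))
    return actions


if __name__ == "__main__":
    for object_id, action in process(SAMPLE_EVENTS):
        print(f"{object_id}: {action}")
```

The `forwarded` set is the piece the stream-side filter alone cannot give you: if the stream only emits objects that currently match the filter, an indicator whose score falls below 50 simply stops appearing, and the consumer has to remember what it already sent in order to retire it. In practice that state would live in a small database rather than in memory.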