
OPENCTI & HARFANGLAB : A CONNECTOR TO ENRICH CTI DATA AND OPTIMIZE INCIDENT
RESPONSE

Frédéric Basler · Published in Filigran Blog · 10 min read · Apr 15, 2024

PRESENTATION OF THE HARFANGLAB CONNECTOR : A TECHNICAL APPROACH FOR ENHANCED
CYBERSECURITY

In the demanding universe of cybersecurity, every moment counts. This implies
not only the need to react swiftly in the face of evolving threats, but also to
have effective tools that streamline investigations and response efforts.

Explore how integrating a connector between HarfangLab and OpenCTI speeds up
threat detection, promotes collaboration among teams, and strengthens data
protection while improving the correlation of sensitive information.


BENEFITS OF THE OPENCTI X HARFANGLAB STREAM CONNECTOR

The new connector HarfangLab x OpenCTI automates the flow of data between
OpenCTI and HarfangLab, enhancing efficiency and reducing the need for manual
intervention.

Here are four benefits:

 * Enhanced Detection Capabilities : The connector strengthens HarfangLab’s
   threat detection by leveraging an extensive repository of high-quality
   indicators from OpenCTI. This collaboration ensures access to a comprehensive
   and varied set of indicators, enhancing the accuracy of threat identification
   and reducing the risk of false positives.
 * Speed and Automation : The HarfangLab EDR connector facilitates the automatic
   and real-time transmission of indicators from OpenCTI. This streamlines the
   detection process, ensuring that critical threat intelligence is rapidly
   communicated and acted upon.
 * Intelligence-Led Response : Alerts from HarfangLab that arrive in OpenCTI are
   placed in the context of OpenCTI's complete threat knowledge base, giving
   analysts what they need to evaluate a threat. Analysts also have access to
   the full spectrum of OpenCTI functionalities, including case management and
   automation rules, which supports efficient incident response.
 * Practicality and Integration : This integration offers a seamless experience
   for data exchange between OpenCTI and HarfangLab, significantly reducing the
   manual workload for analysts. This collaboration frees up valuable time for
   security experts to focus on more critical tasks.

In summary, the creation of an OpenCTI x HarfangLab Stream connector enhances
the organization’s security posture by enabling faster and more precise threat
detection, effective collaboration between teams, and process automation for a
more efficient response to security incidents.




A CLOSER LOOK AT THE OPENCTI X HARFANGLAB STREAM CONNECTOR


WHAT IS A STREAM CONNECTOR ?

Connectors are the cornerstone of the OpenCTI platform. There are 5 different
types of them, but we will focus on the Stream connector, designed to facilitate
real-time data transfer between OpenCTI and other systems or platforms.

Connectors are developed in Python due to Python’s popularity and simplicity,
making them particularly accessible for community uptake, especially among
cybersecurity analysts.

A Stream Connector integrates into the platform’s data flow, where it operates
continuously to process incoming events. This dynamic and filterable Stream
allows real-time consumption of relevant data from OpenCTI, such as indicators
of compromise (IoCs) and detection rules in YARA, SIGMA, and STIX formats. This
information is then routed to third-party platforms such as SIEMs, XDRs, or
EDRs, enhancing their ability to detect and respond to emerging threats.


HOW DOES THE OPENCTI X HARFANGLAB STREAM CONNECTOR WORK ?



In this section, we will explore in detail the different capabilities offered by
this connector. Each point details an essential functionality that will help
better understand how the HarfangLab Stream connector works.

 * Creation of a Custom Stream: Configuring a custom Stream on OpenCTI allows
   listening to the platform's "general" Stream while applying specific filters
   to more precisely target the relevant data to be processed.
 * Connector Configuration: The connector is configured with environment
   variables exposed to the user, offering an optimal experience between
   HarfangLab and OpenCTI. Refer to the connector's README file for details.
 * Event and Enrichment: Once the custom Stream is created and the connector is
   launched, it monitors all events related to the Stream and directly enriches
   the HarfangLab platform based on Indicators of Compromise defined by the
   filters.
 * Data Collection: When the "import_security_events_as_incidents" variable is
   set to "true," the connector starts collecting essential data generated by
   HarfangLab, such as security alerts, incident events, and information on
   detected threats.
 * Data Transformation: The collected data is then transformed and prepared for
   transmission to OpenCTI. This includes converting the data to the STIX 2.1
   serialization format, filtering out irrelevant information, and enriching the
   data with additional metadata as needed, as well as any related relationships
   between different entities.
 * Real-time Transfer: The prepared data is transmitted in real-time to OpenCTI
   via the Stream connector, ensuring that the information is available for
   analysis and correlation as soon as it is generated by HarfangLab.
 * Receipt and Processing by OpenCTI: Once the data is received, OpenCTI
   integrates it into its system and processes it according to pre-established
   management rules, which involves creating incidents for each alert identified
   by HarfangLab as well as responding to incidents. The user will always have
   the option to correlate with other threat data or enrich with additional
   intelligence.
 * Usage Limitations:
   - Filters are recommended at the custom Stream level in OpenCTI, including
   criteria such as entity type, detection, revocation, and pattern type (Yara /
   Sigma / Stix).
   - The user must not manually modify the indicators or observables listed in
   the from_OpenCTI lists.
   - Note that some Sigma rules may be incompatible with the HarfangLab API,
   which rejects them with a "Deserialization errors" (invalid field) error.
   - For Yara and Sigma rules, other options, such as operating system, MITRE
   tactics, and MITRE techniques, are handled automatically by HarfangLab from
   the rules themselves.
   - Regarding IoCs, HarfangLab only supports certain types: domain name,
   hostname, ipv4-addr, ipv6-addr, URL, hash (SHA256, MD5, SHA-1, SHA-512), and
   artifact.

In summary, the OpenCTI x HarfangLab Stream connector facilitates continuous and
bidirectional data exchange between HarfangLab and OpenCTI, allowing for
hierarchical organization of information for effective analysis and agile
response to security threats.




USE CASE STUDY : INFORMATION FLOW BETWEEN OPENCTI AND HARFANGLAB

This use case study shows how data flows between OpenCTI and HarfangLab, and
how that flow forms the core of the information exchange between the two.


PREREQUISITES :

Before presenting this use case, a few prerequisites are necessary:

Installing the HarfangLab Agent:

 * The user must follow the documentation provided by HarfangLab to install and
   configure the agent correctly on the target hosts.
 * Without the agent, importing alerts and threats into OpenCTI will not work:
   if nothing is detected in HarfangLab, nothing is created on the OpenCTI
   side.

Creation and Configuration of a Custom Data Stream:

In OpenCTI - Data / Data sharing / Live streams:

 * Create a new live stream using the "+" button.
 * Define the name and add these filters:
   - Revoked = No (this filter ensures that only active indicators are
   considered).
   - Is detected = Yes (this lets you control which indicators are sent to
   HarfangLab; by default, a newly created indicator has detection set to
   false).
   - Entity type = Indicator (only events on indicators are considered).
   - Pattern type = stix or sigma or yara (it is important to specify these 3
   types of patterns).
 * Once the live stream is created and configured, you will have a unique
   identifier for the connector.
 * You will need to place this unique identifier in the environment variable
   named "LIVE_STREAM_ID". This procedure is crucial to properly link the
   connector to the custom Stream with the correct filters.
 * Then start the stream and check that its status is "started".



Configuration of Environment Variables :

opencti:
  url: 'http://localhost:8080'
  token: 'ChangeMe'

connector:
  id: 'ChangeMe'
  type: 'STREAM'
  live_stream_id: 'ChangeMe' # ID of the live stream created in the OpenCTI UI
  live_stream_listen_delete: true
  live_stream_no_dependencies: false # Necessary to detect observables in the stream
  name: 'HarfangLab'
  scope: 'harfanglab' # Reserved:
  confidence_level: 80 # From 0 (Unknown) to 100 (Fully trusted)
  log_level: 'info'

harfanglab:
  url: 'ChangeMe' # The URL of the Harfang Lab Server
  ssl_verify: true
  token: 'ChangeMe' # Token for bearer auth (if set, will ignore basic auth params)
  login: 'ChangeMe' # Login for basic auth
  password: 'ChangeMe' # Password for basic auth
  source_list_name: 'from_OpenCTI'
  remove_indicator: true
  rule_maturity: 'stable' # Available : stable or testing
  import_security_events_as_incidents: true
  import_threats_as_case_incidents: true # If true then "import_security_events_as_incidents" must be true
  import_security_events_filters_by_status: 'new, investigating' # Filters available : new, investigating, false_positive, closed
  import_filters_by_alert_type: 'yara, sigma, ioc' # Filters available : yara, sigma, ioc
  default_markings: 'TLP:CLEAR' # Markings available : TLP:CLEAR - TLP:GREEN - TLP:AMBER - TLP:RED
  default_score: 50

For more information on individual environment variables, I invite you to
consult the connector's README.

Additional Resources:

 * HarfangLab Connector GitHub Link: HarfangLab Connector
 * How to Deploy Connectors: OpenCTI Documentation
 * What is Data Streaming: OpenCTI Reference


USE CASE STEPS:

 1. Sending Yara, Sigma Rules, and IOCs from OpenCTI to HarfangLab :

 * Once the stream is configured, OpenCTI regularly sends YARA rules, Sigma
   rules, and Indicators of Compromise (IOCs) to HarfangLab via the custom data
   stream.
 * One detail, however: for IOCs of type stix, the connector transforms the
   data to match HarfangLab's format before sending it.
 * Let’s take an example:

Let's create a new URL indicator with a STIX pattern, using this pattern:

[url:value = 'https://threatexample.com']

Here's what happens on the previously configured stream. Three types of events
exist, emitted when an indicator is created, updated, or deleted:

— Event "CREATE" (stream payload shown as a screenshot in the original post)

— Event "UPDATE" (screenshot in the original post)

— Event "DELETE" (screenshot in the original post)

 * As you can see, it is thanks to these events triggered on the stream and the
   information retrieved that we can, with the connector, process the
   information and transfer it to HarfangLab, whether for creation, update, or
   deletion.
 * Also note the importance of properly configuring the stream filters: the
   connector does not process every pattern type that exists on the OpenCTI
   platform, only the pattern types valid at HarfangLab (Yara / Sigma / STIX
   for IOCs).
 * If you do not want to completely remove the IOCs at the HarfangLab level, the
   “remove_indicator” environment variable set to False allows you to disable
   the IOC instead of deleting it.

2. Once the Connector is Successfully Started:

 * At the launch of the connector, it will automatically create a “from_OpenCTI”
   list at HarfangLab in the “Threat Intelligence” section for Yara rules, Sigma
   rules, and IOCs, and if these lists already exist, then the connector will
   automatically retrieve the identifiers of these lists and ingest the data
   into them :



3. Receiving Data by the HarfangLab EDR Platform:

 * Rules and Stix indicators from OpenCTI are integrated into the HarfangLab EDR
   platform:


 * It is strongly discouraged to create, modify, or delete entries directly in
   the “from_OpenCTI” lists, as this may generate errors that can, in the worst
   case, stop the connector.
 * Note also that the connector handles not only Stix indicators but also the
   observables related to each indicator. Because HarfangLab cannot distinguish
   an indicator from an observable, the “comment” section carries the metadata
   needed to find the main indicator. If you delete the main indicator, all
   observables related to it are also correctly deleted on the HarfangLab side.
 * One further particularity: the connector also handles “complex” Stix
   indicators with AND and OR. However, no differentiation is possible on the
   HarfangLab side; each comparison is created as a separate IOC.
 * Example Stix Indicator with AND and OR :

[url:value = 'http://threatexample1.com' OR url:value = 'http://threatexample2.com' AND url:value = 'http://threatexample3.com']

 * At the OpenCTI level :


 * At the HarfangLab level:
   - The three IOCs are created, and in the “comment” section we find the
   OpenCTI STIX standard identifier as indicator_ID.
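To make the CREATE/UPDATE/DELETE handling, the “remove_indicator” switch and the flattening of complex patterns concrete, here is an added Python example (not the connector's own code): it applies the recommended stream filters, splits a STIX pattern into its atomic comparisons, keeps only the observable types HarfangLab accepts, and stores each one as an IOC row tagged with indicator_ID in its comment. The OpenCTI field names (revoked, x_opencti_detection, pattern_type), the type-name mapping and the in-memory FromOpenCtiList stand-in are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Recommended stream filters: Revoked = No, Is detected = Yes, pattern type in this set.
ALLOWED_PATTERN_TYPES = {"stix", "sigma", "yara"}
# Observable types the post lists as accepted by HarfangLab for IoCs; the
# right-hand names are a constructed illustration, not HarfangLab's own enum.
SUPPORTED_TYPES = {"domain-name": "domain_name", "hostname": "hostname",
                   "ipv4-addr": "ipv4", "ipv6-addr": "ipv6", "url": "url",
                   "file": "hash", "artifact": "artifact"}
# One atomic comparison "<stix-type>:<property> = '<value>'"; AND/OR are dropped,
# so a complex pattern becomes several plain IOCs, as the post describes.
COMPARISON = re.compile(r"([a-z0-9-]+):((?:[\w.-]|'[^']*')+)\s*=\s*'([^']*)'")

@dataclass
class Ioc:
    ioc_type: str
    value: str
    comment: str      # "indicator_ID=<stix id>" lets the parent indicator be found
    enabled: bool = True

def passes_stream_filters(indicator: dict) -> bool:
    """Assumed OpenCTI field names for the three recommended stream filters."""
    return (not indicator.get("revoked", False)
            and indicator.get("x_opencti_detection", False)
            and indicator.get("pattern_type") in ALLOWED_PATTERN_TYPES)

def split_stix_pattern(pattern: str) -> list[tuple[str, str, str]]:
    """Return (stix_type, property, value) for every comparison in the pattern."""
    return [m.groups() for m in COMPARISON.finditer(pattern)]

def indicator_to_iocs(indicator: dict) -> list[Ioc]:
    """Flatten one STIX-pattern indicator into HarfangLab-style IOC rows."""
    return [Ioc(SUPPORTED_TYPES[t], v, f"indicator_ID={indicator['id']}")
            for t, _prop, v in split_stix_pattern(indicator["pattern"])
            if t in SUPPORTED_TYPES]

class FromOpenCtiList:
    """Constructed in-memory stand-in for the 'from_OpenCTI' IOC list."""
    def __init__(self) -> None:
        self.rows: dict[str, list[Ioc]] = {}  # indicator id -> its IOC rows

def handle_event(event: str, indicator: dict, store: FromOpenCtiList,
                 remove_indicator: bool = True) -> int:
    """Apply one stream event for a stix-pattern indicator; return rows touched."""
    if indicator.get("pattern_type") != "stix":
        return 0   # yara/sigma go to the rule lists and are out of scope here
    ind_id = indicator["id"]
    if event == "delete":   # applied as-is, whatever the indicator's current flags
        rows = store.rows.get(ind_id, [])
        if remove_indicator:
            store.rows.pop(ind_id, None)    # remove_indicator: true -> delete rows
        else:
            for row in rows:                # remove_indicator: false -> disable rows
                row.enabled = False
        return len(rows)
    if event in ("create", "update") and passes_stream_filters(indicator):
        store.rows[ind_id] = indicator_to_iocs(indicator)  # replace derived rows
        return len(store.rows[ind_id])
    return 0
```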



4. Security Event Detection and Threat Detection :

When the HarfangLab agent detects suspicious activity matching the rules and
IOCs, it generates a “Security event” for each of these detections, and also
automatically raises a threat for its detections.

Incident Creation on OpenCTI :

 * The connector will automatically generate incidents on the OpenCTI platform
   for each “Security event” detected by HarfangLab.
 * Additionally, it will assign a unique external reference to each “Security
   event”.


 * Each time the connector creates a new indicator on OpenCTI, a sighting will
   be automatically generated, indicating the number of occurrences linked to
   the number of detected “Security events”.



Incident Response Creation on OpenCTI :

 * For each identified threat, incident responses are automatically generated on
   OpenCTI. These incident responses gather all relevant information about the
   detected threat, including details about the host concerned as well as all
   associated “Security events”.
 * Here is an example of incident responses:


 * We can also benefit from a more intuitive visual representation at the
   knowledge level.
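The import path in the other direction (Security events becoming incidents, sightings and incident responses), as an added Python example that is not the connector's code: constructed Security events are filtered the way the import_security_events_filters_by_status and import_filters_by_alert_type settings would filter them, one incident with a unique external reference is produced per event, a sighting count is computed per indicator, and, when threats are imported as case incidents, hosts and events are grouped per threat. The event field names and the external reference format are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of HarfangLab "Security events"; the field names are
# assumptions made for this illustration, not the HarfangLab API schema.
SECURITY_EVENTS = [
    {"id": "evt-1001", "status": "new", "alert_type": "ioc", "host": "ws-042",
     "rule": "https://threatexample.com", "indicator_id": "indicator--1", "threat_id": "thr-9"},
    {"id": "evt-1002", "status": "new", "alert_type": "ioc", "host": "srv-07",
     "rule": "https://threatexample.com", "indicator_id": "indicator--1", "threat_id": "thr-9"},
    {"id": "evt-1003", "status": "closed", "alert_type": "sigma", "host": "ws-042",
     "rule": "Suspicious PowerShell", "indicator_id": "indicator--2", "threat_id": "thr-9"},
    {"id": "evt-1004", "status": "investigating", "alert_type": "yara", "host": "ws-042",
     "rule": "Ransom_Note", "indicator_id": "indicator--3", "threat_id": "thr-10"},
]

@dataclass
class Incident:
    name: str
    external_id: str    # unique external reference back to the HarfangLab event
    host: str
    indicator_id: str
    threat_id: str
    marking: str

def import_security_events(events, status_filter=("new", "investigating"),
                           alert_types=("yara", "sigma", "ioc"),
                           default_marking="TLP:CLEAR", threats_as_cases=True):
    """Mirror the connector's import step. Returns (incidents, sightings, cases):
    one Incident per accepted Security event, a sighting count per indicator and,
    when threats_as_cases is set, one case per threat grouping its hosts/events."""
    incidents = [
        Incident(name=f"HarfangLab {ev['alert_type']} alert: {ev['rule']} on {ev['host']}",
                 external_id=f"harfanglab-security-event-{ev['id']}",  # constructed format
                 host=ev["host"], indicator_id=ev["indicator_id"],
                 threat_id=ev["threat_id"], marking=default_marking)
        for ev in events
        if ev["status"] in status_filter and ev["alert_type"] in alert_types]
    # The sighting on each indicator carries the number of Security events it raised.
    sightings = dict(Counter(inc.indicator_id for inc in incidents))
    cases = defaultdict(lambda: {"hosts": set(), "events": []})
    if threats_as_cases:   # only meaningful when incidents are imported, as the config comment notes
        for inc in incidents:
            cases[inc.threat_id]["hosts"].add(inc.host)
            cases[inc.threat_id]["events"].append(inc.external_id)
    return incidents, sightings, dict(cases)
```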





ABOUT HARFANGLAB

harfanglab.io


HARFANGLAB EDR, ADVANCED PROTECTION AGAINST CYBER ATTACKS



HarfangLab EDR (Endpoint Detection and Response) stands out as an advanced
solution in the field of cybersecurity, offering proactive and reactive
protection against cyberattacks targeting computers and servers. This platform
is CSPN certified by ANSSI (National Cybersecurity Agency of France), thus
attesting to its reliability and compliance with the highest security standards.

HarfangLab EDR offers various complementary detection engines: by signature,
IOC, behavioral, or even an engine specifically developed to counter ransomware,
as well as an AI-powered engine. This combination of technologies, installed
directly in deployed agents, allows for effective detection close to threats
while minimizing false positives.

In addition to its performance in detection and response, and its
ultra-lightweight agents, HarfangLab EDR offers features for isomorphic
operation in public, private, and hybrid cloud environments, for all operating
systems.

Let us know what you think of it in our Community Slack channel!

Tags: Cybersecurity, Threat Intelligence, CTI, Open Source