[Hygiene] Data Sync between 2 OpenCTI
Prerequisites
- [X] I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
- [X] I went through old GitHub issues and couldn't find anything relevant
- [X] I googled the issue and didn't find anything relevant
Description
I have installed the Hygiene connector on my OpenCTI platform, which is used to ingest data. The platform sends all the data to a second OpenCTI platform, and we have configured synchronization between the two platforms to send all data except for data tagged by Hygiene. Unfortunately, the tagged data is still being sent to the second platform because the connector does not have enough time to tag the data.
How is it possible to not synchronize data that is tagged by Hygiene?
I really don’t want the data tagged by Hygiene to end up on the second platform, because it is connected to my Splunk, which automatically creates alerts, and I don’t want to be alerted by false positives like 127.0.0.1.
Environment
- OpenCTI 5.7.2 (x2)
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Install Hygiene on OpenCTI 1
- Create a live stream on OpenCTI 1
- Configure ingestion on OpenCTI 2
- Add 127.0.0.1 indicator on OpenCTI 1
- See if 127.0.0.1 is present on OpenCTI 2
Additional information
Hello,
This will be possible using automation in the platform (5.11.0). Scenario would be:
- New observable / indicator => Hygiene => If not hygiene => Add label "stream"
Leverage the label "stream" in the OpenCTI stream.
Kind regards, Samuel
For the moment, the recommendation is to have better control of the incoming data.
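The difference between the two filtering approaches discussed in this issue (exclude what Hygiene tagged, versus forward only what an automation has explicitly labelled "stream" after Hygiene ran) can be shown on the consumer side. The following is an added example, not code from OpenCTI, the Hygiene connector or anyone in this thread. It replays constructed live-stream events in arrival order and applies both policies. Assumptions: the label name `hygiene`, the `labels` / `x_opencti_labels` keys, and the event shape are illustrative and not a specification of the OpenCTI stream format.

```python
"""Replay constructed OpenCTI live-stream events through two filter policies
to show why excluding a Hygiene label races the connector, while requiring a
label that is only added after Hygiene has run does not."""
import json

HYGIENE_LABEL = "hygiene"  # assumption: label applied by the Hygiene connector
STREAM_LABEL = "stream"    # label added by the proposed automation

# Constructed sample events (SSE "data" payloads) in the order OpenCTI 1
# would emit them. Field names are illustrative, not the real stream schema.
RAW_EVENTS = [
    # 1. 127.0.0.1 is created; Hygiene has not tagged it yet.
    '{"type":"create","data":{"id":"indicator--aaaa","type":"indicator",'
    '"name":"127.0.0.1","labels":[]}}',
    # 2. Hygiene tags it a moment later.
    '{"type":"update","data":{"id":"indicator--aaaa","type":"indicator",'
    '"name":"127.0.0.1","labels":["hygiene"]}}',
    # 3. A genuine indicator is created (203.0.113.10 is documentation space).
    '{"type":"create","data":{"id":"indicator--bbbb","type":"indicator",'
    '"name":"203.0.113.10","labels":[]}}',
    # 4. Hygiene left it alone, so the automation adds the "stream" label.
    '{"type":"update","data":{"id":"indicator--bbbb","type":"indicator",'
    '"name":"203.0.113.10","labels":["stream"]}}',
]


def labels_of(obj):
    """Collect labels from either key OpenCTI might use (assumption)."""
    return set(obj.get("labels", [])) | set(obj.get("x_opencti_labels", []))


def exclude_hygiene(obj):
    """Policy A: forward everything that is not tagged by Hygiene."""
    return HYGIENE_LABEL not in labels_of(obj)


def require_stream(obj):
    """Policy B: forward only objects the automation explicitly cleared."""
    return STREAM_LABEL in labels_of(obj)


def run(policy, raw_events=RAW_EVENTS):
    """Return the (event type, name) pairs a consumer using `policy` would
    hand to the second platform, in order."""
    forwarded = []
    for raw in raw_events:
        event = json.loads(raw)
        obj = event["data"]
        if policy(obj):
            forwarded.append((event["type"], obj["name"]))
    return forwarded


def names_reaching_downstream(policy):
    """Names that end up on the second platform under `policy`, assuming the
    downstream consumer upserts on both create and update events."""
    return {name for _kind, name in run(policy)}


if __name__ == "__main__":
    print("exclude hygiene:", run(exclude_hygiene))
    print("require stream :", run(require_stream))
```

With the exclusion policy the first event (the untagged create of 127.0.0.1) is forwarded before Hygiene has run, and the later tagging update is dropped, so the second platform never learns the object was a false positive. With the allow-list policy nothing reaches the second platform until the automation has added "stream", which by construction happens only after Hygiene has had its turn; the downstream consumer only needs to treat an update event for an unknown object as an upsert.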