connectors icon indicating copy to clipboard operation
connectors copied to clipboard
verified publisher icon OpenCTI-Platform

[IntelMQ] Create the connector

Open 8ear opened this issue 4 years ago • 3 comments

Problem to Solve

OpenCTI should be the new main IoC storage application, therefore a I think it should be a must have to get an IntelMQ connector. So that all parser and ingestor from IntelMQ can be used in OpenCTI with only one connector.

Current Workaround

Proposed Solution

Create a Connector for IntelMQ. So that we can ingest IntelMQ data to OpenCTI.

Additional Information

Link: https://github.com/certtools/intelmq https://intelmq.readthedocs.io/en/latest/user/ecosystem.html At the moment the following output bots exists: Output Bots AMQP Topic Blackhole Elasticsearch Output Bot File Files McAfee Enterprise Security Manager MISP Feed MISP API MongoDB Redis Request Tracker REST API SMTP Output Bot SQL STOMP TCP Touch UDP

Perhaps there is a way to use one of them directly. Without a huge effort.

8ear avatar Mar 28 '21 19:03 8ear

OpenCTI Stream Import Connectors look interesting for this purpose, as IntelMQ is stream-based. When you need to query something stateful, we could use a database as intermediate (https://intelmq.readthedocs.io/en/latest/user/eventdb.html)

ghost avatar Jun 28 '21 08:06 ghost

In my opinion using the EventDB might even be the better (more performant) approach than pushing all IOCs with no or little context into OpenCTI. In the end you could end up with a lot of IOCs in OpenCTI which slow everything down.

To still be able to correlate observables with the data from IntelMQ it would only an Internal Enrichment Connector do a simple correlation. Any other thoughts @SamuelHassine ? Or would simply pushing everything into OpenCTI create no performance impacts at all?

nor3th avatar Jul 01 '21 19:07 nor3th

The approaches serve different use-cases.

When pushing data directly from IntelMQ to OpenCTI, the user profits of IntelMQ's various possibilities of fetching (low-volume, high-quality) data feeds. That extends OpenCTI's native connectors' possibilities, probably also meaning that less coding-work needs to be done here for OpenCTI, as the user can always use IntelMQ for more complex data-fetching operations.

Using a database as an intermediate broker allows to store much more data without the need to ingest it directly into OpenCTI. The data just waits to be correlated. For the technology part, IntelMQ can currently push to some databases, the most popular ones are Elasticsearch and PostgreSQL, see https://intelmq.readthedocs.io/en/latest/user/bots.html (section "Outputs")

We can invest some time into this topic (coding, testing, documentation), but not in the next few months.

ghost avatar Jul 02 '21 13:07 ghost