Threat intel guide - V1D1AN/S1EM Wiki

Threat intel

With S1EM, you have two tools for threat intel: MISP and OpenCTI.

MISP

When you have changed the default password in MISP, you see this interface:

Misp2

Now you need to enable feeds to get information from open sources. Go to Sync Actions, then List feeds:

Misp3

Select all feeds (1) and click on Enable Selected (2):

Misp4

Click Yes for Enable Feed(s), then click Fetch and store all feed data (3).

Go to Administration, then Jobs, to verify the synchronization:

Misp5

You should see the jobs starting:

Misp_jobs

Now you should have events in MISP:

Misp_events

S1EM already includes rules that match your logs against the IOCs from MISP:

Detection Ioc
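To show what such IOC matching does, here is an added example (not S1EM's own rules, which run inside the SIEM). It indexes a few constructed MISP attributes, a simplified form of the attribute export with event id, type and value, and checks constructed log lines against them, handling the edge cases a rule has to cover: an IP inside a CIDR range, and a hostname that is a subdomain of a flagged domain.

```python
import ipaddress
import re

# Constructed MISP attributes (event id, type, value) on test ranges only; MISP accepts CIDR in ip-dst.
MISP_ATTRIBUTES = [
    {"event_id": "42", "type": "ip-dst", "value": "198.51.100.23"},
    {"event_id": "42", "type": "domain", "value": "bad-update.example"},
    {"event_id": "57", "type": "md5", "value": "44d88612fea8a8f36de82e1278abb02f"},
    {"event_id": "57", "type": "ip-dst", "value": "203.0.113.0/24"},
]
LOG_LINES = [  # constructed syslog-like lines
    "fw: ACCEPT src=10.0.0.5 dst=198.51.100.23 dport=443",
    "dns: query www.bad-update.example from 10.0.0.5",
    "av: file report.pdf.exe md5=44d88612fea8a8f36de82e1278abb02f",
    "fw: ACCEPT src=10.0.0.7 dst=203.0.113.77 dport=80",
]
# Tokens worth looking up: hex hashes (md5/sha1/sha256), IPv4 addresses, hostnames.
TOKEN_RE = re.compile(r"[0-9a-f]{32,64}|\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,}", re.I)

def build_index(attributes):
    # Exact values go in a dict; CIDR ranges are kept for a per-address scan.
    exact, networks = {}, []
    for attr in attributes:
        value = attr["value"].lower()
        if attr["type"] in ("ip-src", "ip-dst") and "/" in value:
            networks.append((ipaddress.ip_network(value, strict=False), attr))
        else:
            exact[value] = attr
    return exact, networks

def match_line(line, exact, networks):
    # Return the MISP attributes whose value occurs in one log line.
    hits = []
    for token in (t.lower() for t in TOKEN_RE.findall(line)):
        try:
            addr = ipaddress.ip_address(token)
            hits.extend(a for net, a in networks if addr in net)
            parts = [token]           # an IP matches only itself
        except ValueError:            # hash or hostname; a hostname also matches
            parts = token.split(".")  # a parent domain (www.x.example -> x.example)
        for i in range(max(1, len(parts) - 1)):
            if ".".join(parts[i:]) in exact:
                hits.append(exact[".".join(parts[i:])])
                break
    return hits

def scan_logs(lines, attributes):
    # One alert per (log line, matching attribute) pair.
    exact, networks = build_index(attributes)
    return [{"event_id": a["event_id"], "type": a["type"], "value": a["value"], "log": line}
            for line in lines for a in match_line(line, exact, networks)]
```

Each alert carries the MISP event id, so an analyst can pivot from the SIEM hit back to the MISP event that published the indicator.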

You can add your own feeds to get other indicators of compromise.

AlienVault OTX is a good source of feeds. S1EM only includes the basic ones.

OpenCTI

After you log in to OpenCTI, you arrive at the homepage:

OpenCTI

Just after S1EM is deployed, OpenCTI pulls information from MITRE:

OpenCTI_connector_mitre

When OpenCTI has finished with MITRE, it gets information from the MISP you configured; with S1EM, MISP and OpenCTI are interconnected:

OpenCTI_connector_misp

After OpenCTI has fetched all the information, you can use Cortex to search for observables in OpenCTI.

S1EM ships with the basic connectors; you can add more. For this, go to https://github.com/OpenCTI-Platform/connectors