diff --git a/packages/ti_custom/_dev/build/docs/README.md b/packages/ti_custom/_dev/build/docs/README.md index d6e21aca81b..eb66bf7c20c 100644 --- a/packages/ti_custom/_dev/build/docs/README.md +++ b/packages/ti_custom/_dev/build/docs/README.md 
@@ -46,6 +46,26 @@ However, for APIs that don't follow a specific communication protocol. The corre By default the integration only supports STIX 2.1 indicators. This means that to process IOCs in other formats, the `Restrict STIX 2.1 format` option must be disabled, and a custom pipeline added to map the indicators correctly. +### Collecting Threat Intelligence from ISAC Feeds + +The Custom Threat Intelligence integration allows you to connect to and pull threat indicators from any server supporting the TAXII protocol. This makes this integration the perfect fit for retrieving structured threat intelligence from Information Sharing and Analysis Centers (ISACs), such as MS-ISAC, FS-ISAC, H-ISAC, and others. These ISACs provide STIX-formatted threat data through TAXII servers. + +To configure the integration to pull threat intelligence from an ISAC feed, follow these steps: + +1. Ensure ISAC Membership: Confirm that you are a member of the desired ISAC (e.g., MS-ISAC, FS-ISAC) and have access to its TAXII server credentials. Some ISACs require registration and approval before providing TAXII feed access. + +2. Obtain the following information from your ISAC: + - Server URL: The endpoint for the ISAC’s TAXII server (e.g. https://example-isac.org/taxii/). + - Collection Name: The specific collection containing the threat intelligence you want to retrieve. + - Authentication Credentials: Username, password, API Key, or client certificate, as required by the ISAC. + +3. Set up the integration: + - The server URL and collection name should be used to build the URL as follows: `https://{base_url}/{api-root}/collections/{name}/objects/` + - Provide the username/password, API Key or upload a client certificate, depending on the ISAC’s requirements. + - Set how often the integration should pull updates (e.g. every hour). You can also set the time range to search for indicators when the agent runs for the first time with the Initial Interval. 
+ +Once the integration is running and pulling data, it automatically maps threat indicator fields from STIX to ECS. Verify that the imported indicators (e.g. IPs, domains, hashes) align with your detection rules. + ### Expiration of Indicators of Compromise (IOCs) The Custom Threat Intelligence integration supports IOC expiration. The ingested IOCs expire after certain duration. Based on the [STIX 2.1 reference](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html), the following options are available to determine the expiration of indicators: diff --git a/packages/ti_custom/changelog.yml b/packages/ti_custom/changelog.yml index 2ebe541f8d1..38fcb3c41f1 100644 --- a/packages/ti_custom/changelog.yml +++ b/packages/ti_custom/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.5.0" + changes: + - description: Improve documentation on how to proceed with ISAC feeds. + type: enhancement + link: https://github.com/elastic/integrations/pull/12098 - version: "0.4.0" changes: - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error". diff --git a/packages/ti_custom/docs/README.md b/packages/ti_custom/docs/README.md index 08e1760a3b7..a7a8bd094ba 100644 --- a/packages/ti_custom/docs/README.md +++ b/packages/ti_custom/docs/README.md 
@@ -46,6 +46,26 @@ However, for APIs that don't follow a specific communication protocol. The corre By default the integration only supports STIX 2.1 indicators. This means that to process IOCs in other formats, the `Restrict STIX 2.1 format` option must be disabled, and a custom pipeline added to map the indicators correctly. +### Collecting Threat Intelligence from ISAC Feeds + +The Custom Threat Intelligence integration allows you to connect to and pull threat indicators from any server supporting the TAXII protocol. This makes this integration the perfect fit for retrieving structured threat intelligence from Information Sharing and Analysis Centers (ISACs), such as MS-ISAC, FS-ISAC, H-ISAC, and others. These ISACs provide STIX-formatted threat data through TAXII servers. + +To configure the integration to pull threat intelligence from an ISAC feed, follow these steps: + +1. Ensure ISAC Membership: Confirm that you are a member of the desired ISAC (e.g., MS-ISAC, FS-ISAC) and have access to its TAXII server credentials. Some ISACs require registration and approval before providing TAXII feed access. + +2. Obtain the following information from your ISAC: + - Server URL: The endpoint for the ISAC’s TAXII server (e.g. https://example-isac.org/taxii/). + - Collection Name: The specific collection containing the threat intelligence you want to retrieve. + - Authentication Credentials: Username, password, API Key, or client certificate, as required by the ISAC. + +3. Set up the integration: + - The server URL and collection name should be used to build the URL as follows: `https://{base_url}/{api-root}/collections/{name}/objects/` + - Provide the username/password, API Key or upload a client certificate, depending on the ISAC’s requirements. + - Set how often the integration should pull updates (e.g. every hour). You can also set the time range to search for indicators when the agent runs for the first time with the Initial Interval. 
+ +Once the integration is running and pulling data, it automatically maps threat indicator fields from STIX to ECS. Verify that the imported indicators (e.g. IPs, domains, hashes) align with your detection rules. + ### Expiration of Indicators of Compromise (IOCs) The Custom Threat Intelligence integration supports IOC expiration. The ingested IOCs expire after certain duration. Based on the [STIX 2.1 reference](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html), the following options are available to determine the expiration of indicators: diff --git a/packages/ti_custom/manifest.yml b/packages/ti_custom/manifest.yml index 23a2d527b09..13d247f1069 100644 --- a/packages/ti_custom/manifest.yml +++ b/packages/ti_custom/manifest.yml @@ -3,7 +3,7 @@ name: ti_custom title: Custom Threat Intelligence description: Ingest threat intelligence data in STIX 2.1 format with Elastic Agent type: integration -version: 0.4.0 +version: 0.5.0 categories: - custom - security
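Review bot: In step 3 of the new "Collecting Threat Intelligence from ISAC Feeds" section (first README hunk), the URL template `https://{base_url}/{api-root}/collections/{name}/objects/` requires an API root that step 2 never tells the reader to obtain, and prefixing `https://` to a `{base_url}` that the step-2 example already gives as `https://example-isac.org/taxii/` yields a doubled scheme. Suggest adding an "API Root" item to the step-2 list (TAXII 2.1 servers advertise their API roots at the discovery endpoint) and writing the template as `{server_url}/{api_root}/collections/{collection_id}/objects/`, noting that the path segment is the collection's ID rather than its display name, since that is how TAXII 2.1 addresses collections. The placeholder style is also mixed (`{base_url}` vs `{api-root}`); one convention throughout would help.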
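Review bot: The changelog description "Improve documentation on how to proceed with ISAC feeds" is vague about what was added; since the hunk introduces a concrete setup procedure, something like "Document how to collect indicators from ISAC TAXII feeds" would tell readers of the changelog what changed. The version (0.5.0) and PR link match the manifest bump in the last hunk.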
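Review bot: The `packages/ti_custom/docs/README.md` hunk is the rendered copy of `_dev/build/docs/README.md` and carries the same URL-template and missing-API-root issues raised on the first hunk; the fix should be applied to the build template and this file regenerated so the two do not drift.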