From 98fca4e2f06fd6710986b41bd1808bcce0a67971 Mon Sep 17 00:00:00 2001 From: Men-hau <101662967+Men-hau@users.noreply.github.com> Date: Wed, 18 Oct 2023 16:43:20 +0200 Subject: [PATCH] Update thehive.md --- .../integrations/thehive.md | 95 ++++++++++++------- 1 file changed, 63 insertions(+), 32 deletions(-) diff --git a/_shared_content/intelligence_center/integrations/thehive.md b/_shared_content/intelligence_center/integrations/thehive.md index 658d961e78..12482bd589 100644 --- a/_shared_content/intelligence_center/integrations/thehive.md +++ b/_shared_content/intelligence_center/integrations/thehive.md @@ -1,6 +1,6 @@ # External Integrations: Cortex Analyzer -Sekoia.io is providing a [Cortex analyzer](https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/analyzers/SEKOIAIntelligenceCenter) to enrich data in [TheHive](https://thehive-project.org/) ecosystem. +Sekoia.io is providing its intelligence to enrich data in [Cortex](https://thehive-project.org/). ## Objective @@ -11,11 +11,11 @@ Collect Sekoia.io CTI feed in an existing Cortex instance self-managed, for any - An operational Cortex instance with administrator privileges - An active Sekoia.io licence with access to the CTI - An access to Sekoia.io User Center with the permissions to create an API key with [CTI permissions](https://docs.sekoia.io/getting_started/Permissions/#cti-permissions) + +## 1. Connect to Cortex !!!note - Sekoia Intelligence feed will be available upon Cortex setup - -## 1. Connect to Cortex + Cortex instance must be activated on your server 1- In a Web browser, type the following _http://server_ip:cortex_port_ @@ -38,6 +38,7 @@ Collect Sekoia.io CTI feed in an existing Cortex instance self-managed, for any #### 2- Enable and Setup the Analyzer The configuration setup in the previous section will provide 3 Analyzers to enable and setup : + - SEKOIAIntelligenceCenter_Context_1_0 - SEKOIAIntelligenceCenter_Indicators_1_0 - SEKOIAIntelligenceCenter_Observables_1_0 
@@ -53,7 +54,9 @@ Here is below one example of setup to be done for the 3 analyzers: ## 3. Sekoia intelligence in TheHive Cortex -Here is an example on how to retrieve Sekoia feed on the 3 analyzers (and the match on Sekoia intelligence) +### 1. Matching of Sekoia intelligence + +**Here is a summary of the information:** |Analyzers|Cortex|Sekoia.io| |--|--|--| 
@@ -61,60 +64,88 @@ Here is an example on how to retrieve Sekoia feed on the 3 analyzers (and the ma |SEKOIAIntelligenceCenter_Indicators_1_0 |indicators|Indicators under objects tab (details)| |SEKOIAIntelligenceCenter_Observables_1_0|known observables|Observable under observable tab| -*Steps* +**Where to find information on Sekoia.io ?** -1- Go to Sekoia connector _Analyzers > SEKOIAIntelligenceCenter_ (any) and click on button Run +- SEKOIAIntelligenceCenter_Context_1_0 + + +- SEKOIAIntelligenceCenter_Indicators_1_0 + + +- SEKOIAIntelligenceCenter_Observables_1_0 + -![TheHive_Sekoia_connector1](/assets/intelligence_center/search_SekoiaCTI-1.png){: style="width: 100%; max-width: 100%"} +### 2. Steps to retrieve and search Sekoia intelligence -2- Fill the information (depending on which elements you would like to retrieve) +**- Search existing Sekoia intelligence in Cortex** -- Indicator -![TheHive_Sekoia_connector2a](/assets/intelligence_center/search_SekoiaCTI-2_indicators.png){: style="width: 100%; max-width: 100%"} +![TheHive_Sekoia_connector1](/assets/intelligence_center/searchExisting_SekoiaCTI.png){: style="width: 100%; max-width: 100%"} -- Indicator side details -![TheHive_Sekoia_connector2b](/assets/intelligence_center/search_SekoiaCTI-2_context.png){: style="width: 100%; max-width: 100%"} +**- Import Sekoia intelligence** -- Observable -![TheHive_Sekoia_connector2c](/assets/intelligence_center/search_SekoiaCTI-2_observables.png){: style="width: 100%; max-width: 100%"} +- Indicators + +1- Go to Sekoia connector _Analyzers > SEKOIAIntelligenceCenter_ and click on button Run +![TheHive_Sekoia_connector1](/assets/intelligence_center/search_SekoiaCTI-1_indicators.png){: style="width: 100%; max-width: 100%"} +2- Fill the information +![TheHive_Sekoia_connector2a](/assets/intelligence_center/search_SekoiaCTI-2_indicators.png){: style="width: 100%; max-width: 100%"} 3- Check the observable in Jobs History 
-![TheHive_Sekoia_job](/assets/intelligence_center/search_SekoiaCTI-3.png){: style="width: 100%; max-width: 100%"} +![TheHive_Sekoia_job](/assets/intelligence_center/search_SekoiaCTI-3_indicators.png){: style="width: 100%; max-width: 100%"} -4- Check the Sekoia feed +4- Check the Sekoia observable +![TheHive_Sekoia_feed1](/assets/intelligence_center/search_SekoiaCTI-4_Observable.png){: style="width: 100%; max-width: 100%"} -- Observable -![TheHive_Sekoia_feed1](/assets/intelligence_center/search_SekoiaCTI-4_Object.png){: style="width: 100%; max-width: 100%"} +5- In Sekoia.io +![TheHive_Sekoia_objects](/assets/intelligence_center/searchCTI_Sekoia_objects.png){: style="width: 100%; max-width: 100%"} -- Object context -![TheHive_Sekoia_feed2](/assets/intelligence_center/search_SekoiaCTI-4_Object_context.png){: style="width: 100%; max-width: 100%"} +------ -- Object -![TheHive_Sekoia_feed3](/assets/intelligence_center/search_SekoiaCTI-4_Observable.png){: style="width: 100%; max-width: 100%"} +- Context +1- Go to Sekoia connector _Analyzers > SEKOIAIntelligenceCenter_ and click on button Run +![TheHive_Sekoia_connector1](/assets/intelligence_center/search_SekoiaCTI-1_context.png){: style="width: 100%; max-width: 100%"} -*To only search existing Sekoia Intelligence feed* -![TheHive_Sekoia_connector1](/assets/intelligence_center/searchExisting_SekoiaCTI.png){: style="width: 100%; max-width: 100%"} +2- Fill the information +![TheHive_Sekoia_connector2b](/assets/intelligence_center/search_SekoiaCTI-2_context.png){: style="width: 100%; max-width: 100%"} -## 4. Where to find Sekoia intelligence feed ? 
+3- Check the observable in Jobs History +![TheHive_Sekoia_job](/assets/intelligence_center/search_SekoiaCTI-3_context.png){: style="width: 100%; max-width: 100%"} -Search in Sekoia Intelligence page +4- Check the Sekoia observable +![TheHive_Sekoia_feed1](/assets/intelligence_center/search_SekoiaCTI-4_Object_context.png){: style="width: 100%; max-width: 100%"} -- Observable +5- In Sekoia.io ![TheHive_Sekoia_Observable](/assets/intelligence_center/searchCTI_Sekoia_observables.png){: style="width: 50%; max-width: 50%"} -- Indicators -![TheHive_Sekoia_objects](/assets/intelligence_center/searchCTI_Sekoia_objects.png){: style="width: 100%; max-width: 100%"} +------ + +- Observables + +1- Go to Sekoia connector _Analyzers > SEKOIAIntelligenceCenter_ (any) and click on button Run +![TheHive_Sekoia_connector1](/assets/intelligence_center/search_SekoiaCTI-1_observables.png){: style="width: 100%; max-width: 100%"} + +2- Fill the information +![TheHive_Sekoia_connector2c](/assets/intelligence_center/search_SekoiaCTI-2_observables.png){: style="width: 100%; max-width: 100%"} + +3- Check the observable in Jobs History +![TheHive_Sekoia_job](/assets/intelligence_center/search_SekoiaCTI-3_observables.png){: style="width: 100%; max-width: 100%"} + +4- Check the Sekoia observable +![TheHive_Sekoia_feed1](/assets/intelligence_center/search_SekoiaCTI-4_Object.png){: style="width: 100%; max-width: 100%"} + +5- In Sekoia.io +![TheHive_Sekoia_Observable](/assets/intelligence_center/searchCTI_Sekoia_observables.png){: style="width: 50%; max-width: 50%"} -## 5. Troubleshoot +## 4. Troubleshoot 1- Go to _Analyzers_ tab > Run an analyzer 2- Check the jobs in _Jobs History_ tab -## 6. Other resources +## 5. Other resources - **The Cortex official documentation**
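Review bot: (hunk `@@ -1,6 +1,6 @@`) the only link to the analyzer's source, https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/analyzers/SEKOIAIntelligenceCenter, should stay in the introduction line; the new wording links the word "Cortex" to https://thehive-project.org/ and nothing else, while the later sections still refer to the three SEKOIAIntelligenceCenter_* analyzers by name without saying where they come from or which version is expected. Suggest something like `Sekoia.io provides a [Cortex analyzer](https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/analyzers/SEKOIAIntelligenceCenter) that enriches observables in [Cortex](https://thehive-project.org/) and TheHive with its intelligence.` ("provides" rather than "is providing").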
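Review bot: (hunk `@@ -11,11 +11,11 @@`) the replacement admonition text `Cortex instance must be activated on your server` is vaguer than the line it replaces and loses the statement that the Sekoia Intelligence feed becomes available once Cortex is set up; if the intent is a precondition for section 1, say what "activated" means in practice (the Cortex service is running and its web UI is reachable on `http://server_ip:cortex_port`, as step 1 below expects). Since the prerequisites above involve administrator privileges and a Sekoia.io API key with CTI permissions, the same note is a good place to state that the Cortex UI should be exposed over HTTPS (for example behind a reverse proxy) rather than the plain `http://` URL given in step 1. Moving the `## 1. Connect to Cortex` heading above the note is fine, but keep a blank line between the heading and `!!!note` so the admonition still renders.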
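Review bot: (hunk `@@ -38,6 +38,7 @@`) the blank line added before the analyzer list is the right fix for the list to render as a list, but the unchanged context line just above still reads `to enable and setup :`; while this line is being touched, change it to `to enable and set up:` (verb form, no space before the colon), which is the form used elsewhere in the file.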
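Review bot: (hunk `@@ -53,7 +54,9 @@`) the sentence that explained the table (how the results of the three analyzers map to Sekoia.io intelligence) is replaced by `**Here is a summary of the information:**`, which does not say what information is summarized; introduce the table instead with something like `The table below lists, for each analyzer, what Cortex returns and where the matching object is found in Sekoia.io:`. Also, `### 1. Matching of Sekoia intelligence` restarts numbering at 1 inside `## 3.`, and bold text is used as a heading; the file already uses `####` for sub-steps (`#### 2- Enable and Setup the Analyzer`), so `#### Matching of Sekoia intelligence` keeps the document's own convention.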
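Review bot: (hunk `@@ -61,60 +64,88 @@`) the three bullets under `**Where to find information on Sekoia.io ?**` (`- SEKOIAIntelligenceCenter_Context_1_0`, `_Indicators_1_0`, `_Observables_1_0`) are each followed only by blank lines, so the list tells the reader nothing; either add the screenshot or text that belongs under each entry or drop the list until it is ready. Other points in the same hunk: the three per-analyzer procedures reuse the same alt texts (`TheHive_Sekoia_connector1`, `TheHive_Sekoia_job`, `TheHive_Sekoia_feed1`) for different images, which defeats the alt text; step 1 keeps `(any)` only in the Observables procedure and drops it for Indicators and Context, and it is unclear what "any" means now that each procedure targets one analyzer; step 3 says `Check the observable in Jobs History` even for the Indicators and Context procedures, where "Check the job in Jobs History" reads better; the Indicators procedure's step 4 points at `search_SekoiaCTI-4_Observable.png` while the Observables procedure's step 4 points at `search_SekoiaCTI-4_Object.png`, so please confirm the two screenshots are not swapped; and `**- Search existing Sekoia intelligence in Cortex**` / `**- Import Sekoia intelligence**` use a bold line with a leading hyphen as a heading, where `####` (as in `#### 2- Enable and Setup the Analyzer`) is the file's convention. Finally, `Where to find information on Sekoia.io ?` has a space before the question mark; drop it.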