2.1.8. Active CTI engine

2.1.8.1. CTI module overview

The CTI module uses Indicators Of Compromise (IOC) to generate alerts.
The CTI module is composed of:
  • A database of Indicators Of Compromise named Gatewatcher CTI

  • The Active CTI engine: it generates Sigflow rules on the basis of the database of Indicators Of Compromise in order to raise alerts

  • The Retro hunt engine: it searches the Indicators Of Compromise (defined in the database) in metadata (corresponding of the network flow captured by Sigflow)

Note

An additional license is required to activate this module. It is therefore not automatically activated in the solution.


2.1.8.2. Introduction

2.1.8.2.1. For what types of threats is this engine designed?

The active CTI engine is designed to detect:

  • Malicious URLs

  • Malicious domain names


2.1.8.2.2. How does this particular engine detect threats?

The Active CTI engine generates specific Sigflow rules based on the compromise indices of the Gatewatcher CTI platform.
These rules configure the Sigflow engine to raise alerts if it finds malicious URLs/ domain names in the network feed it monitors.

2.1.8.2.3. How does Active CTI work in the GCenter?

The GCenter regularly receives evidence of compromise from the Gatewatcher CTI platform.
Based on this information, the Active CTI engine produces new Sigflow rules daily.
These rules are grouped in a new source named 'Active_CTI' and can therefore be included in a ruleset with other rule sources.
This ruleset is then integrated into the GCap Profile sent to the Sigflow engine to configure it.
These rules allow it to raise alerts when these rules correspond to the flow.
When an alert is raised, it is displayed in the various dashboards: NDR and Kibana.

2.1.8.3. Events generated

Events generated by the engine are alerts of the Sigflow type.
They will therefore be available in the ACTIVE CTI dashboards.
These are displayed:
  • In the main interface named WebUI of the GCenter in the `Alerts` screen
    The main interface named WebUI is described in Overview of the WEB UI.
  • In the interface named Kibana UI:
    • In the main interface WebUI, click on the `Hunting` icon.
      The interface displayed is the interface named Kibana UI (described in Overview of the Kibana GUI).
    • Click on the `Active CTI` category of the `Alerts` section then the `Overview` or `Messages` tab.
  • To consult information about a specific alert:

    • Click on the toggle icon (1) on the left of the Alert.
      The expanded document (2) is displayed.
      ../../_images/GCE103_CTI_ALERT_02.PNG
      The detailed information of this alert can be viewed in table or json format (see the Active CTI logs data structure).
      The displayed counters are given in the Engine log data structure appendix.
      Active CTI alerts are alerts that can be filtered by searching for the term event.module: active_cti in the Kibana search bar.

    Note

    The Kibana UI can also be accessed without any filters via the `Hunting` icon on the left side menu bar in the WebUI.


2.1.8.3.1. Example of an Active CTI alert in Kibana

../../_images/GCE103_CTI_ALERT_01.png
The presentation of the `Alert details` window is given in the `Alert details` window.
The counters are given in the Engine log data structure appendix.

2.1.8.3.2. Active CTI logs data structure

The logs are composed of different parts:

  • The header part

  • The source part defined by "_source"

  • The field part defined by "_fields

This information is displayed in the `Expanded document` screen of Kibana.


2.1.8.3.2.1. The header part of Active CTI logs

The header section contains:

"_index": "engines_alerts-2025.02.04-000001",
"_id": "odx80JQB3WGd7COqasTr",
"_version": 1,
"_score": 0,

The detailed information is given in the table (Counters of the header part of logs).


2.1.8.3.2.2. The source part of Active CTI logs

The source part is defined by "_source" in the logs.

Note

The data displayed on the WebUI (alerts details window) is a part of the data displayed on the `Extended document` screen on the Kibana interface.
All data can be exported to a SIEM via syslog (an example of an exported alert is shown).
The detailed information is given in the table (Counters of the header part of logs).

The example given here is a Kibana example.

"@version": "1",
"source": {
  "ip": "x.y.z.a",
  "port": 53,
  "mac": "00:11:22:33:44:55"
},
"network": {
  "protocol": "dns",
  "tx_id": 193630,
  "flow_id": 2201432362562192,
  "transport": "udp",
  "timestamp": "2025-02-04T10:22:36.248783+0000"
},
"destination": {
  "ip": "8.8.8.8",
  "port": 53,
  "mac": "00:55:44:33:22:11"
},
"@timestamp": "2025-02-04T10:22:36.248Z",
"event": {
  "dataset": "alert",
  "created": "2025-02-04T10:22:36.248783+0000",
  "kind": "alert",
  "severity": 1,
  "module": "active_cti",
  "category": [
    "network",
    "intrusion_detection"
  ],
  "id": "d79bff72-01b6-4639-979c-efcb5e6faf23"
},
"sigflow": {
  "payload": "3+YBAAABAAAAAAAADjkyNzU4LWNvaW5iYXNlA2NvbQAAAQAB",
  "signature_id": 1300000773,
  "metadata": {
    "risk": [
      "highly suspicious"
    ],
    "signature_severity": [
      "2"
    ],
    "ioc": [
      "fffc7e75-cb75-4210-a244-669cba3cae06"
    ],
    "updated_at:": [
      "2025_02_04"
    ],
    "created_at:": [
      "2025_02_04"
    ]
  },
  "gid": 1,
  "action": "allowed",
  "rev": 0,
  "stream": 0,
  "payload_printable": ".............92758-coinbase.com.....",
  "signature": "Active CTI - Host - Unknown/Unknown - Unknown family - Unknown threat actor - fffc7e75-cb75-4210-a244-669cba3cae06",
  "category": "Active CTI"
},
"flow": {
  "bytes_toclient": 10843280,
  "pkts_toclient": 96815,
  "bytes_toserver": 7551648,
  "pkts_toserver": 96816,
  "start": "2025-02-04T10:20:39.242320+0000"
},
"ecs": {
  "version": "8.6.0"
},
"dns": {
  "query": [
    {
      "rrname": "92758-coinbase.com",
      "rrtype": "A",
      "tx_id": 193630,
      "opcode": 0,
      "type": "query",
      "id": 57318
    }
  ]
},
"observer": {
  "product": "gcenter",
  "vendor": "gatewatcher",
  "gcap": {
    "hostname": "gcap.gatewatcher.fr",
    "ingress": {
      "interface": {
        "name": "monvirt"
      }
    },
    "version": "2.5.x"
  },
  "hostname": "gcenter.gatewatcher.fr",
  "uuid": "72cbafc7-96d2-203a730252a8",
  "version": "2.5.x",
  "log_format_version": "1.0.0"

2.1.8.3.2.3. List of counters of the alert

Note

The alert counters are visible:

  • In the `Alert details` screen of the WebUI

  • In the `Expanded document` screen of Kibana

  • In the export to the SIEM

The detailed information is given in the table (Counters of the source part of logs).


2.1.8.4. Management of the engine

2.1.8.4.1. Viewing the engine status

The current engine status is displayed in the `Health checks` screen.


2.1.8.4.2. CTI update

2.1.8.4.2.1. The database of indicators of compromise

If a malicious file was not detected as such by Malcore during its analysis, because it was too recent for the Malcore antivirus database for example, then if one of the indices matches the hash of the file in question in the metadata, an alert will be raised.

Note

The correlation of indices and metadata will depend on the data retention time configured on the GCenter.

Match analysis between indices and metadata is triggered when updating the index database.
It is therefore only possible to trigger the match analysis manually by updating the database of indicators of compromise manually.
This database of indicators of compromise is included in the CTI.gwp file.
There are three different ways to update this database:
  • Manual update with cti.gwp package

  • Online update: the download is performed periodically based on the package posted by Gatewatcher

  • Local update: the download is performed periodically based on the package in the local repository.

The update frequency depends on the threat db update parameters.

Note

In order to optimize the implementation of the update of the database in Local mode, it is necessary that the local repository retrieves the package cti.gwp every hour.
Otherwise the update as well as the match search will only be performed according to the recovery frequency of the package on the local deposit.

2.1.8.4.2.2. The Active CTI engine update

The engine is updated with each new version of the GCenter.


2.1.8.4.3. Active CTI engine configuration

The configuration interface is used:

  • To active the Active CTI engine

  • To modify the engine parameters

The management interface is described in the `Active CTI` screen.
The procedure is described in the Setting up the Active CTI engine.

2.1.8.5. Alert Analysis

The alerts are displayed on a specific screen described in the WebUI `Alerts` screen.
The general procedure for analyzing alerts is described in Using of NDR dashboards.
The specific procedure for analyzing Active CTI alerts is described in the Analyzing the Active CTI alerts.