Important settings
After having configured the required settings, you should at minimum read up on and adjust the following settings:
TLS verification
Whether the OpenSearch TLS certificate should be verified.
Searching
Maximum number of alerts to return from a search.
Number of alert matches (as reported by OpenSearch, not the number of results returned) that should abort further processing. This limit helps prevent flooding OpenCTI with events from bad searches. See also bundle_abort_limit.
There are many more settings that affect searches. See the configuration reference on alert searching and OpenSearch.
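The distinction above, between the match count OpenSearch reports and the documents it actually returns, is what makes an abort limit useful against a noisy search. The following is an added example and not the connector's own code: it builds a query that caps returned documents while asking for an exact total, and aborts on the reported total. The option names max_hits and abort_limit, the query fields and the sample response are assumptions made for the illustration; the connector's real option names are in its configuration reference.

```python
# Added example, not the connector's own code: a search guard that uses the
# match count OpenSearch reports (hits.total) rather than the number of
# documents it returns (hits.hits). The option names `max_hits` and
# `abort_limit` are assumptions standing in for the connector's real
# search/abort settings.
from dataclasses import dataclass


@dataclass
class SearchLimits:
    max_hits: int      # documents to request per search (assumed name)
    abort_limit: int   # abort when more alerts than this matched (assumed name)


class SearchAborted(Exception):
    """Raised when a query matches more alerts than the abort limit allows."""


def build_query(value: str, limits: SearchLimits) -> dict:
    """Build an OpenSearch request body that caps returned documents at
    `max_hits` and asks for an exact total, so the abort check is not fooled
    by the default 10 000 cap on hits.total.value."""
    return {
        "size": limits.max_hits,
        "track_total_hits": True,
        # Illustrative query; the connector's real field selection differs.
        "query": {"query_string": {"query": value}},
    }


def process_response(response: dict, limits: SearchLimits) -> list[dict]:
    """Return the alert documents from a response, or raise SearchAborted.

    hits.total.value counts every document that matched, however few were
    returned. If the count was not tracked exactly, relation is "gte" and
    the value is only a lower bound, so it is treated as at least that many.
    """
    total = response["hits"]["total"]
    matched = int(total["value"])
    lower_bound = total.get("relation", "eq") == "gte"
    if matched > limits.abort_limit or (lower_bound and matched >= limits.abort_limit):
        prefix = "at least " if lower_bound else ""
        raise SearchAborted(
            f"query matched {prefix}{matched} alerts; abort limit is {limits.abort_limit}"
        )
    return [hit["_source"] for hit in response["hits"]["hits"]]


def constructed_response(matched: int, returned: int, relation: str = "eq") -> dict:
    """Constructed sample OpenSearch response (not real Wazuh data) with the
    shape the guard reads: a total match count and the returned alerts."""
    hits = [
        {
            "_index": "wazuh-alerts-example",
            "_id": f"alert-{i}",
            "_source": {"rule": {"id": "RULE_ID_PLACEHOLDER"}, "data": {"srcip": "192.0.2.10"}},
        }
        for i in range(returned)
    ]
    return {"hits": {"total": {"value": matched, "relation": relation}, "hits": hits}}


if __name__ == "__main__":
    limits = SearchLimits(max_hits=10, abort_limit=1000)
    print(build_query("192.0.2.10", limits)["size"])
    print(len(process_response(constructed_response(3, 3), limits)))
    try:
        process_response(constructed_response(25000, 10), limits)
    except SearchAborted as exc:
        print("aborted:", exc)
```

A search for a very common value (an internal IP that appears in thousands of access-log alerts) returns only max_hits documents, so a check on the returned list alone would never trip; checking the reported total is what stops such a search before it turns into thousands of OpenCTI events.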
Event creation
Create sightings for observables that do not have indicators based on them
require_indicator_for_incidents
By default, incidents (and incident response cases) will only be created if observables have indicators based on them. These additional settings are used to adjust the indicator requirements:
A list of alert rule IDs that should not create incidents. Depending on your use of OpenCTI, your connectors and the type and quality of IoCs in your database, you may need to exclude some events from your searches. For instance, in order to reduce a lot of noise, excluding SSH login attempts and web server access attempts may be necessary. The default list excludes a number of these kinds of alerts. Sightings will still be created.
vulnerability_incident_cvss3_score_threshold
Only create incidents for sightings of vulnerabilities if the vulnerability CVSS3 score is above or equals this threshold. By default, this threshold is unset, meaning no incidents are created for sightings of vulnerabilities.
vulnerability_incident_active_only
Only create incidents for vulnerabilities that are still active (i.e. the vulnerable software has not since been patched or removed).
Which entities to create as alert context for incidents. By default, all supported entities are enabled, which may be noisy (depending on the alerts matched).
There are more settings that affect sighting and incident creation. See the configuration reference for details.
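The settings in this section interact: an excluded rule, a missing indicator, an unset CVSS3 threshold or an inactive vulnerability each stop an incident while the sighting is still created. The following added example, which is not the connector's own code, works that decision through on constructed alert matches. The setting names require_indicator_for_incidents, vulnerability_incident_cvss3_score_threshold and vulnerability_incident_active_only are the ones on this page; the names incident_rule_exclude_list and create_sightings_without_indicator, the Match fields, the rule ids and the assumption that for vulnerabilities the CVSS3 threshold replaces the indicator requirement are made for the illustration.

```python
# Added example, not the connector's own code: the sighting-versus-incident
# decision the event creation settings describe, applied to constructed
# alert matches. Names marked "assumed" are not taken from the page.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EventSettings:
    require_indicator_for_incidents: bool = True
    # Vulnerabilities have no indicator based on them, so for them the CVSS3
    # threshold replaces the indicator requirement (an assumption here).
    vulnerability_incident_cvss3_score_threshold: Optional[float] = None
    vulnerability_incident_active_only: bool = False
    incident_rule_exclude_list: set = field(default_factory=set)  # assumed name
    create_sightings_without_indicator: bool = True                # assumed name


@dataclass
class Match:
    """One alert hit for one observable (constructed, not connector data)."""
    observable_type: str            # e.g. "IPv4-Addr" or "Vulnerability"
    rule_id: str                    # rule id of the matching alert
    has_indicator: bool = False     # an indicator is based on the observable
    cvss3_score: Optional[float] = None
    active: bool = True             # vulnerability not yet patched/removed


def decide(match: Match, settings: EventSettings) -> set[str]:
    """Return which OpenCTI objects to create for a match: a subset of
    {"sighting", "incident"}. Sightings survive every incident filter."""
    created: set[str] = set()
    if match.has_indicator or settings.create_sightings_without_indicator:
        created.add("sighting")
    if match.rule_id in settings.incident_rule_exclude_list:
        return created  # noisy rule: sighting only
    if match.observable_type == "Vulnerability":
        threshold = settings.vulnerability_incident_cvss3_score_threshold
        if threshold is None or match.cvss3_score is None or match.cvss3_score < threshold:
            return created  # unset threshold means no vulnerability incidents
        if settings.vulnerability_incident_active_only and not match.active:
            return created  # already patched or removed
    elif settings.require_indicator_for_incidents and not match.has_indicator:
        return created
    created.add("incident")
    return created


# Constructed placeholder rule ids, not real Wazuh rule ids.
SSH_LOGIN_RULE = "rule-ssh-login-attempt"
SUSPICIOUS_RULE = "rule-suspicious-connection"
VULN_RULE = "rule-vulnerability-detected"


if __name__ == "__main__":
    defaults = EventSettings(incident_rule_exclude_list={SSH_LOGIN_RULE})
    print(decide(Match("IPv4-Addr", SSH_LOGIN_RULE, has_indicator=True), defaults))
    print(decide(Match("IPv4-Addr", SUSPICIOUS_RULE, has_indicator=True), defaults))
    strict = EventSettings(vulnerability_incident_cvss3_score_threshold=7.0,
                           vulnerability_incident_active_only=True)
    print(decide(Match("Vulnerability", VULN_RULE, cvss3_score=9.8, active=False), strict))
```

The order of the checks matters for tuning: the exclude list is evaluated first, so a rule listed there never produces an incident no matter how strong the indicator, which is the behaviour you want for high-volume rules such as login and access attempts.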
When to run
The CONNECTOR_AUTO setting can be either true (auto) or false (manual). Auto is most likely the preferred choice. However, if you have an OpenCTI enterprise licence, it is possible to use playbooks to run enrichments. In the example below, the opencti-wazuh-connector is configured as manual and called through a playbook. The first block is set to filter on author, so that the connector will only look up entities from high-quality data sources:
See this Filigran blog post for an introduction on playbooks.