Enhancing Cyber Threat Intelligence: Automating IOC Ingestion into IDS-SIEM Systems
In my latest project to strengthen an organization’s cybersecurity posture, I’ve been focusing on optimizing the collection, processing, and integration of threat intelligence. The goal? Automating the ingestion of Indicators of Compromise – Attack (IOC/A) from the leading Cyber Threat Intelligence (CTI) platforms OpenCTI, MISP, and TAXII into Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) solutions.
Manually curating threat intelligence is both time-consuming and prone to gaps. Attackers constantly evolve, and stale IOCs lose relevance over time. By automating the entire pipeline, we ensure real-time ingestion of new threats while enforcing a 90-day lifecycle that removes outdated IOCs, so our defences stay lean and effective. This not only reduces false positives but also ensures that security teams focus on relevant, high-fidelity threat data.
This project was also an opportunity to use Docker to streamline deployment. Containerized instances of OpenCTI, MISP, and TAXII give a modular and scalable architecture that simplifies updates, maintenance, and integrations. Containerizing the workflow ensures that each component operates efficiently while remaining flexible enough to adapt to evolving threat intelligence needs.
By automating and modernizing how threat intelligence is handled, we’ve built a scalable, intelligence-driven defence that continuously adapts to the latest threats—maximizing security impact with minimal manual overhead.
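As an added illustration of the lifecycle rule described above (example code, not part of the original project): a Python pass over MISP-style attributes that drops anything older than 90 days or not flagged for detection (to_ids), collapses duplicate sightings to the most recent one, and renders the survivors as Suricata rules for the IDS. The attribute records, timestamps and sid range are constructed for the example; the field names (type, value, timestamp, to_ids) follow MISP's attribute schema.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

def epoch_days_ago(days):
    """MISP stores attribute timestamps as epoch seconds."""
    return int((NOW - timedelta(days=days)).timestamp())

# Constructed sample in the shape of MISP event attributes (RFC 5737 / RFC 2606
# documentation values, not real indicators).
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.10", "timestamp": epoch_days_ago(3), "to_ids": True},
    {"type": "domain", "value": "malware.example", "timestamp": epoch_days_ago(45), "to_ids": True},
    {"type": "ip-dst", "value": "203.0.113.10", "timestamp": epoch_days_ago(60), "to_ids": True},  # older duplicate
    {"type": "ip-dst", "value": "198.51.100.7", "timestamp": epoch_days_ago(120), "to_ids": True},  # past 90 days
    {"type": "comment", "value": "analyst note", "timestamp": epoch_days_ago(1), "to_ids": False},  # not detection-grade
]

def active_iocs(attributes, now=NOW, max_age_days=90):
    """Apply the lifecycle: keep only to_ids attributes seen within max_age_days,
    collapsing duplicate (type, value) pairs to their most recent sighting."""
    cutoff = int((now - timedelta(days=max_age_days)).timestamp())
    latest = {}
    for attr in attributes:
        if not attr.get("to_ids") or attr["timestamp"] < cutoff:
            continue  # expired or informational only: never reaches the IDS
        key = (attr["type"], attr["value"])
        if key not in latest or attr["timestamp"] > latest[key]["timestamp"]:
            latest[key] = attr
    return list(latest.values())

def to_suricata_rules(attributes, sid_base=9000000):
    """Render each surviving IOC as a Suricata rule; sids are assigned from sid_base
    (an assumed local range; pick one that does not collide with your rulesets)."""
    rules = []
    for n, attr in enumerate(attributes):
        sid = sid_base + n
        msg = f'msg:"CTI {attr["type"]} {attr["value"]}"'
        if attr["type"] == "ip-dst":
            rules.append(f'alert ip $HOME_NET any -> {attr["value"]} any ({msg}; sid:{sid}; rev:1;)')
        elif attr["type"] == "domain":
            rules.append(f'alert dns $HOME_NET any -> any any ({msg}; dns.query; '
                         f'content:"{attr["value"]}"; nocase; sid:{sid}; rev:1;)')
    return rules

if __name__ == "__main__":
    for rule in to_suricata_rules(active_iocs(SAMPLE_ATTRIBUTES)):
        print(rule)
```

Re-running the pass on a schedule and replacing the generated rule file is what enforces the 90-day lifecycle: an indicator that stops being re-sighted simply ages out on the next run.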
MISP – Malware Information Sharing Platform
Setup Guide
Recommended setup is on the latest Ubuntu release; the links to the install information are provided below.
- sudo apt update
- sudo apt install git
- sudo apt install vim
- sudo apt install python3
- sudo apt install python3-setuptools
- Install Docker: https://docs.docker.com/engine/install/ubuntu/
- Clone the MISP Docker repo (preferably as a regular user, not with sudo): git clone https://github.com/MISP/misp-docker.git (project page: https://github.com/MISP/misp-docker)
- cd into the misp-docker directory
- sudo vim template.env and set the base URL (BASE_URL) to https://<IP of machine>
- sudo cp template.env .env (copies the template to the .env file, dropping the "template" prefix)
- sudo apt install docker-compose: this might not be needed, as the hyphenated docker-compose command is deprecated in favour of docker compose
- sudo docker compose pull
- sudo docker compose up
Useful Docker Commands
Docker itself is set to restart on virtual machine reboot by default, but not all of the containers do. The commands below let you identify the container names; the last command adds an auto-restart policy to the config of the specified container, which ensures the platform comes back up.
- docker ps (show the running containers)
- docker ps -a (show all containers)
- docker inspect <container name>
- docker update --restart always <container name>
If for any reason you do need to restart manually:
- cd into the misp-docker directory
- sudo docker compose pull
- sudo docker compose up
MISP Use and Settings
OpenCTI – Cyber Threat Intel
Setup Guide
Recommended setup is on the latest Ubuntu release, the links to the information for the install are provided below.