Intel backend support

[dcode]

I don't know if this is reasonable, but it'd be really helpful if the intel portion could reach into a backend like CRITS via API. SCOT is a great start as an IR platform, but for larger uses, it's ideal to ingest a bunch of data into a better suited system like CRITS. I don't know how the current logic works, per se, but CRITS has a pretty extensive API. It also uses standard CybOX models for indicators.

Value to CRITS user: Allows integration with higher fidelity intel and integrate incident response team with threat intelligence team

How affects non-CRITS users: Doesn't affect at all. Existing simple intel function remains as-is.

[toddbruner]

We are currently preparing the next version of SCOT to be more flexible and modular. I agree that the ability to work with other systems like CRITS would be a win for all. Threat intel will become our primary focus after the release, and we welcome your input/help if you would like to contribute. Please feel free to send an e-mail to [email protected] if you would like to discuss further, otherwise I will update this issue when we start working towards this integration.

[toddbruner]

This didn't make it into 3.5.2, but integration with other threat intel systems are planned. CRITS, STIX/TAXI, etc. are all being looked at.

[toddbruner]

Hey Internet, trying to prioritize a integrations with other threat intel systems. Please post the threat intel system you are using, and if you would be willing to provide sample data to assist in our development efforts.

In the case of CRITs above, some kind of retrieval from CRITs to SCOT should be possible, but I lack a populated CRITs DB that I can test against. Anyone willing to provide sample JSON dumps from API queries against CRITs? The use case I'm envisioning, is that CRITs data could be queried on demand when an entity is examined. Another use case is that upon entity creation, the CRITs system could be queried and the results would enrich the entity record.