Partnership

Combining Sekoia.io Threat Intelligence and OpenCTI

Jun 4, 2024 3 min read

The Filigran x Sekoia.io partnership announcement is an opportunity to put the spotlight back on the benefits of the integration between OpenCTI and Sekoia Threat Intelligence.

The existing Sekoia connector for OpenCTI was released in 2021 and is freely available on the OpenCTI GitHub repository. This connector is regularly updated and maintained by Filigran.


What is Sekoia.io?

Sekoia.io is a European cybersecurity SaaS technology vendor founded in France. It provides modern, field-proven technologies that enable its customers (large accounts, MSSPs, public entities, etc.) to neutralize cyber threats before they have consequences.

Sekoia.io’s solutions are based on knowledge of attackers: their tactics, operating methods, tools and infrastructures. All of this intelligence is produced by one of the largest private cyber threat intelligence teams in Europe. Sekoia.io Threat Intelligence is used by a variety of experienced CTI teams: SOCs, CERTs/CSIRTs, national agencies, etc.

Sekoia.io provides two solutions:

  • CTI (Sekoia Intelligence): highly structured, contextualized and actionable CTI produced by Sekoia.io’s skilled analysts, the Threat Detection & Research (TDR) team.
  • SOC platform / XDR (Sekoia Defend): a vendor-agnostic Open XDR SaaS platform that leverages CTI and other detection capabilities to combine anticipation with automated incident response (embedded SOAR capabilities).

To make anticipation real, the platform goes beyond the average approach in attacker modeling and makes this intelligence available both for its detection engine and for its partners as CTI feeds.

What kind of threat intelligence does Sekoia.io provide?

Sekoia Threat Intelligence is produced in line with five main drivers: freshness, confidence, exclusiveness, coverage, and actionability. The result is native STIX 2.1 CTI with valuable information and context.

Sekoia.io indicators displayed on OpenCTI

  • For freshness, half of the intelligence is created when a hot topic becomes real; the other half provides intelligence to customers before the attacker uses it.
  • For confidence, data is processed through a pipeline designed to verify, qualify, enrich and contextualize each object.
  • For exclusiveness, many trackers are implemented to observe new attacker moves and transform them into valuable indicators that will be used for future attacks.
  • For coverage, the platform transforms every piece of OSINT content (blog posts, threat lists, etc.) into contextualized objects, allowing consolidation into a single view of what is said every day.
  • For actionability, Sekoia.io provides courses of action associated with campaigns or malware.

Report coming from the Sekoia threat intelligence

Therefore, Sekoia.io Threat Intelligence embeds indicators, TTPs, campaigns, reports, malware, locations/sectors, infrastructures and all other STIX objects that are relationship-based.

Today (May 2024) the Sekoia Threat Intelligence graph database holds roughly 7 million indicators.

How does the integration work?

The integration between OpenCTI and Sekoia.io is a data import connector. This connector ingests new intelligence from Sekoia.io into an OpenCTI instance, preserving 100% of the source data thanks to native STIX 2.1 support on both sides.

Overview of the Sekoia.io connector in OpenCTI

You can look at the Sekoia CTI connector configuration in detail here.

Filigran and Sekoia.io will continue their joint effort to enhance the existing integration between their solutions and to address new use cases. Stay tuned!

If you have any questions, requests, comments or feedback to share with us, don’t hesitate to join us on Slack!
