8dad79d · CTI Detection Automation

.env.example +9 -0

		@@ -0,0 +1,9 @@
	+	CTI_CONFIG=config.yaml
	+	CTI_APPROVAL_SECRET=generate-with-openssl-rand-hex-32
	+
	+	THREATFOX_AUTH_KEY=
	+	OTX_API_KEY=
	+	CTI_LEAKS_TOKEN=
	+
	+	CTI_SMTP_USER=
	+	CTI_SMTP_PASSWORD=

Dockerfile +25 -0

		@@ -0,0 +1,25 @@
	+	FROM python:3.11-slim
	+
	+	ENV PYTHONDONTWRITEBYTECODE=1 \
	+	PYTHONUNBUFFERED=1 \
	+	PYTHONPATH=/app/src
	+
	+	WORKDIR /app
	+
	+	RUN useradd --create-home --uid 10001 cti
	+
	+	COPY requirements.txt .
	+	RUN pip install --no-cache-dir -r requirements.txt
	+
	+	COPY src/ src/
	+	COPY templates/ templates/
	+	COPY fixtures/ fixtures/
	+	COPY config.example.yaml .
	+
	+	RUN mkdir -p output && chown -R cti:cti /app
	+
	+	USER cti
	+
	+	EXPOSE 8080
	+
	+	ENTRYPOINT ["gunicorn", "--bind", "0.0.0.0:8080", "--workers", "2", "cti.web:app"]

config.example.yaml +39 -0

		@@ -0,0 +1,39 @@
	+	min_confidence: 65
	+	output_dir: output
	+	fixtures_dir: fixtures
	+	use_fixtures: false
	+
	+	wazuh_etc_dir: /var/ossec/etc
	+
	+	feeds:
	+	threatfox:
	+	enabled: true
	+	days: 1
	+	feodo:
	+	enabled: true
	+	urlhaus:
	+	enabled: true
	+	otx:
	+	enabled: true
	+	openphish:
	+	enabled: true
	+	leaks:
	+	enabled: false
	+	endpoint: ""
	+	watch_domains:
	+	- example.com
	+
	+	rules:
	+	base_id: 100300
	+
	+	approval:
	+	base_url: https://cti.lab.local
	+	token_ttl: 86400
	+	analyst_email: soc-analyst@example.com
	+
	+	email:
	+	backend: smtp
	+	from_addr: cti-pipeline@lab.local
	+	smtp_host: smtp.lab.local
	+	smtp_port: 587
	+	use_tls: true

deploy/cti-pipeline.service +12 -0

		@@ -0,0 +1,12 @@
	+	[Unit]
	+	Description=CTI detection automation - generate candidate rule bundle
	+	After=network-online.target
	+	Wants=network-online.target
	+
	+	[Service]
	+	Type=oneshot
	+	User=cti
	+	WorkingDirectory=/opt/cti-detection-automation
	+	EnvironmentFile=/opt/cti-detection-automation/.env
	+	Environment=PYTHONPATH=/opt/cti-detection-automation/src
	+	ExecStart=/opt/cti-detection-automation/.venv/bin/python -m cti.cli run -c /opt/cti-detection-automation/config.yaml

deploy/cti-pipeline.timer +10 -0

		@@ -0,0 +1,10 @@
	+	[Unit]
	+	Description=Run the CTI detection pipeline hourly
	+
	+	[Timer]
	+	OnCalendar=hourly
	+	Persistent=true
	+	RandomizedDelaySec=300
	+
	+	[Install]
	+	WantedBy=timers.target

docker-compose.yml +34 -0

		@@ -0,0 +1,34 @@
	+	name: cti-detection-automation
	+
	+	services:
	+	cti-web:
	+	build: .
	+	restart: unless-stopped
	+	ports:
	+	- "8080:8080"
	+	environment:
	+	- CTI_CONFIG=/app/config.yaml
	+	- CTI_APPROVAL_SECRET=${CTI_APPROVAL_SECRET}
	+	- CTI_SMTP_USER=${CTI_SMTP_USER:-}
	+	- CTI_SMTP_PASSWORD=${CTI_SMTP_PASSWORD:-}
	+	volumes:
	+	- ./config.yaml:/app/config.yaml:ro
	+	- cti-output:/app/output
	+
	+	cti-pipeline:
	+	build: .
	+	profiles: ["run"]
	+	entrypoint: ["python", "-m", "cti.cli", "run", "-c", "/app/config.yaml"]
	+	environment:
	+	- CTI_CONFIG=/app/config.yaml
	+	- CTI_APPROVAL_SECRET=${CTI_APPROVAL_SECRET}
	+	- THREATFOX_AUTH_KEY=${THREATFOX_AUTH_KEY:-}
	+	- OTX_API_KEY=${OTX_API_KEY:-}
	+	- CTI_SMTP_USER=${CTI_SMTP_USER:-}
	+	- CTI_SMTP_PASSWORD=${CTI_SMTP_PASSWORD:-}
	+	volumes:
	+	- ./config.yaml:/app/config.yaml:ro
	+	- cti-output:/app/output
	+
	+	volumes:
	+	cti-output:

dockerfile, compose and systemd timer for scheduled runs