feat(intel): cross-reference threat intel tool (CentinelaCI bridge)#1
Open
kmazara89 wants to merge 2 commits into
Open
feat(intel): cross-reference threat intel tool (CentinelaCI bridge)#1kmazara89 wants to merge 2 commits into
kmazara89 wants to merge 2 commits into
Conversation
…at intel Pull live threat intelligence (prioritised CVEs and IOCs) from the CentinelaCI REST API and ground it in the user's Elasticsearch data: each indicator is checked against the relevant ECS fields via ES|QL so the model can answer "have these threats been seen in my environment". - centinela-client: lazy JWT login with token caching and one-shot 401 re-auth; tolerant snake_case/camelCase parsing for /iocs and /vulns/top. - cross-reference-intel tool: degrades gracefully when intel isn't configured, maps IOC types to ECS fields, and treats ES|QL failures as "not seen here" rather than erroring. - Configured via CENTINELA_API_URL / CENTINELA_API_PASSWORD (optional CENTINELA_API_USERNAME); unset leaves the tool registered but inert. - Unit tests for both files plus integration-test coverage of registration. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The README claimed "six tools" and features.md omitted the new headless threat-intel bridge. Note it as a seventh, headless (model-only) tool and add a full features.md section covering intel pull, IOC-to-ECS matching, graceful degradation, and the CENTINELA_* configuration. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a seventh tool, cross-reference-intel, that bridges live CentinelaCI threat intelligence into the user's own Elasticsearch data — answering "have these threats been seen in my environment?".
centinela-client: lazy JWT login with token caching and one-shot 401 re-auth; tolerant snake_case/camelCase parsing for/iocsand/vulns/top.cross-reference-inteltool: pulls prioritised CVEs (context) + IOCs, then checks each indicator against the relevant ECS fields via ES|QL. Degrades gracefully — unconfigured intel returns a clear instruction, ES|QL failures are treated as "not seen here" rather than errors, CVE-type indicators are skipped.CENTINELA_API_URL/CENTINELA_API_PASSWORD(optionalCENTINELA_API_USERNAME). Unset leaves the tool registered but inert.docs/features.mdupdated to cover the new headless (model-only) tool;.env.exampledocuments the config.Test plan
npx tsc --noEmit— cleaneslinton intel files — cleancentinela-client,cross-reference-intel) passing🤖 Generated with Claude Code