Alert on events based on MISP data

Hey!
I am looking forward to 7.5, and was wondering how I could utilize the data added from the Filebeat MISP module.
Could I use Watcher to look at my index with security logs and make an alert if a field in a document matches with information added from the MISP module?

Or could I correlate the MISP data with incoming logs in some way?

Mostly just looking for suggestions :slight_smile:

Thanks in advance!

I have no knowledge of the MISP dataset, but I can answer the watcher question: you should be able to do that, depending on how the data looks. But I would also suggest looking into the SIEM app and the new Elastic Endpoint Protection. There is more to come that field.

1 Like