We are building a rule "Successful Connection to Blacklisted IP". We are doing this using the translate filter.
We are taking the blacklisted IPs from SANS or other security websites. Is there any way to automatically update the list on a daily basis, or is there any way where ELK can connect to the SANS Database/Website and auto-update the blacklisted IP sheet on a daily basis?
Help would be appreciated.
If you're already using a translate filter it sounds like you just need a cronjob that pulls fresh data from the sources and stores it in the YAML file. Building such functionality into Logstash seems highly unnecessary.
I know that.
But the customer here is looking for building SOC (Security operation center) using ELK as a SIEM, which can be a little cumbersome.
Okay, but I don't see how that answers the question of why a cronjob wouldn't solve the problem.
We have a similar case. Our blacklists are based on networks and not single IPs. We also work with the translate filter. We would like to use the cidr filter to check if a specific IP matches a network, but how can you combine the cidr filter with lookup data (from translate)?
I remember that if you update the YAML file used in the translate filter, the update should be automatic, so normally it is enough to update the source file, for example through a cron job.
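The cron-plus-translate approach suggested above, together with the cidr side of the follow-up question, as an added example that is not code from this thread or from Elastic: a POSIX shell script that normalises a downloaded feed into the YAML dictionary the translate filter reads, and swaps it in atomically so the filter's periodic refresh never sees a half-written file. The feed URL, file paths, field names and label are assumptions; the translate and cidr filter options in the comments are the ones I know from those plugins, so check them against your installed versions.

```shell
#!/bin/sh
# Constructed example: convert a raw blocklist feed into a translate-filter
# dictionary. FEED_URL and DICT are placeholders, not real endpoints.
set -eu

FEED_URL="${FEED_URL:-https://example.invalid/blocklist.txt}"  # placeholder
DICT="${DICT:-/etc/logstash/blacklist.yml}"

# Normalise a raw feed read from stdin: drop comments and blank lines, keep
# only IPv4 addresses or IPv4 CIDR ranges, and deduplicate.
normalize_feed() {
  sed -e 's/[#;].*$//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' \
  | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
  | sort -u
}

# Emit one '"ip_or_network": "label"' line per entry; the label is what the
# translate filter copies into its destination field on a hit.
feed_to_yaml() {  # $1 = label
  normalize_feed | awk -v label="$1" '{ printf "\"%s\": \"%s\"\n", $1, label }'
}

# Build the dictionary from a raw feed file ($1) into $2 with label $3.
# Writes to a temp file and renames, so Logstash never reads a partial file;
# refuses to install an empty dictionary (feed down or format changed).
update_dict() {
  tmp="$2.tmp.$$"
  feed_to_yaml "$3" < "$1" > "$tmp"
  if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 1; fi
  mv "$tmp" "$2"
}

main() {
  raw=$(mktemp)
  curl -fsS "$FEED_URL" -o "$raw"
  update_dict "$raw" "$DICT" "sans_blacklist"
  rm -f "$raw"
}
# Run nightly from cron, e.g.:  0 3 * * * /usr/local/bin/update_blacklist.sh --run
# Logstash then reloads the file by itself (assumed filter options):
#   translate { field => "[dest_ip]" destination => "[threat][list]"
#               dictionary_path => "/etc/logstash/blacklist.yml"
#               refresh_interval => 300 }
# For network ranges, give the cidr filter a plain list of CIDRs produced by
# normalize_feed instead:  cidr { address => ["%{dest_ip}"]
#               network_path => "/etc/logstash/blacklist_nets.txt"
#               refresh_interval => 600  add_tag => ["blacklisted"] }
if [ "${1:-}" = "--run" ]; then main; fi
```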