Batch Searches for Threat Data - Indicators Of Compromise

Hi,

We're making use of ELK to do daily Operational Searches in Kibana and it is proving extremely useful.

Is there a way to Automate searches, say once or twice a day against our Indices with a script if we had a structured subset of data to search?

We have a number of Indicators of Compromise that come in each day, IPs, URLs etc. It would be great if we could harness Elastic in some way to do batch searches with this data to see if we find any hits in our environment, we could then pivot on this data etc.

Apologies if this subject has been broached before, but I couldn't find anything relevant.

Thank you
Gordon

Hi,

You may want to look at watcher which allows you to create watches to trigger an alert when a certain query matches:

https://www.elastic.co/guide/en/watcher/current/introduction.html

Thank you. That looks like it could be pretty useful. :slight_smile:
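As an added example (not code from this thread or from Elastic): a Python script that turns a daily indicator list into Elasticsearch `terms` clauses, one per field, and wraps them in a Watcher watch body so the sweep runs on a schedule, as the reply suggests. The ECS-style field names, the `logs-*` index pattern and the sample feed are assumptions.

```python
# Added example: build a batch IoC sweep query and a Watcher watch from a
# daily indicator list. Field names and index pattern are assumptions.
import ipaddress
import json

# Assumed ECS-style field names to check for each indicator type.
FIELDS = {
    "ip": ["source.ip", "destination.ip"],
    "url": ["url.original"],
    "domain": ["url.domain", "dns.question.name"],
}

def classify(ioc: str) -> str:
    """Return 'ip', 'url' or 'domain' for one indicator string."""
    ioc = ioc.strip()
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    return "url" if "://" in ioc else "domain"

def build_query(iocs, chunk=1024):
    """Group indicators by type; emit one terms clause per field per chunk
    so a large feed never produces an oversized single terms list."""
    by_type = {}
    for ioc in iocs:
        ioc = ioc.strip()
        if ioc and not ioc.startswith("#"):   # skip blanks and comments
            by_type.setdefault(classify(ioc), set()).add(ioc)
    should = []
    for kind, values in by_type.items():
        values = sorted(values)
        for field in FIELDS[kind]:
            for i in range(0, len(values), chunk):
                should.append({"terms": {field: values[i:i + chunk]}})
    return {"bool": {"should": should, "minimum_should_match": 1}}

def build_watch(iocs, indices=("logs-*",), interval="12h"):
    """Wrap the sweep in a Watcher watch that fires when any hit is found."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {"indices": list(indices),
                  "body": {"size": 50, "query": build_query(iocs)}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"log_hits": {"logging": {
            "text": "IoC sweep hits: {{ctx.payload.hits.total}}"}}},
    }

if __name__ == "__main__":
    # Constructed sample feed, one indicator per line.
    FEED = "# daily feed\n198.51.100.23\nhttp://bad.example/login\nbad.example\n"
    print(json.dumps(build_watch(FEED.splitlines()), indent=2))
```

The printed body can be PUT to the Watcher API as a watch, or the `query` alone can be run ad hoc against the indices twice a day from a cron job.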