I have Elastic SIEM 7.15 and have enabled the threat intel Filebeat module; it works very well. However, I'm wondering if I can use my own threat intel, gathered and stored in a plain txt file? This comprises IP addresses, domains, URLs, and hashes.
I'd recommend reviewing the fields that are added with the threat intel module and adding the fields to your source data as needed. I've done this in my lab as follows -
Using the CINSscore threat intel feed, I ingest it through filebeat and use ingest pipelines to add the following fields:
I then rename the message field which only contains the IP to "threatintel.indicator.ip"
I'm also hashing the IP to generate a unique value for the _id field so I don't get duplicate intel records.
This works because the threatintel rules are running the following indicator matches -
(source.ip MATCHES threatintel.indicator.ip) OR (destination.ip MATCHES threatintel.indicator.ip)
and querying the following indicator index-
event.module:threatintel and (threatintel.indicator.ip:*)
I haven't looked into adding this to the Filebeat module, but I am able to use Filebeat to work off the custom fields and indexes the module uses, so the module's SIEM rules work.
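The approach above, as an added example (this is not the poster's config and not Elastic's module code): the thread gives the field names the module rules match on (`threatintel.indicator.ip`, `event.module:threatintel`) and the idea of hashing the IP into `_id` to suppress duplicates. Everything else here is an assumption: the pipeline id, the extra `event.*` values, the `ipv4-addr`/`ipv6-addr` type tags, and the constructed feed lines (CINS publishes one IP per line, but the comment and garbage lines below are made up to exercise the drop/reject paths). `build_pipeline()` returns an ingest pipeline body you could `PUT _ingest/pipeline/threatintel-custom-ip`; `enrich()` is a local re-implementation of the same steps so the mapping can be checked offline. Note that the `fingerprint` processor does not produce the same bytes as the local `sha256` call; both are deterministic per IP, which is all the dedup needs.

```python
"""Shape a plain-text IP feed into the fields the Filebeat threatintel module's
SIEM rules query (event.module:threatintel AND threatintel.indicator.ip:*),
with a hash-derived _id so re-ingesting the feed does not create duplicates.

Added example; pipeline id, event.* values and sample feed are assumptions.
"""
import hashlib
import ipaddress
from typing import Dict, Optional

PIPELINE_ID = "threatintel-custom-ip"  # assumed name, not from the thread


def build_pipeline() -> dict:
    """Ingest pipeline equivalent of enrich() below.

    Use it from Filebeat with `pipeline: threatintel-custom-ip` on the input
    that reads the feed file, so every line arrives as `message` and leaves
    with the threatintel.* fields the prebuilt indicator-match rules expect.
    """
    return {
        "description": "plain-text IP feed -> threatintel.indicator.* (added example)",
        "processors": [
            # Skip blank lines and comment lines instead of failing the batch.
            {"drop": {"if": "ctx.message == null || ctx.message.trim().isEmpty() "
                             "|| ctx.message.trim().startsWith('#')"}},
            {"trim": {"field": "message"}},
            # convert to type ip rejects anything that is not a valid address.
            {"convert": {"field": "message", "type": "ip"}},
            {"rename": {"field": "message", "target_field": "threatintel.indicator.ip"}},
            {"set": {"field": "threatintel.indicator.type", "value": "ipv4-addr",
                     "if": "!ctx.threatintel.indicator.ip.contains(':')"}},
            {"set": {"field": "threatintel.indicator.type", "value": "ipv6-addr",
                     "if": "ctx.threatintel.indicator.ip.contains(':')"}},
            {"set": {"field": "event.module", "value": "threatintel"}},
            {"set": {"field": "event.kind", "value": "enrichment"}},
            {"set": {"field": "event.category", "value": "threat"}},
            {"set": {"field": "event.type", "value": "indicator"}},
            # Deterministic _id: the same indicator always maps to the same doc.
            {"fingerprint": {"fields": ["threatintel.indicator.ip"],
                             "target_field": "_id", "method": "SHA-256"}},
        ],
    }


def enrich(line: str) -> Optional[dict]:
    """Local equivalent of the pipeline for one feed line.

    Returns None where the pipeline would drop (blank/comment) or reject
    (non-IP) the document.
    """
    raw = line.strip()
    if not raw or raw.startswith("#"):
        return None
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None  # the convert processor would fail this document
    return {
        # Not byte-identical to the fingerprint processor's output, but
        # equally deterministic, which is what dedup relies on.
        "_id": hashlib.sha256(str(ip).encode()).hexdigest(),
        "event": {"module": "threatintel", "kind": "enrichment",
                  "category": "threat", "type": "indicator"},
        "threatintel": {"indicator": {"ip": str(ip),
                                      "type": f"ipv{ip.version}-addr"}},
    }


def load_feed(text: str) -> Dict[str, dict]:
    """Parse a whole feed, keyed by _id so duplicate IPs collapse to one doc,
    mirroring what the deterministic _id does at index time."""
    docs: Dict[str, dict] = {}
    for line in text.splitlines():
        doc = enrich(line)
        if doc is not None:
            docs[doc["_id"]] = doc
    return docs


# Constructed sample feed (not the real CINS list): one duplicate, one
# comment, one garbage line, one IPv6 address.
SAMPLE_FEED = """# constructed sample, not the real CINS feed
198.51.100.7
203.0.113.9
198.51.100.7
not-an-ip
2001:db8::1
"""

if __name__ == "__main__":
    for doc in load_feed(SAMPLE_FEED).values():
        print(doc["_id"][:12], doc["threatintel"]["indicator"])
```

The `drop` and `convert` steps are the practical caveat: a feed that ever contains a header line or a malformed entry will otherwise fail the whole Filebeat batch. Once the documents carry these fields and land in an index covered by the rule's indicator index pattern, the prebuilt `source.ip MATCHES threatintel.indicator.ip` rules treat them like the module's own feeds.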
Would you mind sharing your threat intel Filebeat config for reference purposes? I wanted to understand how to match or write parsers that adhere to the ECS schema.
Here's my config for my custom threat intel source (cinsscore). Just as a reference, this isn't using the ThreatIntel module - just a regular log source with the threat intel fields added and other stuff dropped that I don't need.