Hi all,
I have two indexes, one is packetbeat, one is threat intelligence feed. Is there any way I can compare the source/destination IP in the captures of packetbeat to the one in the threat intelligence feed?
If anyone is interested, I'm currently using combine plus logstash csv input to bring in the threat intelligence feed.
Since you can't join the data you want to add the intelligence data to the packetbeat index. I would recommend taking a look at Logstash.
@tsmalley I'm using logstash right now. Are you saying I should have one index, which is a combination of my intel data and packetbeat data?
The threat intel input is from a csv, is there any way for me to compare a field in the packetbeat input to a field in this csv?
E.g. If [ip] == [somefieldincsv] then output to different index.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.