Starting with the following;
- 1 large data-set of network traffic to be investigated (JSON)
- 1 tls-fingerprinting data-set or 1 'bad/blocked' IP data-set or ....
When both the network traffic and fingerprint/ip data-sets are in Elasticsearch, how is it possible to correlate the values from both sources? Like some sort of translation, where the network-data gets matched with a fingerprinting data-set.
I would like to add a row to each event in the large data-set of network traffic, saying like 'Bad IP: Yes/No', so that I can create timelines or other visualizations only on data containing 'bad ip's'. Or matching specific values like a TLS fingerprint, adding an application name row to a network event based on a fingerprinting database.
For example using fingerprints found here: https://github.com/LeeBrotherston/tls-fingerprinting
Does anyone have any ideas about how to accomplish this with the Elastic stack?