It would be great to upload custom indicators (IPs, file hashes, domains, etc.) into the Threat Intelligence capabilities of Elasticsearch Security.
I know I could index this material into Elastic using the REST API, however, I was curious if Elastic had considered the ability to add custom indicators via the Security platform in Kibana or if anyone has approached this in another manner.
@digital-thought If you need the indicators not only for indicator match rules, but also for other TI functionality, like the Intelligence view in Security and Threat Intelligence insights, I believe you can use a small hack and leverage Machine Learning > Data Visualizer > File to upload a CSV to an index and define the mapping for the data in the CSV. Mind though, that the mapping should match the ECS schema for Indicator of Compromise under threat.indicator.* and the index should either match the index pattern defined in the securitySolution:defaultThreatIndex advanced setting (by default it is logs_ti*) or you can just add the index to the pattern. As this is not officially supported, there might be things I missed that prevented it from working, but you can play with the functionality and see if it works for you.
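The answer above relies on the CSV being mapped to ECS `threat.indicator.*` fields and landing in an index that matches the `logs_ti*` pattern. As an added example (not code from the thread or from Elastic), the script below converts a small indicator CSV into ECS-shaped documents and produces the NDJSON body for the `_bulk` REST API mentioned in the question, so the same data can be loaded either way. The CSV columns (`value,description,confidence`), the index name `logs_ti-custom`, the feed name `custom-csv` and the sample rows are all constructed for illustration; the field names are standard ECS threat fields.

```python
"""Convert a custom indicator CSV into ECS threat.indicator documents.

Added example. Assumes the CSV has the columns value,description,confidence
and that the target index is logs_ti-custom (chosen here so it matches the
logs_ti* pattern mentioned in the thread). Field names follow ECS threat.*.
"""
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample CSV, not real intelligence data.
SAMPLE_CSV = """value,description,confidence
203.0.113.10,scanner seen in honeypot,High
example.invalid,phishing landing page,Medium
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,dropper sample,High
"""

TARGET_INDEX = "logs_ti-custom"  # assumed; must match securitySolution:defaultThreatIndex
FEED_NAME = "custom-csv"         # assumed label for threat.feed.name / threat.indicator.provider

HASH_RE = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
}


def classify(value):
    """Return (ECS threat.indicator.type, sub-field path) for a raw indicator string."""
    value = value.strip()
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv4-addr" if ip.version == 4 else "ipv6-addr", "ip")
    except ValueError:
        pass
    for algo, pattern in HASH_RE.items():
        if pattern.match(value):
            return ("file", f"file.hash.{algo}")
    # Conservative domain check: letter/digit/hyphen labels joined by dots, alphabetic TLD.
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value.lower()):
        return ("domain-name", "url.domain")
    raise ValueError(f"unrecognised indicator: {value!r}")


def set_path(doc, dotted, value):
    """Assign value at a dotted path, creating nested dicts (ECS nested object form)."""
    cur = doc
    parts = dotted.split(".")
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def to_ecs_doc(row, now=None):
    """Build one ECS enrichment event describing a single indicator."""
    itype, field = classify(row["value"])
    ts = (now or datetime.now(timezone.utc)).isoformat()
    doc = {
        "@timestamp": ts,
        "event": {"kind": "enrichment", "category": ["threat"], "type": ["indicator"]},
        "threat": {
            "feed": {"name": FEED_NAME},
            "indicator": {
                "type": itype,
                "first_seen": ts,
                "confidence": row["confidence"],
                "description": row["description"],
                "provider": FEED_NAME,
            },
        },
    }
    set_path(doc["threat"]["indicator"], field, row["value"].strip())
    return doc


def build_bulk_body(csv_text, index=TARGET_INDEX, now=None):
    """Return an NDJSON string suitable for POST /_bulk (action line + document line per row)."""
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lines.append(json.dumps({"create": {"_index": index}}))
        lines.append(json.dumps(to_ecs_doc(row, now)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_CSV), end="")
```

The output can be sent with `curl -H 'Content-Type: application/x-ndjson' --data-binary @body.ndjson https://<cluster>/_bulk`; the index must still carry a mapping that types `threat.indicator.ip` as `ip` and the hash and domain fields as `keyword`, which is exactly the mapping step the answer describes doing in the Data Visualizer.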