Document enrichment via ingest pipeline or Indicator Match rule - which is preferable?

kossde · October 5, 2022, 12:29am

Our elastic cluster is being used as a SIEM and is currently ingesting approximately 3x the data than originally scoped to ingest. It's working pretty hard.

We have recently begun ingesting a MISP for enrichment and alerting and I am trying to determine the best route to employ this MISP. Should we use it for enrichment (example: add 'TOR' field and value if a document's IP address is on a TOR exit node list) or should we instead create indicator match rules to compare the IP addresses in an index to the MISP index?

We are trying to determine which method would utilize the least amount of resources.

Nikita_Khristinin · October 6, 2022, 3:15pm

Hey!

The Indicator Match rule - is an easier way to start and have alerts based on the match from your index and MISP.

But for rule execution there some matching logic happens on the Kibana site, and if you have a huge amount of data to process, it can relate to performance.

Ingest pipeline for enrichment purposes only should consume fewer resources in theory (it's will happen on Elasticsearc side)

system · November 3, 2022, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Indicator Match Detection Rule Not Matched and Mapped to Intel Feeds SIEM detection-rules	17	2307	April 1, 2021
Indicator matching rule recommendation Elastic Security	3	429	August 3, 2021
7.6.0 vs new signals and futher enrich ingestion SIEM	10	1321	April 6, 2020
ELK 7.10 - Indicator index patterns: Value lists SIEM	3	778	March 15, 2021
Issue with rules creation SIEM detection-rules	15	1717	May 5, 2022

Document enrichment via ingest pipeline or Indicator Match rule - which is preferable?

Related topics