Our Elastic cluster is being used as a SIEM and is currently ingesting approximately 3x the data it was originally scoped to ingest. It's working pretty hard.
We have recently begun ingesting a MISP for enrichment and alerting, and I am trying to determine the best route to employ this MISP. Should we use it for enrichment (example: add a 'TOR' field and value if a document's IP address is on a TOR exit node list), or should we instead create indicator match rules to compare the IP addresses in an index to the MISP index?
We are trying to determine which method would utilize the least amount of resources.
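For reference, the enrichment option described in the question (tag a document with a TOR field when its IP is in the MISP index) looks like this in Elasticsearch, using an enrich policy plus an ingest pipeline. This is an added illustration, not code from the original post or a reply to it; the index name `misp-indicators`, the field names `threat.indicator.ip` and `source.ip`, the policy and pipeline names, and the sample address 198.51.100.7 are all assumptions chosen for the example.

```console
# Hypothetical names throughout; adjust to the real MISP index and field layout.
# 1. Enrich policy: exact-match lookup of source IPs against the MISP indicator index.
PUT _enrich/policy/misp-tor-exit-nodes
{
  "match": {
    "indices": "misp-indicators",
    "match_field": "threat.indicator.ip",
    "enrich_fields": ["threat.indicator.type", "threat.indicator.description"]
  }
}

# 2. Build the enrich index. This is a snapshot: it must be re-executed whenever
#    the MISP index changes, or new indicators are silently ignored at ingest.
POST _enrich/policy/misp-tor-exit-nodes/_execute

# 3. Pipeline: one lookup per document at ingest time, then set a boolean 'tor' field.
PUT _ingest/pipeline/tag-tor-exit
{
  "description": "Flag events whose source.ip matches a MISP TOR exit node indicator",
  "processors": [
    {
      "enrich": {
        "policy_name": "misp-tor-exit-nodes",
        "field": "source.ip",
        "target_field": "misp_match",
        "ignore_missing": true
      }
    },
    {
      "set": {
        "if": "ctx.misp_match != null",
        "field": "tor",
        "value": true
      }
    },
    {
      "remove": {
        "field": "misp_match",
        "ignore_missing": true
      }
    }
  ]
}

# 4. Dry run against a constructed document (TEST-NET-2 address) before wiring the
#    pipeline into the data stream; a hit returns "tor": true in the simulated output.
POST _ingest/pipeline/tag-tor-exit/_simulate
{
  "docs": [
    { "_source": { "source": { "ip": "198.51.100.7" } } }
  ]
}
```

The cost profile of this approach is paid once per ingested document (the enrich lookup against the in-memory enrich index), whereas an indicator match rule re-queries the source index on every rule interval. The operational caveat is step 2: the enrich index does not follow the MISP index on its own, so the policy needs to be re-executed on a schedule matched to how often MISP is refreshed.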