Hello,
I am trying to create a indicator match rule in ELK 7.10 where i have to give the indicator index pattern. Is there any default indicator index in ELK 7.10 or do i need to create a new indicator index with IOC logs from external source?
Thanks & regards
Currently there is a lot of different ways to set it up. In short, yes, you do need to create and setup an indicator index pattern. We do have file beat which can help out with regards to MISP feeds and modules. There's some caveats such as duplication you have to be careful of as outlined here:
Hello @jancodenew and @Frank_Hassanabad .
Just wanted to add a small update to the post that was linked.
There has been updates to the MISP module in 7.11 to fix certain caveats like deduplication and better polling intervals: [Filebeat] MISP improvements by marc-gr · Pull Request #23070 · elastic/beats · GitHub
There is also a more IOC focused filebeat module in the making, though cannot speak on specific release dates or versions as they might change at this moment, but keep your eyes open on new release notes 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.