Enrich SIEM Data

austinsonger · November 17, 2020, 6:49pm

How to enrich SIEM data with Threat Intelligence? SIEM data can be overwhelming, how to implement Threat Intelligence feed like OTX Alienvault or other Intel feeds?

randomguy · November 22, 2020, 8:10am

Hi,

I'm not an ELK expert so maybe others have better solution.
I also tried to find ways to deal with Threat Intel but none of them are easy and user friendly.

Logstash:
You can use Logstash and memcached to enrich data.
Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions

Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)

Preprocessor:
Store the Threat intel inside ELK and enrich the data with enrich processor.
I can't find any good article about it.

Enrich processor | Elasticsearch Reference [7.10] | Elastic

My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack

system · December 20, 2020, 8:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need to integrate threat Intel with ELK, which solution shall i look for, any opensource suggestion? Elasticsearch	1	316	August 2, 2018
Near Realtime Threat Intel enrichment using custom external sources stored on enrichment indexes Logstash	2	313	December 23, 2021
Threat Intel and SIEM SIEM	3	4124	December 15, 2020
How to apply Third Party or Custom Threat intel feeds with SIEM App? SIEM	3	562	May 20, 2020
IP Watch List Functionality SIEM elastic-stack-alerting	7	1388	May 13, 2020

Enrich SIEM Data

Related topics