How to enrich SIEM data with Threat Intelligence? SIEM data can be overwhelming; how do I implement a Threat Intelligence feed like OTX AlienVault or other intel feeds?
Hi,
I'm not an ELK expert, so maybe others have a better solution.
I also tried to find ways to deal with Threat Intel, but none of them are easy and user-friendly.
- Logstash:
You can use Logstash and memcached to enrich data.
Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions
Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)
- Preprocessor:
Store the threat intel inside ELK and enrich the data with the enrich processor.
I can't find any good article about it.
Enrich processor | Elasticsearch Reference [7.10] | Elastic
My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack
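An added example of the enrich-processor approach the reply mentions, written for the Kibana Dev Tools console (not code from the original post). The index name threat-intel, the policy and pipeline names, and the field names (indicator.ip, source.ip, threat) are assumptions; the indicator values are constructed.

```console
# Constructed example; index, policy, pipeline and field names are assumptions.

# 1. Source index holding indicators (e.g. pulled from OTX or MISP by a feed script).
PUT /threat-intel/_doc/1
{
  "indicator": {
    "ip": "203.0.113.5",
    "source": "otx-pulse-example",
    "confidence": 75,
    "first_seen": "2020-11-01T00:00:00Z"
  }
}

# 2. Enrich policy: match event IPs against indicator.ip and copy selected fields.
PUT /_enrich/policy/threat-intel-ip
{
  "match": {
    "indices": "threat-intel",
    "match_field": "indicator.ip",
    "enrich_fields": ["indicator.source", "indicator.confidence", "indicator.first_seen"]
  }
}

# 3. Build the enrich index. Re-run this after every feed update: the policy
#    reads a snapshot, not the live threat-intel index.
POST /_enrich/policy/threat-intel-ip/_execute

# 4. Ingest pipeline. ignore_missing lets events without source.ip pass untouched.
PUT /_ingest/pipeline/enrich-threat-intel
{
  "description": "Tag events whose source.ip appears in the threat-intel index",
  "processors": [
    {
      "enrich": {
        "policy_name": "threat-intel-ip",
        "field": "source.ip",
        "target_field": "threat",
        "ignore_missing": true
      }
    }
  ]
}

# 5. Dry run: only the first document comes back with a "threat" object.
POST /_ingest/pipeline/enrich-threat-intel/_simulate
{
  "docs": [
    { "_source": { "source": { "ip": "203.0.113.5" } } },
    { "_source": { "source": { "ip": "192.0.2.10" } } }
  ]
}
```

Attach the pipeline to the event index (index.default_pipeline) or to the Beats/Logstash output so every incoming event is checked; a detection rule can then simply alert on the presence of the threat field.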