Enrich SIEM Data

austinsonger · November 17, 2020, 6:49pm

How to enrich SIEM data with Threat Intelligence? SIEM data can be overwhelming, how to implement Threat Intelligence feed like OTX Alienvault or other Intel feeds?

randomguy · November 22, 2020, 8:10am

Hi,

I'm not an ELK expert so maybe others have better solution.
I also tried to find ways to deal with Threat Intel but none of them are easy and user friendly.

Logstash:
You can use Logstash and memcached to enrich data.
Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions

Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)

Preprocessor:
Store the Threat intel inside ELK and enrich the data with enrich processor.
I can't find any good article about it.

Enrich processor | Elasticsearch Reference [7.10] | Elastic

My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack

system · December 20, 2020, 8:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Near Realtime Threat Intel enrichment using custom external sources stored on enrichment indexes Logstash	2	313	December 23, 2021
Threat Intel and SIEM SIEM	3	4109	December 15, 2020
IP Watch List Functionality SIEM elastic-stack-alerting	7	1382	May 13, 2020
Can you guys suggest some courses or training about using ELK in soc as a SIEM, XDR, threat hunting, IR or anything related to SOC please? Elastic Security	2	30	September 23, 2024
Integrate Events into Elastic SIEM SIEM	5	1148	April 19, 2020

Enrich SIEM Data

Related Topics