Enrich SIEM Data

How to enrich SIEM data with Threat Intelligence? SIEM data can be overwhelming; how do I implement a Threat Intelligence feed like OTX AlienVault or other Intel feeds?

Hi,

I'm not an ELK expert, so maybe others have a better solution.
I also tried to find ways to deal with Threat Intel, but none of them are easy and user-friendly.

  1. Logstash:
    You can use Logstash and memcached to enrich data.
    Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
    Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
    Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions

Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)

  2. Preprocessor:
    Store the Threat intel inside ELK and enrich the data with enrich processor.
    I can't find any good article about it.

Enrich processor | Elasticsearch Reference [7.10] | Elastic

My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack

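As an added example (not code from the thread or from Elastic), the following Python script shows the second approach from the answer above end to end: it builds the request bodies for an enrich policy and an ingest pipeline with an `enrich` processor, and it applies the same match-on-`source.ip` logic locally so the flow can be tried without a running cluster. The index name `threat-intel`, the policy and pipeline names, the `indicator`/`type`/`source`/`confidence` field names, and all indicator values and SIEM events are constructed for this example.

```python
"""Added example: enrich SIEM events from a threat-intel index the way the
Elasticsearch enrich processor does (match policy keyed on an indicator).

Everything here is constructed for illustration: index, policy and pipeline
names, field names, indicator values and sample events."""
import ipaddress
import json

# Constructed threat-intel documents, the shape an OTX pulse export could be
# normalised into before being indexed into `threat-intel`. The domain entry
# is there to show that a policy keyed on IPs has to skip non-IP indicators.
THREAT_INTEL_DOCS = [
    {"indicator": "203.0.113.45", "type": "IPv4", "source": "constructed-feed", "confidence": "high"},
    {"indicator": "198.51.100.7", "type": "IPv4", "source": "constructed-feed", "confidence": "medium"},
    {"indicator": "evil.example", "type": "domain", "source": "constructed-feed", "confidence": "low"},
]

# Constructed SIEM events with an ECS-style `source.ip` field.
SIEM_EVENTS = [
    {"@timestamp": "2021-01-10T10:00:00Z", "source": {"ip": "10.0.0.5"}, "event": {"action": "login"}},
    {"@timestamp": "2021-01-10T10:00:01Z", "source": {"ip": "203.0.113.45"}, "event": {"action": "connection"}},
]


def enrich_policy(index="threat-intel"):
    """Body for PUT /_enrich/policy/<name>: a `match` policy on `indicator`."""
    return {
        "match": {
            "indices": index,
            "match_field": "indicator",
            "enrich_fields": ["type", "source", "confidence"],
        }
    }


def ingest_pipeline(policy_name="threat-intel-ip"):
    """Body for PUT /_ingest/pipeline/<name>: look up `source.ip` in the policy
    and write the matching indicator document under `threat.indicator`."""
    return {
        "description": "Tag SIEM events whose source.ip appears in threat intel",
        "processors": [
            {
                "enrich": {
                    "policy_name": policy_name,
                    "field": "source.ip",
                    "target_field": "threat.indicator",
                    "ignore_missing": True,  # events without source.ip pass through untouched
                }
            }
        ],
    }


def build_lookup(docs):
    """Local stand-in for the executed enrich index: exact-match dict keyed on
    the indicator. Only indicators that parse as IP addresses are kept, because
    a match policy does exact string matches and a domain or hash would never
    match a `source.ip` value."""
    lookup = {}
    for doc in docs:
        try:
            ipaddress.ip_address(doc["indicator"])
        except ValueError:
            continue
        lookup[doc["indicator"]] = doc
    return lookup


def enrich_event(event, lookup, field="source.ip", target="threat.indicator"):
    """Apply the match-policy semantics to one event: if the value at `field`
    is in the lookup, return a copy of the event with the indicator document
    under `target`; otherwise return the event unchanged (ignore_missing)."""
    value = event
    for part in field.split("."):
        if not isinstance(value, dict) or part not in value:
            return event
        value = value[part]
    hit = lookup.get(str(value))
    if hit is None:
        return event
    enriched = json.loads(json.dumps(event))  # deep copy; the source event is not mutated
    node = enriched
    parts = target.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = dict(hit)
    return enriched


def enrich_all(events, docs):
    """Run every event through the local enrichment, like the pipeline would."""
    lookup = build_lookup(docs)
    return [enrich_event(e, lookup) for e in events]


if __name__ == "__main__":
    print(json.dumps(enrich_policy(), indent=2))
    print(json.dumps(ingest_pipeline(), indent=2))
    for e in enrich_all(SIEM_EVENTS, THREAT_INTEL_DOCS):
        print(json.dumps(e))
```

Against a real cluster the order matters: index the indicator documents, create the policy with the first body, execute it (`POST /_enrich/policy/<name>/_execute`) so the enrich index is built, then create the pipeline and index events with `?pipeline=<name>`. The enrich index is a snapshot, so the policy has to be re-executed whenever the feed is refreshed, which is the part that makes the memcached/Logstash route from the answer attractive for fast-changing feeds.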
