Enrich SIEM Data


I'm not an ELK expert, so maybe others have a better solution.
I also tried to find ways to deal with Threat Intel, but none of them are easy and user-friendly.

  1. Logstash:
    You can use Logstash and memcached to enrich data.
    Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
    Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
    Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions

Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)

  2. Preprocessor:
    Store the threat intel inside ELK and enrich the data with the enrich processor.
    I can't find any good article about it.

Enrich processor | Elasticsearch Reference [7.10] | Elastic

My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack

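As an added example (not from the thread above or from Elastic), here is what the second approach looks like end to end: the enrich-policy and ingest-pipeline request bodies in the shape the Elasticsearch 7.x enrich API expects, plus a small offline stand-in that applies the same exact-match lookup so the expected result can be checked without a cluster. The index name, policy name, pipeline id, indicator documents and sample events are all constructed assumptions; `local_enrich` is a hypothetical helper, not part of Elasticsearch.

```python
"""Threat-intel enrichment of SIEM events via the enrich-processor pattern.

Added example, not code from the forum thread. Request bodies follow the
Elasticsearch 7.x enrich API; the indicator list and events are constructed
sample data; local_enrich is a hypothetical stand-in for the pipeline.
"""
import json

INTEL_INDEX = "threat-intel-ip"   # assumed index holding the indicators
POLICY_NAME = "ti-ip-match"       # assumed enrich policy name
PIPELINE_ID = "siem-ti-enrich"    # assumed ingest pipeline id

# Constructed indicator documents, as they would be indexed in INTEL_INDEX.
INDICATORS = [
    {"indicator.ip": "203.0.113.7", "threat.feed": "example-feed",
     "threat.type": "c2", "threat.confidence": 80},
    {"indicator.ip": "198.51.100.23", "threat.feed": "example-feed",
     "threat.type": "scanner", "threat.confidence": 40},
]

# Constructed SIEM events (RFC 5737 documentation addresses only).
SAMPLE_EVENTS = [
    {"@timestamp": "2021-01-10T08:00:01Z", "source.ip": "203.0.113.7",
     "destination.port": 443, "event.action": "connection_attempt"},
    {"@timestamp": "2021-01-10T08:00:02Z", "source.ip": "192.0.2.44",
     "destination.port": 22, "event.action": "connection_attempt"},
    {"@timestamp": "2021-01-10T08:00:03Z", "event.action": "logon"},
]


def enrich_policy_body():
    """Body for PUT /_enrich/policy/<POLICY_NAME>: an exact-match policy keyed
    on indicator.ip that copies the listed threat fields onto a matching event.
    After creation it must be executed: POST /_enrich/policy/<name>/_execute."""
    return {
        "match": {
            "indices": INTEL_INDEX,
            "match_field": "indicator.ip",
            "enrich_fields": ["threat.feed", "threat.type", "threat.confidence"],
        }
    }


def ingest_pipeline_body():
    """Body for PUT /_ingest/pipeline/<PIPELINE_ID>. The enrich processor looks
    up source.ip; on a hit the indicator document is written under
    threat.indicator. ignore_missing keeps events without a source.ip flowing.
    A set processor then adds a boolean that detection rules can key on."""
    return {
        "description": "Tag events whose source.ip appears in threat intel",
        "processors": [
            {"enrich": {
                "policy_name": POLICY_NAME,
                "field": "source.ip",
                "target_field": "threat.indicator",
                "max_matches": 1,
                "ignore_missing": True,
            }},
            {"set": {
                "if": "ctx.threat?.indicator != null",
                "field": "threat.matched",
                "value": True,
            }},
        ],
    }


def local_enrich(events, indicators, field="source.ip", match_field="indicator.ip"):
    """Hypothetical offline stand-in for the pipeline above: exact-match lookup
    with the same output shape (the whole indicator doc, match field included,
    lands under threat.indicator). Events without the field pass through."""
    lookup = {doc[match_field]: doc for doc in indicators}
    enriched = []
    for event in events:
        event = dict(event)  # never mutate the caller's copy
        hit = lookup.get(event.get(field))
        if hit is not None:
            event["threat.indicator"] = dict(hit)
            event["threat.matched"] = True
        enriched.append(event)
    return enriched


if __name__ == "__main__":
    print(json.dumps(enrich_policy_body(), indent=2))
    print(json.dumps(ingest_pipeline_body(), indent=2))
    for ev in local_enrich(SAMPLE_EVENTS, INDICATORS):
        print(ev.get("source.ip"), "->", ev.get("threat.indicator"))
```

Re-run `_execute` whenever the indicator index changes, since a match policy reads from a snapshot taken at execution time rather than the live index; the enrich processor itself is cheap per event, which is why it scales better than a per-event Elasticsearch query from Logstash.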