Enrich SIEM Data

randomguy · November 22, 2020, 8:10am

Hi,

I'm not an ELK expert so maybe others have better solution.
I also tried to find ways to deal with Threat Intel but none of them are easy and user friendly.

Logstash:
You can use Logstash and memcached to enrich data.
Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions

Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)

Preprocessor:
Store the Threat intel inside ELK and enrich the data with enrich processor.
I can't find any good article about it.

Enrich processor | Elasticsearch Reference [7.10] | Elastic

My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack

Topic		Replies	Views
Near Realtime Threat Intel enrichment using custom external sources stored on enrichment indexes Logstash	2	313	December 23, 2021
Threat Intel and SIEM SIEM	3	4109	December 15, 2020
IP Watch List Functionality SIEM elastic-stack-alerting	7	1382	May 13, 2020
Can you guys suggest some courses or training about using ELK in soc as a SIEM, XDR, threat hunting, IR or anything related to SOC please? Elastic Security	2	30	September 23, 2024
Integrate Events into Elastic SIEM SIEM	5	1148	April 19, 2020

Enrich SIEM Data

Related Topics