Enrich SIEM Data

randomguy · November 22, 2020, 8:10am

Hi,

I'm not an ELK expert so maybe others have better solution.
I also tried to find ways to deal with Threat Intel but none of them are easy and user friendly.

Logstash:
You can use Logstash and memcached to enrich data.
Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions

Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)

Preprocessor:
Store the Threat intel inside ELK and enrich the data with enrich processor.
I can't find any good article about it.

Enrich processor | Elasticsearch Reference [7.10] | Elastic

My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack

Topic		Replies	Views
Need to integrate threat Intel with ELK, which solution shall i look for, any opensource suggestion? Elasticsearch	1	316	August 2, 2018
Near Realtime Threat Intel enrichment using custom external sources stored on enrichment indexes Logstash	2	313	December 23, 2021
Threat Intel and SIEM SIEM	3	4124	December 15, 2020
How to apply Third Party or Custom Threat intel feeds with SIEM App? SIEM	3	562	May 20, 2020
IP Watch List Functionality SIEM elastic-stack-alerting	7	1388	May 13, 2020

Enrich SIEM Data

Related topics