Hi,
I'm not an ELK expert, so maybe others have a better solution.
I also tried to find ways to deal with Threat Intel, but none of them are easy and user-friendly.
- Logstash:
You can use Logstash and memcached to enrich data.
Enriching ElasticSearch With Threat Data - Part 1 - MISP - Security Distractions
Enriching ElasticSearch With Threat Data - Part 2 - Memcached and Python - Security Distractions
Enriching ElasticSearch With Threat Data - Part 3 - Logstash - Security Distractions
Or you can use another method:
Dsiem - Security event correlation engine for ELK stack (hakin9.org)
- Preprocessor:
Store the Threat Intel inside ELK and enrich the data with the enrich processor.
I can't find any good article about it.
Enrich processor | Elasticsearch Reference [7.10] | Elastic
My original post:
Threat Intel and SIEM - Elastic Security / SIEM - Discuss the Elastic Stack
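As an added example (not code from the post or from Elastic), the enrich-processor approach mentioned above: the request bodies you would send to a 7.x cluster for the enrich policy and the ingest pipeline, plus a small offline model of what the processor does at ingest time, run over constructed indicator documents and constructed events. Index, policy, pipeline and field names (`threat-intel`, `ti-source-ip`, `ti-enrich`, `indicator.ip`, `source.ip`, `threat`) are assumptions for illustration.

```python
"""Threat-intel enrichment with the Elasticsearch enrich processor (added example).

Two parts:
  1. enrich_policy_body() / ingest_pipeline_body(): the JSON bodies for
     PUT /_enrich/policy/<name> and PUT /_ingest/pipeline/<name>.
  2. execute_policy() / enrich_events(): an offline model of the processor's
     behaviour, so the effect can be seen without a cluster.
All names below are assumptions, not values from the original post.
"""
import copy
import json

TI_INDEX = "threat-intel"        # assumed index that holds the indicators
POLICY_NAME = "ti-source-ip"     # assumed enrich policy name
PIPELINE_NAME = "ti-enrich"      # assumed ingest pipeline name
MATCH_FIELD = "indicator.ip"     # field in the indicator docs to match on
EVENT_FIELD = "source.ip"        # field in incoming events to look up
TARGET_FIELD = "threat"          # where the matched indicator is copied
ENRICH_FIELDS = ["indicator.ip", "indicator.type", "indicator.confidence", "source.name"]

# Constructed sample documents for the indicator index.
INDICATORS = [
    {"indicator": {"ip": "198.51.100.23", "type": "ipv4-addr", "confidence": 80},
     "source": {"name": "example-feed"}, "note": "not in enrich_fields, so never copied"},
    {"indicator": {"ip": "203.0.113.9", "type": "ipv4-addr", "confidence": 55},
     "source": {"name": "example-feed"}},
]

# Constructed sample events; the third one has no source.ip at all.
EVENTS = [
    {"@timestamp": "2021-01-10T10:00:00Z", "source": {"ip": "198.51.100.23"}, "event": {"action": "connect"}},
    {"@timestamp": "2021-01-10T10:00:01Z", "source": {"ip": "10.0.0.5"}, "event": {"action": "connect"}},
    {"@timestamp": "2021-01-10T10:00:02Z", "event": {"action": "login"}},
]


def enrich_policy_body():
    """Body for PUT /_enrich/policy/<POLICY_NAME>: a 'match' policy over the indicator index."""
    return {"match": {"indices": TI_INDEX, "match_field": MATCH_FIELD, "enrich_fields": ENRICH_FIELDS}}


def ingest_pipeline_body():
    """Body for PUT /_ingest/pipeline/<PIPELINE_NAME>.
    ignore_missing lets events without source.ip pass through instead of failing."""
    return {"description": "Tag events whose source.ip is a known indicator",
            "processors": [{"enrich": {"policy_name": POLICY_NAME, "field": EVENT_FIELD,
                                        "target_field": TARGET_FIELD, "max_matches": 1,
                                        "ignore_missing": True}}]}


def get_path(doc, path):
    """Read a dotted path such as 'source.ip' from a nested dict; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, path, value):
    """Write a dotted path into a nested dict, creating intermediate objects."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def execute_policy(indicators):
    """Model of POST /_enrich/policy/<name>/_execute: build the lookup snapshot
    (the hidden .enrich-* index) projected to enrich_fields only.
    The processor reads this snapshot, never the live indicator index, so the
    policy has to be executed again after the indicator index changes."""
    lookup = {}
    for doc in indicators:
        key = get_path(doc, MATCH_FIELD)
        if key is None:
            continue
        projected = {}
        for field in ENRICH_FIELDS:
            value = get_path(doc, field)
            if value is not None:
                set_path(projected, field, value)
        lookup.setdefault(key, []).append(projected)
    return lookup


def enrich_events(events, lookup, max_matches=1):
    """Model of the enrich processor: copy matching indicator data under TARGET_FIELD.
    Events with no EVENT_FIELD, or whose value is not an indicator, are returned unchanged."""
    out = []
    for event in events:
        doc = copy.deepcopy(event)
        key = get_path(doc, EVENT_FIELD)
        if key is not None and key in lookup:
            hits = lookup[key][:max_matches]
            set_path(doc, TARGET_FIELD, hits[0] if max_matches == 1 else hits)
        out.append(doc)
    return out


if __name__ == "__main__":
    print(json.dumps(enrich_policy_body(), indent=2))
    print(json.dumps(ingest_pipeline_body(), indent=2))
    for doc in enrich_events(EVENTS, execute_policy(INDICATORS)):
        print(json.dumps(doc))
```

The order on a real cluster is: index the indicators, create the policy, execute it, create the pipeline, then index events with `?pipeline=ti-enrich` (or set it as the index's default pipeline). The point the offline model makes visible is the snapshot: only the fields listed in `enrich_fields` reach the event, and updates to the indicator index are invisible until the policy is executed again, so a scheduled re-execute belongs next to whatever job refreshes the feed.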