Enrichment file for threat feeds in logstash


I'm sending threat feeds to elasticsearch from a linux machine.
I created a patern feeds index in kibana.
Logstash receives Fortinet logs continuously.
I created a patern fortinet index in kibana.

My goal is to detect in the fortinet logs:
malicious IPs
malicious DNS
malicious urls

How can I enrich the logstash configuration for malicious IP detection?
Will I be able to have a sample file configuration?

You probably want to use this filter - https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html - as you ingest your logs.

I am new to using Elastic.
I have already configured the parsing of fortinet logs. And I dropped it in / etc / logstash / cond

I will now want an example of an enrichment configuration file that will detect malicious IP, DNS, URLs in fortinet kibana logs

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.