Enrichment file for threat feeds in logstash


I'm sending threat feeds to elasticsearch from a linux machine.
I created a pattern feeds index in kibana.
Logstash receives Fortinet logs continuously.
I created a pattern fortinet index in kibana.

My goal is to detect in the fortinet logs:
malicious IPs
malicious DNS
malicious urls

How can I enrich the logstash configuration for malicious IP detection?
Will I be able to have a sample file configuration?

You probably want to use this filter - https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html - as you ingest your logs.

I am new to using Elastic.
I have already configured the parsing of fortinet logs. And I dropped it in /etc/logstash/cond

I will now want an example of an enrichment configuration file that will detect malicious IP, DNS, URLs in fortinet kibana logs
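
The following is an added example, not written by any poster in this thread, of how the elasticsearch filter linked above can look up Fortinet fields in the feeds index at ingest time. The event field names (`dstip`, `hostname`, `url`), the feed index name `feeds-*`, the feed document fields (`type`, `indicator`, `feed_name`), the cluster address and the `[threat]` target fields are all assumptions and must be changed to match the real parsing and feed mapping.

```logstash
filter {
  # Malicious IP: look up the destination IP of the Fortinet event in the feed index.
  # [dstip] is an assumed field name produced by the existing Fortinet parsing.
  if [dstip] {
    elasticsearch {
      hosts  => ["localhost:9200"]        # assumed cluster address
      index  => "feeds-*"                 # assumed name of the threat feed index
      # Quoting the value keeps ':' and '/' from being read as query syntax.
      # Assumes feed documents store the indicator in a keyword field.
      query  => 'type:ip AND indicator:"%{[dstip]}"'
      # Copy fields from the matching feed document onto the Fortinet event.
      fields => {
        "indicator" => "[threat][ip]"
        "feed_name" => "[threat][ip_feed]"
      }
      tag_on_failure => ["_feed_lookup_failed"]
    }
  }

  # Malicious DNS name: same lookup against the requested host name.
  if [hostname] {
    elasticsearch {
      hosts  => ["localhost:9200"]
      index  => "feeds-*"
      query  => 'type:domain AND indicator:"%{[hostname]}"'
      fields => { "indicator" => "[threat][domain]" }
      tag_on_failure => ["_feed_lookup_failed"]
    }
  }

  # Malicious URL: same lookup against the full URL.
  if [url] {
    elasticsearch {
      hosts  => ["localhost:9200"]
      index  => "feeds-*"
      query  => 'type:url AND indicator:"%{[url]}"'
      fields => { "indicator" => "[threat][url]" }
      tag_on_failure => ["_feed_lookup_failed"]
    }
  }

  # [threat] only exists when at least one lookup returned a feed document.
  if [threat] {
    mutate { add_tag => ["threat_match"] }
  }
}
```

Events tagged `threat_match` can then be filtered in Kibana on the fortinet index, and `_feed_lookup_failed` marks events where the query itself errored rather than returned no hit. Each lookup is one Elasticsearch query per event, so the conditionals keep it to events that actually carry the field.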