Hi everyone,
I'm currently working on a preventive security analysis module as part of a project, and I'm integrating the following components:
- Wazuh for SIEM and endpoint monitoring (running via Docker)
- MISP for threat intelligence feeds (also Dockerized)
- Logstash for parsing and enriching log data
My objective is to:
- Collect endpoint logs via Wazuh.
- Forward relevant events to Logstash for processing.
- Enrich or correlate this data using threat intel from MISP.
- Optionally forward enriched logs to OpenSearch or Elasticsearch for visualization in Kibana or Dashboards.
I’ve already got each service up and running in Docker containers. My questions are:
- What is the recommended way to pull MISP data into Logstash? Is it best to use the MISP JSON API with the http_poller plugin?
- How can I ensure Logstash and Wazuh are efficiently integrated while keeping performance optimized in Docker?
- Should enrichment happen directly in Logstash, or is it more efficient to do correlation in Wazuh before shipping logs?
- Any sample pipelines or community plugins that could help with this kind of setup?
Any guidance, examples, or links to similar use cases would be really appreciated!
Thanks in advance!
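As an added example that is not part of the original post, here is the correlation step from the question written out in Python: flatten a MISP `/attributes/restSearch` reply into an indicator lookup, then match Wazuh alert fields against it. The MISP response, the Wazuh alerts and the type-to-field mapping are constructed samples (the Wazuh field names follow the decoded-field layout of syscheck and Sysmon-over-Windows-eventchannel alerts, but treat them as assumptions and adjust to the decoders you actually run). The same logic is what a Logstash `translate` filter would perform once the lookup is on disk; the last function produces that dictionary in the string-valued form `translate` accepts.

```python
"""Build an IOC lookup from a MISP restSearch reply and enrich Wazuh alerts.
Added example; every payload below is a constructed sample, not real data."""
import json
from typing import Any, Dict, List, Optional

# Which Wazuh alert fields (dotted paths) a MISP attribute type is matched
# against. Assumption: paths follow Wazuh's decoded-field names for syscheck
# and Sysmon via the Windows eventchannel; adapt to your own decoders.
MISP_TYPE_TO_WAZUH_FIELDS: Dict[str, List[str]] = {
    "ip-src": ["data.srcip"],
    "ip-dst": ["data.dstip", "data.win.eventdata.destinationIp"],
    "ip": ["data.srcip", "data.dstip", "data.win.eventdata.destinationIp"],
    "domain": ["data.win.eventdata.queryName"],
    "md5": ["syscheck.md5_after"],
    "sha1": ["syscheck.sha1_after"],
    "sha256": ["syscheck.sha256_after"],
}
WATCHED_FIELDS = sorted({p for paths in MISP_TYPE_TO_WAZUH_FIELDS.values() for p in paths})

# Constructed sample in the shape of a MISP /attributes/restSearch JSON reply.
MISP_RESPONSE: Dict[str, Any] = {"response": {"Attribute": [
    {"id": "101", "event_id": "7", "type": "ip-dst", "value": "198.51.100.23",
     "to_ids": True, "category": "Network activity",
     "Tag": [{"name": "tlp:amber"}, {"name": "kill-chain:Command and Control"}]},
    # Compound attribute: both halves become separate indicators.
    {"id": "102", "event_id": "7", "type": "domain|ip", "value": "bad.example|203.0.113.9",
     "to_ids": True, "category": "Network activity", "Tag": []},
    {"id": "103", "event_id": "8", "type": "sha256", "to_ids": True, "category": "Payload delivery",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # to_ids=False means "context only, not for detection": must be skipped.
    {"id": "104", "event_id": "8", "type": "ip-src", "value": "192.0.2.77",
     "to_ids": False, "category": "Network activity"},
]}}

# Constructed sample Wazuh alerts (shape of alerts.json lines).
WAZUH_ALERTS: List[Dict[str, Any]] = [
    {"rule": {"id": "550", "level": 7}, "agent": {"name": "web01"},
     "syscheck": {"path": "/tmp/dropper",  # uppercase hash exercises normalisation
                  "sha256_after": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}},
    {"rule": {"id": "92001", "level": 3}, "agent": {"name": "ws42"},
     "data": {"win": {"eventdata": {"destinationIp": "198.51.100.23",
                                    "image": "C:\\Windows\\System32\\rundll32.exe"}}}},
    {"rule": {"id": "5715", "level": 3}, "agent": {"name": "web01"}, "data": {"srcip": "192.0.2.77"}},
]


def build_ioc_dictionary(misp_response: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Flatten MISP attributes into {indicator_value: context}. Keeps only
    attributes flagged to_ids, splits compound types (domain|ip) into one key
    per half and lower-cases values so hash/domain case never blocks a match."""
    iocs: Dict[str, Dict[str, Any]] = {}
    for attr in misp_response.get("response", {}).get("Attribute", []):
        if not attr.get("to_ids"):
            continue
        types, values = attr["type"].split("|"), attr["value"].split("|")
        if len(types) != len(values):
            continue  # malformed compound attribute: do not guess which half is which
        tags = [t["name"] for t in attr.get("Tag", [])]
        for misp_type, value in zip(types, values):
            if misp_type not in MISP_TYPE_TO_WAZUH_FIELDS:
                continue  # no alert field to match this type against
            iocs[value.strip().lower()] = {
                "misp_type": misp_type, "misp_event_id": attr.get("event_id"),
                "misp_attribute_id": attr.get("id"), "misp_category": attr.get("category"),
                "misp_tags": tags,
            }
    return iocs


def get_field(obj: Dict[str, Any], dotted: str) -> Optional[str]:
    """Resolve a dotted path such as 'data.win.eventdata.destinationIp'."""
    cur: Any = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return None if cur is None else str(cur)


def enrich_alert(alert: Dict[str, Any], iocs: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Return a deep copy of the alert with a 'misp' block listing every
    watched field that hit an indicator; alerts with no hit come back unchanged."""
    enriched = json.loads(json.dumps(alert))
    matches = []
    for path in WATCHED_FIELDS:
        value = get_field(alert, path)
        if value is None:
            continue
        hit = iocs.get(value.strip().lower())
        if hit:
            matches.append({"field": path, "value": value, **hit})
    if matches:
        enriched["misp"] = {"matched": True, "matches": matches}
    return enriched


def to_translate_dictionary(iocs: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Serialise each context as a JSON string: a flat string-valued map is the
    form a Logstash translate dictionary file can carry; a json filter decodes
    the hit back into fields after the lookup."""
    return {k: json.dumps(v, sort_keys=True) for k, v in iocs.items()}


if __name__ == "__main__":
    lookup = build_ioc_dictionary(MISP_RESPONSE)
    for a in WAZUH_ALERTS:
        print(json.dumps(enrich_alert(a, lookup)))
```

Running it, only the first two alerts gain a `misp` block; the third touches an indicator whose `to_ids` flag is off, so it stays unenriched, which is the filter you want before a feed starts paging people. Written to disk as JSON, the output of `to_translate_dictionary` is the kind of file a `translate` filter can refresh on an interval, which sidesteps the awkwardness of turning an `http_poller` event into a lookup table inside the same pipeline.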