Can anyone please suggest a way to apply a third-party threat intel feed to the SIEM app? Does that have to be done with the Logstash translate dictionary feature? Since there are multiple indices involved, can someone please guide me?
You can do this if the event has already been enriched to include the threat intel feed information when it's written to ES.
We use the SIEM detection rules with something like `_exists_:threat_intel.found_in`, and ensure it covers all of the indexes we're interested in generating a Signal against. Currently, we do this in Logstash (for general devices like unsupported NGFWs, e.g. Junos or Symantec) or Filebeat (Zeek data).
We don't use the dictionary feature ourselves, but it doesn't matter which mutate feature you use. As long as the threat data is in the individual event, you can generate a Signal against it.
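The two halves of the answer above, ingest-time enrichment and an `_exists_`-style rule that spans several indices, as an added worked example that is not code from the thread or from Elastic. It is a Python stand-in for what a Logstash translate filter (or a Filebeat processor) does per event: a feed is loaded into a dictionary once, each event's watched ECS fields are looked up, and a hit writes `threat_intel.found_in` into the event before it would be indexed. The feed contents, index names, the `LOOKUP_FIELDS` map and the `matched_field` key are all constructed for the example; the last sample event lands in an index the rule's patterns do not cover, to show why the index list matters.

```python
"""Threat-intel enrichment at ingest, then an _exists_-style detection over index patterns.
Example code, not from the original thread; feed, events and index names are constructed."""
import copy
import csv
import io
from fnmatch import fnmatch

# Constructed sample feed (hypothetical indicators in documentation address ranges).
THREAT_FEED_CSV = """indicator,type,feed
198.51.100.23,ipv4,acme-blocklist
203.0.113.7,ipv4,acme-blocklist
evil.example,domain,partner-dns-feed
"""

# Which ECS fields to look up for each indicator type (assumed mapping).
LOOKUP_FIELDS = {
    "ipv4": ("source.ip", "destination.ip"),
    "domain": ("dns.question.name", "url.domain"),
}

# Constructed events from three sources; the last one sits in an index the rule below ignores.
SAMPLE_EVENTS = [
    {"_index": "filebeat-7.9.0-zeek", "event": {"dataset": "zeek.dns"},
     "dns": {"question": {"name": "evil.example"}}},
    {"_index": "logs-ngfw-junos", "source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.7"}},
    {"_index": "logs-ngfw-symantec", "source": {"ip": "10.0.0.9"}, "destination": {"ip": "192.0.2.1"}},
    {"_index": "winlogbeat-7.9.0", "destination": {"ip": "198.51.100.23"}},
]


def load_feed(csv_text):
    """Build the lookup table once at pipeline start: indicator -> (type, feed name)."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["indicator"].strip().lower()] = (row["type"], row["feed"])
    return table


def get_field(event, dotted):
    """Read a dotted ECS path such as 'destination.ip' from a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def enrich(event, table):
    """Translate-style lookup: on the first watched field that matches the feed,
    write threat_intel.* into the event so the data travels with it into the index."""
    for itype, fields in LOOKUP_FIELDS.items():
        for field in fields:
            value = get_field(event, field)
            if value is None:
                continue
            hit = table.get(str(value).lower())
            if hit and hit[0] == itype:
                event.setdefault("threat_intel", {})
                event["threat_intel"].update(
                    {"found_in": hit[1], "indicator": str(value), "matched_field": field})
                return event
    return event


def detect(events, index_patterns):
    """Mimic a SIEM rule with query `_exists_:threat_intel.found_in` restricted to
    the given index patterns; events outside those patterns never become Signals."""
    return [e for e in events
            if any(fnmatch(e["_index"], p) for p in index_patterns)
            and get_field(e, "threat_intel.found_in") is not None]


def run_pipeline(index_patterns=("logs-*", "filebeat-*")):
    """Enrich every sample event, then run the rule; returns (enriched events, signals)."""
    table = load_feed(THREAT_FEED_CSV)
    enriched = [enrich(copy.deepcopy(e), table) for e in SAMPLE_EVENTS]
    return enriched, detect(enriched, index_patterns)


if __name__ == "__main__":
    enriched, signals = run_pipeline()
    for e in enriched:
        print(e["_index"], e.get("threat_intel"))
    print("signals from default patterns:", [s["_index"] for s in signals])
    print("signals when winlogbeat-* is added:",
          [s["_index"] for s in run_pipeline(("logs-*", "filebeat-*", "winlogbeat-*"))[1]])
```

Run with the default patterns, the Junos and Zeek events produce Signals and the winlogbeat event does not, even though it was enriched with the same `threat_intel.found_in` field; adding `winlogbeat-*` to the rule's index list is what picks it up. In a real pipeline the lookup table would be refreshed from the feed on a schedule, and the lookup itself would be the translate filter or processor rather than this function.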