How to apply third-party or custom threat intel feeds with the SIEM App?

Hi Guys,

Can anyone please suggest a way to apply a third-party threat intel feed to the SIEM App? Does that have to be done with the Logstash translate dictionary feature? But since there are multiple indices involved, can someone please guide me?

Blason R



You can do this if the event has already been enriched to include the threat intel feed information when it's written to ES.

We use the SIEM detection rules with something like _exists_:threat_intel.found_in, and ensure it covers all of the indexes we're interested in generating a Signal against. Currently, we do this in Logstash (general devices like unsupported NGFW (Junos or Symantec)) or Filebeat (Zeek data).

We don't use the dictionary feature, but it doesn't matter which mutate feature you use. As long as the threat data is in the individual event, you can generate a Signal against it.
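As an added illustration of the approach above (not code from the thread or from Elastic), the following models what a Logstash translate/mutate filter does: each index has its own set of fields to look up in the feed, a hit stamps `threat_intel.found_in` on the event, and one `_exists_` rule then fires across every index. The feed values, field names and index patterns are constructed assumptions.

```python
"""Added illustration: ingest-time threat-intel enrichment across several
indices so one SIEM rule (`_exists_:threat_intel.found_in`) covers them all."""

# Constructed sample feed: indicator -> feed name (placeholder values only).
THREAT_FEED = {
    "198.51.100.23": "example-feed-a",
    "bad.example.test": "example-feed-b",
}

# Fields to look up per index pattern (assumed ECS-style names).
INDEX_FIELDS = {
    "logstash-firewall-*": ["source.ip", "destination.ip"],
    "filebeat-zeek-*": ["source.ip", "destination.ip", "dns.question.name"],
}

def enrich(event: dict, index_pattern: str) -> dict:
    """Return a copy of the event with threat_intel.* fields on a feed match.

    Mirrors a translate filter: look up each configured field in the feed
    dictionary; on the first hit record which field matched (found_in), the
    indicator and the feed name. Non-matching events come back unchanged.
    """
    out = dict(event)
    for field in INDEX_FIELDS.get(index_pattern, []):
        value = event.get(field)
        if value is not None and value in THREAT_FEED:
            out["threat_intel.found_in"] = field
            out["threat_intel.indicator"] = value
            out["threat_intel.feed"] = THREAT_FEED[value]
            break
    return out

def rule_matches(event: dict) -> bool:
    """Equivalent of the detection rule query `_exists_:threat_intel.found_in`."""
    return "threat_intel.found_in" in event

def run_pipeline(events: list) -> list:
    """events: list of (index_pattern, event). Returns the enriched events that
    would generate a Signal, whichever index they came from."""
    signals = []
    for index_pattern, event in events:
        enriched = enrich(event, index_pattern)
        if rule_matches(enriched):
            signals.append(enriched)
    return signals

# Constructed sample events from two different indices.
SAMPLE_EVENTS = [
    ("logstash-firewall-*", {"source.ip": "10.0.0.5", "destination.ip": "198.51.100.23"}),
    ("filebeat-zeek-*", {"source.ip": "10.0.0.9", "dns.question.name": "bad.example.test"}),
    ("filebeat-zeek-*", {"source.ip": "10.0.0.9", "dns.question.name": "good.example.test"}),
]
```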



Whew, that's too much for me at this moment since I have just started with the SIEM app. But that's a great start, though, and thanks for it.
