I need advice on this new use case - IOC

(R) #1

Hi Guys,

I need your inputs or advice on the my use case. I have mulitple sources of malicious IP addresses and domain names. That means daily I am getting almost 1k -2 k such entries.

Now my use case is if I could index those in elasticsearch and then gather the data from my dns servers using packetbeat or logs from my proxy servers/logs from firewall, server, sysmon then

Would it be possible to match against those tagged malicious entries?
And have the dashboard like Source X contacted Destination Y which is malicious?

Can someone pls help as I am not sure how to achieve this or workflow about the same.

(Mark Walkom) #2

You can't join data between indices like that.
You can ingest the IP/domain data into one index, then when you index the logs into other indices you can do "lookups" into the first index to check the quality.

(R) #3

Correct and my ultimate intention is like that. Can you please guide me to the relevant document or guides to achieve those? I mean I found a similar kindaa stuff done by blueliv and yet to configure that.

My ultimate goal is probably use elasticsearch to hunt the threat from my logs or matching IP addresses or domains from those.

(Mark Walkom) #4

You will want to use something like https://www.elastic.co/guide/en/logstash/5.5/plugins-filters-elasticsearch.html

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.