Trying to implement an IP Watch List in SIEM and wondering if there was any guidance/best practices in doing so.
I currently have an index where new malicious IP objects are logged on a regular basis; let's say these objects contain a field named malicious.srcip.
I'd like to detect when logs in other indexes, like packetbeat, have a destination IP address (we'll call the packetbeat field dstip) that matches ANY malicious.srcip in my malicious IP index.
Is there any already-known wisdom on how to accomplish such a thing using Kibana/SIEM? I'm thinking of trying to use Watcher to do this, but I'm not sure how to structure the query so that it will look across all the objects in my malicious IP index as the "value" for the filter. Thoughts?
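An added example, not part of the original post, showing the correlation the question describes done offline in Python over constructed sample documents: it collects the malicious.srcip values (deduplicating and skipping junk entries, with CIDR ranges accepted as an extension of the post's exact-IP case), matches packetbeat dstip values against them, and builds the `terms` filter body that a watch's second search could carry. The sample documents, the `_id` values and the 65536 cap (the assumed default of Elasticsearch's index.max_terms_count) are assumptions.

```python
import ipaddress

# Constructed sample documents (not from the original post): what the
# malicious-IP index and a packetbeat index might hold.
WATCHLIST_DOCS = [
    {"malicious": {"srcip": "203.0.113.7"}},
    {"malicious": {"srcip": "203.0.113.7"}},      # duplicate entry
    {"malicious": {"srcip": "198.51.100.0/24"}},  # a whole range
    {"malicious": {"srcip": "not-an-ip"}},        # bad entry, must be skipped
]
PACKETBEAT_DOCS = [
    {"_id": "a1", "dstip": "203.0.113.7"},
    {"_id": "a2", "dstip": "198.51.100.42"},
    {"_id": "a3", "dstip": "192.0.2.9"},
]

def load_watchlist(docs):
    """Return (exact_ips, networks) from malicious.srcip, dropping unparsable values."""
    exact, nets = set(), []
    for doc in docs:
        raw = doc.get("malicious", {}).get("srcip")
        try:
            if raw and "/" in raw:
                nets.append(ipaddress.ip_network(raw, strict=False))
            else:
                exact.add(str(ipaddress.ip_address(raw)))  # normalises e.g. IPv6 spelling
        except (ValueError, TypeError):
            continue  # never let one bad list entry break the whole watch
    return exact, nets

def find_hits(events, exact, nets):
    """Return the ids of events whose dstip is on the watch list (exact or in a range)."""
    hits = []
    for ev in events:
        dst = ev.get("dstip")
        if dst in exact:
            hits.append(ev["_id"])
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            hits.append(ev["_id"])
    return hits

def terms_query(exact, max_terms=65536):
    """Filter body for the packetbeat search; refuses lists larger than the terms cap."""
    ips = sorted(exact)
    if len(ips) > max_terms:
        raise ValueError("watch list exceeds the assumed index.max_terms_count; chunk it")
    return {"query": {"bool": {"filter": [{"terms": {"dstip": ips}}]}}}
```

Because the exact-IP set is rebuilt on every run, a watch that refreshes the list before searching packetbeat stays in sync with new entries without any per-IP rule.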