Hello great community,
So we're migrating to and testing the Elastic Stack, and I was wondering if there is anything similar to a Reference Set (in QRadar) where I can push and update an internal IP address (or host name) whenever I see communication from it to an external IP address blacklisted by threat intel. Further, I want to correlate the same internal IP/host name with other logs (AV, EDR, Windows events...) in order to see if it got infected.
I know the pushing can be easily done with plugins like the Logstash file input plugin, but I was trying to wrap my head around the action of UPDATING the file and deleting an IP that is no longer blacklisted without making complex API calls to delete it, since we want the set of actions to be as simple as possible for our threat analysts. However, we are willing to automate the engineering behind these actions.
Is there a simpler way to do this?
What else can we try?
Thank you all for the great support
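As an added illustration (not from the original post or from Elastic), the reference-set behaviour described above expressed in plain Python: hosts enter the set when a flow touches a threat-intel-listed IP, leave it when that IP is delisted, and the set is joined against endpoint events. The ECS-style field names, the RFC 1918 ranges and all sample flows, indicators and alerts are constructed assumptions; in the Elastic Stack the same state would be persisted to an index or a lookup file rather than an in-memory dict.

```python
"""Added example: a QRadar-style reference set in plain Python (constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Assumed internal ranges; adjust to the real address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class RefEntry:
    indicators: Set[str] = field(default_factory=set)  # listed IPs this host contacted
    last_seen: int = 0


class ReferenceSet:
    """Internal hosts that talked to a threat-intel-listed IP, keyed by internal IP."""

    def __init__(self) -> None:
        self.entries: Dict[str, RefEntry] = {}

    def ingest_flow(self, flow: dict, blacklist: Set[str]) -> bool:
        """Add the internal side of a flow whose external side is blacklisted."""
        src, dst = flow["source.ip"], flow["destination.ip"]
        internal = src if any(ip_address(src) in n for n in INTERNAL_NETS) else dst
        external = dst if internal == src else src
        if external not in blacklist:
            return False
        entry = self.entries.setdefault(internal, RefEntry())
        entry.indicators.add(external)
        entry.last_seen = max(entry.last_seen, flow["@timestamp"])
        return True

    def prune(self, blacklist: Set[str]) -> List[str]:
        """Drop delisted indicators; remove hosts with no remaining indicator."""
        removed = []
        for host, entry in list(self.entries.items()):
            entry.indicators &= blacklist
            if not entry.indicators:
                del self.entries[host]
                removed.append(host)
        return removed

    def correlate(self, events: List[dict]) -> Dict[str, List[str]]:
        """Join AV/EDR/Windows events against the set; return alerts per listed host."""
        hits: Dict[str, List[str]] = {}
        for ev in events:
            if ev["host.ip"] in self.entries:
                hits.setdefault(ev["host.ip"], []).append(ev["event.action"])
        return hits
```

A full cycle on constructed data (two listed IPs, three flows, two endpoint events, then one indicator delisted) can be driven as: build a `ReferenceSet`, call `ingest_flow` per flow, `correlate` the endpoint events, then `prune` with the reduced blacklist; the host that only ever contacted the delisted IP drops out while the host with a matching EDR alert stays.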