I was wondering if it's possible to correlate data captured using packetbeat with threat intelligence feeds?
I guess it depends on exactly what kind of threat intelligence data you have and what you need to do with it.
If you get that threat intelligence data into Elasticsearch, and you want to combine it with packetbeat in the same chart, you might want to make sure you can create an index pattern in Kibana that will match both sets if indexes. For example, by default packetbeat writes to indexes named like
If you load threat data into Elasticsearch into indexes named
threatbeat-2017.03.03 then you could make an index pattern in Kibana like
*beat-* that would allow you to query and make visualizations using all the data together.
Or, you can use Timelion which can include queries from different indexes or even different data sources together in a chart.
If you can reference something more specific maybe I can help you more.
So, the only way to correlate data is if the indices are similar, if not the same?
Depends on exactly you want to do with the data. Timelion can use completely different sources in the same chart, but other Visualizations only use a single index pattern (which could match several different indices).
Basically what I want to do is correlate all the IP/Hashes, etc from packetbeat to a threat intel and have a dashboard display stuff like, Most visited blacklisted IP, Malicious Hash, etc.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.