Match against threat feed entries without Enterprise license

We use Filebeat to ingest network logs. We're experimenting with threat feed ingestion, and would like to find matches between fields in our logs (say destination.ip) and entries in the threat feed. Is there a way to do this on the Free & Open tier? We don't need alerting capabilities (we do this with Elastalert).

If I'm not wrong, the only way to do that is by creating a Threat Indicator security rule.

You can try the new ES|QL LOOKUP JOIN that will be available in the upcoming release.
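
The match described in the question, written with LOOKUP JOIN; this is an added example, not a query from any of the posts. The index names `filebeat-*` and `threat_lookup` and the `indicator_*` field names are assumptions: `threat_lookup` is assumed to be created with the index setting `index.mode: lookup` and to hold one document per feed entry.

```esql
// Added example. Assumed layout of the lookup index threat_lookup
// (created with "index.mode": "lookup"), one document per indicator:
//   indicator_ip        ip       address published by the feed
//   indicator_provider  keyword  name of the feed the entry came from
FROM filebeat-*
| WHERE destination.ip IS NOT NULL
// Give the log-side value the same name as the lookup-side field,
// so the join key is identical on both sides.
| EVAL indicator_ip = destination.ip
| LOOKUP JOIN threat_lookup ON indicator_ip
// Rows with no feed entry come back with NULL lookup columns; drop them.
| WHERE indicator_provider IS NOT NULL
// One row per talker/destination/feed, newest and busiest first.
| STATS hits = COUNT(*), last_seen = MAX(@timestamp)
    BY source.ip, destination.ip, indicator_provider
| SORT last_seen DESC, hits DESC
| LIMIT 100
```

The join key needs a compatible type on both sides, so `indicator_ip` should be mapped as `ip` in the lookup index to line up with `destination.ip`.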

Interesting. I'll check that out - thanks!