Looking for suggestions here on approach for a simple use case.
I have ELK up and running monitoring SSH connections to a server. I also
use ThreatConnect which provides IP addresses (IPs of hosts that bad people
use) that I query via a RESTful API. I DO NOT have any of the threat intel
from ThreatConnect currently feeding into ELK.
I'd like to show in Kibana when there is a match on indicators: i.e. when
the host used to connect to a server via SSH matches an IP address that is
known to be bad (from ThreatConnect).
A connection or disconnection message shows as below where
_source:"message" contains the IP of the SSH client (126.96.36.199) in
"message": "Apr 29 10:41:01 ip-188.8.131.52 sshd: Received disconnect from 184.108.40.206: 11: disconnected by user",
So somehow I'd like to run logic that reads that IP, queries the
ThreatConnect API asking, "Have you seen this IP before?" - and if so,
present that back to the user with an alert saying you have a problem
here... The question is where do I run that logic, I suppose...
Any thoughts on best approach to implement this use case?
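As an added illustration (not code from the original post), here is the enrichment step the post describes in Python: it pulls the client IP out of an sshd message, checks it against an indicator set, and adds a `threat_match` field that Kibana can filter or visualise on. The ThreatConnect lookup is replaced by a constructed in-memory set, since the real API call is not shown on the page; the log lines are constructed samples in the post's format.

```python
import re
from typing import Optional

# Constructed sample sshd messages in the format quoted in the post (not real hosts).
SAMPLE_MESSAGES = [
    "Apr 29 10:41:01 ip-188.8.131.52 sshd: Received disconnect from 184.108.40.206: 11: disconnected by user",
    "Apr 29 10:42:17 ip-188.8.131.52 sshd: Accepted publickey for deploy from 203.0.113.45 port 52210 ssh2",
    "Apr 29 10:43:00 ip-188.8.131.52 sshd: Received disconnect from 198.51.100.7: 11: disconnected by user",
]

# Constructed stand-in for indicators fetched from ThreatConnect. In a real pipeline
# this set would be refreshed periodically from the API or a cached export, so that
# each incoming event is matched locally instead of triggering a remote query.
KNOWN_BAD_IPS = {"184.108.40.206", "198.51.100.7"}

# Both "Received disconnect from <ip>" and "Accepted ... for <user> from <ip>" carry the
# client address after the word "from". IPv4 only, matching the post's messages.
CLIENT_IP_RE = re.compile(r"sshd(?:\[\d+\])?: .*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_client_ip(message: str) -> Optional[str]:
    """Return the SSH client IP from an sshd message, or None if the line has none."""
    match = CLIENT_IP_RE.search(message)
    return match.group(1) if match else None


def enrich(message: str, indicators) -> dict:
    """Build the document fields to index: the parsed IP plus a match flag and tag."""
    ip = extract_client_ip(message)
    doc = {"message": message, "client_ip": ip, "threat_match": False, "tags": []}
    if ip is not None and ip in indicators:
        doc["threat_match"] = True
        doc["tags"].append("threat_intel_match")  # filter on this tag in Kibana
    return doc


def enrich_all(messages, indicators) -> list:
    return [enrich(m, indicators) for m in messages]


if __name__ == "__main__":
    for doc in enrich_all(SAMPLE_MESSAGES, KNOWN_BAD_IPS):
        flag = "ALERT" if doc["threat_match"] else "ok"
        print(f"{flag:5} {doc['client_ip']:15} {doc['message']}")
```

This logic fits naturally as a filter stage between the shipper and Elasticsearch (the place the post asks about), so every event is indexed with the match flag already set and a Kibana visualisation or alert only has to filter on `threat_match: true`.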
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/772cc2fd-ae81-4cc3-abbb-7e888600072b%40googlegroups.com.