Matching threat intel to data in ELK


(Chris Adams) #1

Folks - I'm new to ELK and considering it a replacement for Splunk.

My use case is to use ELK as a SIEM where the admin can see aggregated log data within Kibana. In addition, we have threat intelligence (indicators like hosts/domains/bad IP Addresses) and I'd like to compare content aggregated in ELK with the threat intelligence and through an alert if there is a match.

Question: where is the ideal integration point where the matching logic is performed: Logstash, Elasticsearch or in Kabana?

Thanks!


(Mark Walkom) #2

Probably Logstash, you can do a translate to handle things like that.


(Mahendra Tipale) #3

Best thing to start with loading apache combined logs.

  1. Feed log file to logstash,
  2. logstash pushes it to ES db. Use default case first.
  3. Then move to custom logs, grock filters, transforms, output.
  4. Start kibana to see how it aligns. Kibana have some version compatibility issues. Try to visualize on UI.

I know, splunk is too easy to same thing. They are older so bit matured but have $ cost along with it. I feel ELK stack is good open source replacement for splunk.
Please try to ask for more specific issue.


(system) #4