No threat intelligence data

I have installed multiple threatintel modules through my Filebeat collector, enabled them, and can verify I can view the various assets in Elastic.

However, the Security - Overview Dashboard still shows "no threat intelligence data".


Hi @bigverm23, the Threat Intelligence part of the Overview Dashboard is currently relying on Elastic Agent TI integrations to be enabled. We will look into making it available when the data is coming from Filebeat instead of Elastic Agent integrations.
Btw, in 8.5 there will be a whole new Intelligence part of the Security Solution available in the Enterprise license (see "Elastic modernizes security operations by delivering SOAR and automating actionable threat intelligence | Elastic Blog"), which gives a better overview of available Threat Intelligence data.

Actually, I was wrong in my initial answer. For the data to show up in the TI block of the Overview dashboard you need to add the index where Threat Intelligence data is stored to securitySolution:defaultThreatIndex in the Advanced Settings of Kibana. In the case of Filebeat, the index pattern to be added there is most likely filebeat-* if you didn't change it.

It's currently set as logs-ti_*... that is not correct?

If you change it to logs-ti_*, filebeat-* the data should appear in the Overview dashboard.

More context: logs-ti_* is an index pattern used when ingesting Threat Intelligence data via Elastic Agent integration. As you are ingesting Threat Intelligence data via Filebeat, you need to add the index pattern matching the Filebeat ingestion settings. If you don't change the defaults, Filebeat ingests data into filebeat-*. You can either add this pattern to the securitySolution:defaultThreatIndex in addition to logs-ti_* or just replace logs-ti_* with filebeat-*. More information is available in the docs: "Enable threat intelligence integrations | Elastic Security Solution [master] | Elastic".
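
The pattern mismatch described in this thread, as an added example that is not part of the original posts and is not Elastic's code: it checks which threat-intel sources a given securitySolution:defaultThreatIndex value covers, and builds the corrected value. The source names are constructed, and the matching is a simplified model that assumes only comma-separated patterns with `*` as a wildcard.

```python
import re

def parse_patterns(setting_value):
    """Split the comma-separated value as typed into Advanced Settings."""
    return [p.strip() for p in setting_value.split(",") if p.strip()]

def _matches(pattern, name):
    # Simplified model (assumption): '*' is the only wildcard,
    # every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def coverage_report(setting_value, sources):
    """Map each index or data stream name to True if some pattern matches it."""
    patterns = parse_patterns(setting_value)
    return {name: any(_matches(p, name) for p in patterns) for name in sources}

def add_pattern(setting_value, extra):
    """Return the setting value with `extra` appended, without duplicates."""
    patterns = parse_patterns(setting_value)
    if extra not in patterns:
        patterns.append(extra)
    return ", ".join(patterns)

# Constructed names: one Filebeat index, one Elastic Agent TI data stream.
SOURCES = [
    "filebeat-8.4.0-2022.09.01-000001",
    "logs-ti_abusech.malware-default",
]

if __name__ == "__main__":
    before = "logs-ti_*"                       # value reported in the thread
    after = add_pattern(before, "filebeat-*")  # value suggested in the thread
    for value in (before, after):
        print(f"{value!r}:")
        for name, covered in coverage_report(value, SOURCES).items():
            print(f"  {'covered' if covered else 'MISSED '}  {name}")
```

Running the same check against the real index names in a cluster shows whether a customised Filebeat index name needs its own pattern in the setting.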
