Threat Intel and SIEM

Hello Mike,

Thanks for the detailed answer. I believe you are on the right track; since I started to learn more about your product I have seen insanely fast development. EQL is also a huge step to improve the detection capabilities, but there is still room to improve the product further. I'm looking forward to the improved version of the SIEM.

Can you provide us with some of the threat intelligence feeds that you think are valuable, and for which you’d like to see a more automated ingestion and management process?

I would like to be able to import custom feeds so as not to limit my options: simple CSV-parsed feeds, text feeds, or STIX/TAXII feeds. But it is easier said than done (some vendors are open, some require authentication, like AlienVault, AbuseIPDB, IBM X-Force), deduplication, dealing with false positives, deleting old entries, combining it with ECS, skipping custom fields, proxy support (within an enterprise network it is usually mandatory). It isn't an easy job...

It would also be nice to be able to easily create things like objects and object groups. For example, I would like to create a detection rule to detect port scan attempts initiated from the users' network,
or detect events from privileged users, or special rules for the server network or DMZ network; there are many use cases for objects. At the moment you can create manually hardcoded rules or enrich the data; I believe maintaining hardcoded rules is a nightmare. With objects it is more efficient and flexible.
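The ingestion chores listed above (CSV parsing, deduplication, expiring old entries, mapping to ECS, skipping vendor-specific fields), as an added example that is not part of the original post or of the product discussed. The feed, its columns, the fixed clock and the 30-day expiry are constructed assumptions; the ECS threat.indicator.* names are used as the target schema.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed (no real provider): duplicate, stale and malformed rows, extra column
SAMPLE_FEED = """\
provider,indicator,type,last_seen,vendor_score
feed-a,198.51.100.7,ip,2024-05-01T00:00:00Z,90
feed-a,198.51.100.7,ip,2024-05-03T00:00:00Z,85
feed-b,203.0.113.9,ip,2024-01-10T00:00:00Z,40
feed-b,example.invalid,domain,2024-05-02T00:00:00Z,70
feed-c,not an indicator,ip,2024-05-02T00:00:00Z,10
"""

# Feed type -> (ECS threat.indicator.type value, ECS field for the value)
ECS_TYPES = {"ip": ("ipv4-addr", "threat.indicator.ip"),
             "domain": ("domain-name", "threat.indicator.domain")}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)  # fixed clock (assumption) for stable output

def valid_indicator(ind_type, value):
    """Reject values that are not well-formed for their declared type."""
    if ind_type == "ip":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    return bool(DOMAIN_RE.match(value))

def normalise_feed(text, now=NOW, max_age=timedelta(days=30)):
    """CSV feed -> ECS-style docs: drop bad/stale rows, keep newest per indicator."""
    docs = {}
    for row in csv.DictReader(io.StringIO(text)):
        ind_type, value = row["type"].strip(), row["indicator"].strip()
        if ind_type not in ECS_TYPES or not valid_indicator(ind_type, value):
            continue  # unsupported type or malformed value
        last_seen = datetime.fromisoformat(row["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > max_age:
            continue  # expire old entries
        key = (ind_type, value)
        if key in docs and docs[key]["threat.indicator.last_seen"] >= last_seen:
            continue  # duplicate: keep the most recent sighting
        ecs_type, field = ECS_TYPES[ind_type]
        docs[key] = {"threat.indicator.type": ecs_type, field: value,
                     "threat.indicator.provider": row["provider"],
                     "threat.indicator.last_seen": last_seen}  # vendor_score is dropped
    return list(docs.values())
```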
