I am using Elastic Cloud for a SIEM + Endpoint Security use case. I want to integrate OTX as a threat intel source, but from the documentation it seems I need to use some different system instead of adding the integration directly into Elastic SIEM (cloud) by adding my API key and OTX URL.
Please guide me on how to make it work. I have only productivity desktops on-prem, which are configured with Elastic Agent for log collection and antivirus.
What we do is have a separate ELK instance which consumes the OTX data on a day-to-day basis, which our main cluster correlates with. You want to do whatever you can to lessen the impact on the processing power of the master node, etc.
So Filebeat does push to Elastic. It just acts as a middleman, since ES itself isn't designed to pull in information, and there is nothing saying that a 3rd-party service couldn't have a native ES push mechanism, but that would require your ES server to be exposed to that, as opposed to Filebeat polling and pushing locally so nothing is exposed.
OK, thanks for clarifying. All I need is to install Filebeat on any machine to ingest threat intel; is my apprehension correct? The same Filebeat PC or server will also act as the collector for other syslog sources in the network?
Yeah, as long as Filebeat can reach the API for the threat intel source and the ES server, you should be good. And yes, you can have multiple modules running on Filebeat at once with the different inputs.
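As an added example (not from this thread or from Elastic's own docs), here is what the Filebeat side of that setup looks like: the threatintel module's otx fileset polls the OTX export API on a schedule and Filebeat pushes the indicators out to the Elastic Cloud deployment, so nothing inbound is exposed. The API key and cloud credentials are placeholders, and the `var.*` names are the otx fileset settings as documented for the Filebeat threatintel module.

```yaml
# filebeat.yml (added example; token and cloud values are placeholders)
filebeat.modules:
  - module: threatintel
    otx:
      enabled: true
      # Filebeat pulls from OTX over HTTP; OTX never connects to ES
      var.input: httpjson
      var.url: https://otx.alienvault.com/api/v1/indicators/export
      var.api_token: "<YOUR_OTX_API_KEY>"
      # poll every 5 minutes, fetching indicators modified in the last hour
      var.interval: 5m
      var.lookback_range: 1h
      # limit the indicator types pulled to keep the threat intel index small
      var.types: "domain,IPv4,hostname,url,FileHash-SHA256"

# Output straight to the Elastic Cloud deployment from the Filebeat host
cloud.id: "<DEPLOYMENT_CLOUD_ID>"
cloud.auth: "<FILEBEAT_WRITER_USER>:<PASSWORD>"
```

Run `filebeat setup` once so the module's index template and ingest pipeline are loaded before starting the service; the same Filebeat instance can carry additional modules for your other syslog sources.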