Threat Intel Module for Elastic cloud


I am using Elastic Cloud for a SIEM + Endpoint Security use case. I want to integrate OTX as a threat intel source, but from the documentation it seems I need to use some different system instead of adding the integration directly into Elastic SIEM (cloud) by adding my API key and OTX URL.

Please guide me on how to make it work. I have only productivity desktops on-prem, which are configured with Elastic Agent for log collection and antivirus.


OTX ingest is done via the Filebeat module (there may also be an Agent package as well). Then Filebeat will push it to Elasticsearch.

What we do is we have a separate ELK instance which consumes the OTX data on a day-to-day basis, which our main cluster correlates with. You want to do whatever you can to lessen the impact on the processing power of the master node, etc.

Thanks legoguy1000. This means we need a local instance with the Filebeat agent installed?

But a more logical design could be to directly ingest into Elastic. Any idea why the CTI ingestion is designed like this?


So Filebeat does push to Elastic. It just acts as a middleman, since ES itself isn't designed to pull in information. There is nothing saying that a 3rd-party service couldn't have a native ES push mechanism, but that would require your ES server to be exposed to it, as opposed to Filebeat polling and pushing locally so nothing is exposed.

OK, thanks for clarifying. All I need is to install Filebeat on any machine to ingest threat intel; is my apprehension correct? The same Filebeat PC or server will also act as a collector for other syslog sources in the network?


Yeah, as long as Filebeat can reach the API for the threat intel source and the ES server, you should be good. And yes, you can have multiple modules running on Filebeat at once with different inputs.
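An added example, not from the thread or from Elastic: the Filebeat configuration that does what the replies describe, polling OTX outbound from a local box and pushing the indicators straight into an Elastic Cloud deployment. The Cloud ID, credentials, poll interval and indicator types are placeholders or assumed values.

```yaml
# Added example (not from the thread): Filebeat pulling OTX indicators and
# shipping them to Elastic Cloud. <angle-bracket> values are placeholders;
# the interval and indicator types below are assumptions, adjust to taste.

# --- filebeat.yml : output goes directly to the Elastic Cloud deployment ---
cloud.id: "<deployment-cloud-id>"        # copied from the Elastic Cloud console
cloud.auth: "<ingest-user>:<password>"   # a least-privilege ingest user, not a superuser

# One-time steps on the collector host:
#   filebeat modules enable threatintel   # drops modules.d/threatintel.yml into place
#   filebeat setup                        # loads ingest pipelines, ILM policy, dashboards

# --- modules.d/threatintel.yml : switch on only the OTX fileset ---
# The template Filebeat ships lists the other filesets (abuseurl, misp, ...)
# with "enabled: false"; leave them that way so only OTX is polled.
- module: threatintel
  otx:
    enabled: true
    var.input: httpjson
    # Filebeat makes outbound calls to this API; nothing inbound reaches the cluster
    var.url: https://otx.alienvault.com/api/v1/indicators/export
    var.api_token: "<otx-api-key>"
    # Poll cadence, and how far back to fetch on the very first run (assumed values)
    var.interval: 5m
    var.first_interval: 24h
    # Indicator types to pull (assumed selection; trim to what your detection rules use)
    var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
```

The indicators land in the module's threat intel index, where the SIEM's indicator match rules can correlate them against the endpoint and syslog data the same Filebeat host collects.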

Thanks a lot for your expert advice.
