Hi, I'm only using Fleet-managed workloads in my 7.17 cluster, using the Windows, System and Endpoint integrations (so Filebeat is being utilized on the workloads).
Can I use the Threat Intel module to enrich alerts, and if so, how do I configure it with Fleet?
I only use Fleet-enrolled agents everywhere, and I know that Filebeat is being distributed through Fleet by the misc. integrations, but I haven't fiddled with Filebeat manually.
I do have Threat Intel activated in Elastic's "Security Overview", and AbuseCH and some other feeds activated, but it shows 0 on all feeds. Do I have to upgrade to 8.x to get further?
Hey, the Threat Intelligence card in your screenshot supports only Filebeat threat integrations on version 7.17.
Version 8.0 supports both Fleet agent threat intel (by default) and Filebeat (needs to be configured); here is the doc on how to enable Threat Intel. So, if you use Fleet agents and you want to see the incoming threat indicators in this view, it's worth updating to 8.x.
Although, it is potentially possible to have enrichment on alerts not only from Filebeat on version 7.17.
First, we need to be sure that you have threat indicators in your Elasticsearch.
If it returns some documents, then you have threat indicators in your system.
Then you can update the securitySolution:defaultThreatIndex advanced setting to logs-ti*,filebeat-*
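The two steps from the answer above (confirm that indicator documents exist, then point the Security app at those indices), written out as an added shell example that is not part of the original thread. It assumes the environment variables ES_URL, KIBANA_URL and ES_AUTH (user:password), counts documents in the logs-ti*,filebeat-* pattern named in the answer with the Elasticsearch _count API, assumes indicator documents carry event.category: threat (the ECS value both the Filebeat threatintel module and the Fleet threat integrations use), and changes the advanced setting through the Kibana settings API (POST /api/kibana/settings) rather than in the Kibana UI:

```shell
# Added example, not code from the original thread. Assumes these environment
# variables: ES_URL (e.g. https://es.example:9200), KIBANA_URL
# (e.g. https://kibana.example:5601) and ES_AUTH (user:password for both).
# The index pattern is the one the answer above recommends.
TI_INDICES='logs-ti*,filebeat-*'

# Query body for indicator documents. Assumption: indicators written by the
# Filebeat threatintel module and the Fleet threat integrations are tagged
# with event.category: threat.
ti_query() {
  printf '%s' '{"query":{"term":{"event.category":"threat"}}}'
}

# Pull the integer out of an Elasticsearch _count response (no jq dependency).
parse_count() {
  sed -n 's/.*"count":\([0-9][0-9]*\).*/\1/p'
}

# Exit status 0 when at least one indicator document was counted.
has_indicators() {
  [ "${1:-0}" -gt 0 ]
}

# Step 1 of the answer: count indicator documents in the threat indices.
# ignore_unavailable=true keeps the call from failing when logs-ti* does
# not exist yet (the Fleet-only case on 7.17).
count_indicators() {
  curl -s -u "$ES_AUTH" -H 'Content-Type: application/json' \
    "$ES_URL/$TI_INDICES/_count?ignore_unavailable=true" \
    -d "$(ti_query)" | parse_count
}

# Body for the Kibana settings API (POST /api/kibana/settings); it changes the
# same advanced setting the answer says to edit in the Kibana UI.
settings_body() {
  printf '{"changes":{"securitySolution:defaultThreatIndex":"%s"}}' "$TI_INDICES"
}

# Step 2 of the answer: point the Security app at those indices.
# kbn-xsrf is required by Kibana on every non-GET API call.
set_threat_index() {
  curl -s -u "$ES_AUTH" -X POST -H 'kbn-xsrf: true' \
    -H 'Content-Type: application/json' \
    "$KIBANA_URL/api/kibana/settings" -d "$(settings_body)"
}

# Only talk to the cluster when the variables are set, so the functions above
# can also be sourced and exercised offline.
if [ -n "${ES_URL:-}" ] && [ -n "${KIBANA_URL:-}" ] && [ -n "${ES_AUTH:-}" ]; then
  n="$(count_indicators)"
  if has_indicators "$n"; then
    echo "found $n indicator documents in $TI_INDICES, updating advanced setting"
    set_threat_index
  else
    echo "no indicator documents in $TI_INDICES; fix feed ingestion first"
  fi
fi
```

Run it with the three variables exported; if the count is 0 there is nothing for the Security app to show, so the feed ingestion (the Filebeat threatintel module on 7.17) has to be fixed before changing the advanced setting.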