Threat Intelligence Integration won't show any data

Good morning,

I have installed the Threat Intelligence Integration, I also have a fleet managed server and I am currently tracking different hosts with different integrations and i am managing all of that through 2 agent policies.
The issue is that the Threat Intelligence overview won't show any data, I dont have any "enable sources" option showing (as described in the documentation) and there is not any Threat Intelligence index that should have been created by default once the integration has been installed and linked to the proper policy.

Elastic doesn't show any issues or error message but still it looks like the threat intelligence integration is not doing anything at all.
What could possibly be ?
Documentation appears very unclear about it.

UP! Can someone helpe me ?

This is just a brief idea from someone out of the "cheap places" :wink: - Maybe the designated host with the "Threat Intelligence" Integrations dont have access to the sources for the Indicators? Which Threat Intel Integrations do you have installed? AbuseCH? AlienVault?
I'm in the middle of testing all the features around those integrations and it's working like a charm for now.

Hey @Gio_27 , what version of Elastic Stack do you run and what subscription level do you have? Also, what do you see in the "Threat Intelligence" block of the "Security > Dashboards > Overview" dashboard?
The block looks like this if you don't have an TI integration installed

Hey maxcold,

I have the free subscription but I didn't figure out which features are free to use and which are under a paid subscription.
I have found that block (enable sources) and once I click on it, it redirects me to the integrations list. So I guess that Threat Intelligence works only together with those TI-labeled integrations ?

@Gio_27 Out of the box yes, but you can set up a custom integration to work with some Threat Intelligence capabilities, as described here Enable threat intelligence integrations | Elastic Security Solution [8.10] | Elastic . You basically need to specify the index in which Kibana should look for indicators of compromise.

Regarding the free vs. paid subscription:

  1. TI block on the overview dashboard and Threat Indicator match functionality for alerts is available for every subscription level
  2. Investigation capabilities, like Indicators page is the Enterprise only feature

Thanks maxcold for your reply.
In order to recap:

  • TI block and Threat Indicator match functionality only work in two ways:
    1- You can use it in tandem with other TI-labeled integrations, so it means that if you are not using those services there is no point on using TI unless you create your own "beats" or custom integration. Is that correct ? I am having troubles understanding the differences between TI and Elastic Defend, how they work and which features are free to use and which are not. I am sorry, the documentation is confusing in this regard.

  • I thought that TI would automatically create the logs-ti* index once installed, but it looks like that's something you have to do on your own. Is that correct ?

Thank you for your support.

@Gio_27

You can use it in tandem with other TI-labeled integrations, so it means that if you are not using those services there is no point on using TI unless you create your own "beats" or custom integration. Is that correct ?

That's not entirely accurate. TI block and Threat Indicator matching will work with any Indicator of Compromise (IoC) data in your stack, as long as it aligns with ECS spec for IoCs Threat Fields Usage and Examples | Elastic Common Schema (ECS) Reference [8.11] | Elastic. Out-of-the-box TI integrations are primarily designed to easily ingest IoC data from established providers. Plus the integration takes the job of ingesting the data where the TI block and Threat Indicator match rule expects to find it by default. You're free to ingest IoC data through other methods like Logstash or Filebeat. Just make sure the data is ECS-compliant and configure Kibana to look in the right index.

I am having troubles understanding the differences between TI and Elastic Defend, how they work and which features are free to use and which are not. I am sorry, the documentation is confusing in this regard.

TI integrations are mainly for bringing IoC data into your stack; it doesn't offer defensive features. Then you can create Indicator Match Rule to be alerted when there is an event in your env that matches some IoC. Elastic Defend is a different beast, offering various defense features. It may use the IoC data from TI, but I can't confirm this. I'm not really well equipped to answer about Elastic Defend.

  • I thought that TI would automatically create the logs-ti* index once installed, but it looks like that's something you have to do on your own. Is that correct ?

The index should be created automatically. Are you facing issues with that?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.