Threat Intelligence Platform Integration

Hi Guys,

Any idea how to integrate a Threat Intelligence Platform with ELK?
Or do I just create some config in Logstash and manually look up a CSV from the TI data source feed?


It depends on your TIP and how you consume threat intelligence. If you stage CSV files somewhere on a regular basis, you could use the Logstash CSV filter plugin.

If you use a commercial TIP, it may have an API or database that you could consume with the appropriate Logstash input plugin. This method would probably help with normalization of your intel feed fields, since each source/vendor seems to label everything differently, and your TIP may handle normalizing that for you already.
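As an added example (not part of the original thread), here is one Logstash pipeline that covers both halves of the staged-CSV approach: the csv filter parses the feed itself into its own index, and the translate filter uses the same file as a key/value dictionary to enrich inbound events. It assumes the feed is dropped at /etc/logstash/ti/indicators.csv with two columns, indicator and description, that events arriving from Beats carry the source address in [source][ip], and that Elasticsearch listens on localhost:9200; all of those paths, ports and the sample indicator are assumptions, not values from the thread.

```conf
# Added example: enrich Beats events against a staged TI CSV feed.
# Assumed feed layout (no quoting, one indicator per line):
#   indicator,description
#   198.51.100.23,constructed sample indicator (documentation range)
input {
  # Production events to be enriched
  beats {
    port => 5044
    tags => ["events"]
  }

  # The staged feed, re-read from the top so the whole file is indexed
  file {
    path           => "/etc/logstash/ti/indicators.csv"   # assumed path
    start_position => "beginning"
    sincedb_path   => "/dev/null"
    tags           => ["ti-feed"]
  }
}

filter {
  if "ti-feed" in [tags] {
    # Parse the feed rows themselves so the indicators are searchable in Kibana
    csv {
      columns     => ["indicator", "description"]
      skip_header => true
    }
  } else {
    # Dictionary lookup: the CSV is loaded as indicator -> description and
    # reloaded every 300 s, so a refreshed feed is picked up without a restart.
    # A header row would be loaded as a dictionary entry, so the dictionary
    # copy should have none, or the key "indicator" simply never matches.
    translate {
      source           => "[source][ip]"
      target           => "[threat][indicator][description]"
      dictionary_path  => "/etc/logstash/ti/indicators.csv"   # assumed path
      exact            => true
      refresh_interval => 300
    }

    # translate only creates the target field on a hit, so its presence
    # is the match signal; tag the event for a detection rule to key on.
    if [threat][indicator][description] {
      mutate { add_tag => ["ti_match"] }
    }
  }
}

output {
  if "ti-feed" in [tags] {
    elasticsearch {
      hosts => ["https://localhost:9200"]   # assumed
      index => "threat-indicators"
    }
  } else {
    elasticsearch {
      hosts => ["https://localhost:9200"]   # assumed
      index => "logs-enriched-%{+YYYY.MM.dd}"
    }
  }
}
```

The translate filter only does exact (or regex) matching on a single field, so the same block would be repeated per field you want checked (destination IP, domain, hash); for a commercial TIP with an API, the lookup stays the same and only the feed-ingestion input changes, which is where the normalization point above matters, since the dictionary keys have to match the exact form the events use.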
