ThreatIntel + module configuration

Hi to all, I have enabled the threatintel module through Filebeat modules, and after that I configured threatintel.yml, activating otx and abusemalware, then ran filebeat -e setup. So far so good, but until now I don't see anything in the Kibana dashboard about threats (I have Filebeat configured just for ingesting NetFlow). Could someone help me resolve this issue? Thanks in advance.

You should post your threatintel.yml configuration.
Also, you should verify that you activated it with

filebeat modules enable threatintel

and double-check in the modules.d/ directory that the filename of threatintel.yml is without .disabled.

Finally, you could activate the SIEM built-in rule "Threat Intel Filebeat Module Indicator Match"; this correlates the data you ingest, for example via Filebeat, with the blocklists and alerts if there's a match.
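As an added example (not part of the original reply), here is a small POSIX shell script that performs the two checks the answer describes: whether modules.d/ holds threatintel.yml or threatintel.yml.disabled, and which filesets inside that file actually carry enabled: true. It assumes the stock layout Filebeat ships (module configs under modules.d/, fileset names indented two spaces and their settings four spaces). The directory and the sample config in the demo are constructed here for illustration; the /etc/filebeat path in the usage note is the package default and is an assumption about your install.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Elastic.
# Checks the state of the Filebeat threatintel module in a modules.d/
# directory and reports which filesets its config enables. Assumes the
# stock Filebeat layout:
#   modules.d/threatintel.yml           -> module enabled
#   modules.d/threatintel.yml.disabled  -> module disabled

# Prints "enabled", "disabled" or "missing" for the modules.d directory in $1.
threatintel_module_state() {
  dir="$1"
  if [ -f "$dir/threatintel.yml" ]; then
    echo enabled
  elif [ -f "$dir/threatintel.yml.disabled" ]; then
    echo disabled
  else
    echo missing
  fi
}

# Prints, one per line, the filesets in the module config $1 whose block
# contains "enabled: true". Relies on the stock indentation: fileset names
# at two spaces (e.g. "  otx:"), their settings at four spaces.
enabled_filesets() {
  awk '
    /^  [a-z]+:/        { name = $1; sub(":", "", name) }
    /^    enabled: *true/ { print name }
  ' "$1"
}

# Demo on a constructed directory and config (sample data, not a real host).
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    '- module: threatintel' \
    '  abuseurl:' \
    '    enabled: false' \
    '  abusemalware:' \
    '    enabled: true' \
    '  otx:' \
    '    enabled: true' \
    '    var.api_token: REPLACE_ME' > "$d/threatintel.yml.disabled"
  echo "state with .disabled suffix: $(threatintel_module_state "$d")"
  mv "$d/threatintel.yml.disabled" "$d/threatintel.yml"
  echo "state after enabling:       $(threatintel_module_state "$d")"
  echo "filesets enabled in config:"
  enabled_filesets "$d/threatintel.yml"
  rm -rf "$d"
}

demo
```

On a host installed from the deb or rpm package, run `threatintel_module_state /etc/filebeat/modules.d` and `enabled_filesets /etc/filebeat/modules.d/threatintel.yml`; a state of "disabled" or an empty fileset list explains an empty dashboard before any connectivity or API-token problem does.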
