Threatintel module filebeat


I activated the threatintel module for Filebeat but still don't get any data.
I have this in my logs:
```
Nov 1 03:00:02 hostname filebeat[560069]: {"log.level":"info","@timestamp":"2022-11-01T03:00:02.308Z","log.logger":"input.httpjson-stateless","log.origin":{"":"httpjson/request.go","file.line":397},"message":"request finished: 1000 events published","":"filebeat","id":"theid","input_url":"","ecs.version":"1.6.0"}
```

I do not see the data or any dashboard. Can you help, please? I am new to this part of the app.


Now I can see the threat intelligence data. I can even inspect the sources. I am using ECK with Logstash and Kafka. I already have the Filebeat dashboard overview displayed. It is only this dashboard that I do not have.

But there is no dashboard in the Threat Intelligence overview. I do not know how to make them display.
Please help.

Hi, man!

I saw an issue like this in Elastic security version 7.16. Have you tried checking space Security permissions? Check if a variable is set to true and without the # in filebeat.yml

setup.dashboards.enabled: true

Hi @wsouza,

I tried what you said but it doesn't resolve the problem.
Thank you for your help.

Hi @emmanuel_stevens_LED, the Threat Intelligence Overview dashboard from the Threat Intelligence Utils package only supports Elastic Agent Threat Intelligence integrations and doesn't support Filebeat integrations. But you can edit this dashboard to start showing the data coming from the Filebeat integrations. You need to specify the correct index pattern (filebeat-* in your case) and adjust the filtering. Here is an example of what it might look like


I have a configuration of (beats, kafka, logstash, elastic, kibana), in that order. I see that the Elastic Agent does not support Kafka output. What solution can you point me to?

Will it work if I add a Logstash before the Kafka, so I can have a config like (agent, logstash, kafka, logstash, elastic, kibana)? Would that last configuration provide the threat dashboard?

@emmanuel_stevens_LED it's hard to give advice without the details of your requirements. I'm not sure why you need Kafka and Logstash in front of the beats. As beats and Elastic Agent can ingest directly into Elasticsearch, by default you shouldn't need Kafka and Logstash to get the data from them into Elasticsearch. For the dashboard to work you either need the Threat Intelligence data stored in logs-* index (Elastic Agent Threat Intelligence integrations by default store the data in logs-ti_* indexes), or edit the dashboard so that the lenses in this dashboard use the index where you currently store the Threat Intelligence data