I am trying to deploy a watcher to my lab home. I have logs from zeek (json) and logs from intelmq (Threat Intelligence Sharing). I need to compare one field from zeek_index (field: id.resp_h) with one field from intelmq_index (field: source.ip). If they match I would like to write a log with a text.
I can search the ip on kibana, but the alert does not match.
note: I would like to change >"match": {"source.ip": "108.61.187.24"}"< to the intelmq_index.field, but if the simple example fails, something more complex is an error.
I am not sure I fully understand the requirement. Would it make sense to execute two searches, one in the zeek, another in the intel_mq index for that IP and then check if both return hits?
I cannot think of any efficient way of doing this, as you need to compare every entry of one index with every entry of another index. And I suppose the ip address space can be arbitrarily high (given IPv6)?
I am not looking for an efficient method now. That will be the second step. I need to search for and match a list of strings (ip addresses) in my zeek index. IPv6 will be the third step. Any idea which is the correct route?
Thanks.
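The matching described in the thread (zeek `id.resp_h` against intelmq `source.ip`, with IPv6 as a later step) can be prototyped outside Watcher to confirm the logic before wiring it into a watch. The script below is an added example, not code from the thread or from Elastic, zeek or intelmq. It embeds constructed sample records (the zeek JSON lines, the intelmq events and their `classification.type` / `feed.name` values are made up for the example) and normalizes both sides with Python's `ipaddress` module so that an IPv6 indicator written as `2001:db8::1` still matches a zeek record logged in the expanded form.

```python
import ipaddress
import json

# Constructed zeek conn.log lines in JSON format (sample data for this example,
# not from the original thread). The last line is deliberately malformed to show
# that a bad line is skipped instead of aborting the whole match.
ZEEK_CONN_LINES = [
    '{"ts": 1700000000.1, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "108.61.187.24", "id.resp_p": 443, "proto": "tcp"}',
    '{"ts": 1700000001.2, "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 80, "proto": "tcp"}',
    '{"ts": 1700000002.3, "uid": "C3", "id.orig_h": "10.0.0.7", "id.resp_h": "2001:0db8:0000:0000:0000:0000:0000:0001", "id.resp_p": 22, "proto": "tcp"}',
    'not json at all',
]

# Constructed intelmq events (sample data). "source.ip" is the field named in the
# thread; the other fields are assumed for illustration. One entry is not a valid
# IP to show that unusable indicators are dropped during loading.
INTELMQ_EVENTS = [
    {"source.ip": "108.61.187.24", "classification.type": "c2-server", "feed.name": "example-feed"},
    {"source.ip": "2001:db8::1", "classification.type": "scanner", "feed.name": "example-feed"},
    {"source.ip": "not-an-ip", "classification.type": "unknown", "feed.name": "example-feed"},
]


def normalize_ip(value):
    """Return the canonical text form of an IPv4/IPv6 address, or None if invalid.

    Canonicalizing both sides is what makes a string comparison work for IPv6,
    where the same address has many valid spellings.
    """
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def build_indicator_set(events, field="source.ip"):
    """Map canonical indicator IP -> the intelmq event that supplied it."""
    indicators = {}
    for event in events:
        ip = normalize_ip(event.get(field, ""))
        if ip is None:
            continue  # skip indicators that are not parseable addresses
        indicators[ip] = event
    return indicators


def match_zeek_logs(lines, indicators, field="id.resp_h"):
    """Return one alert dict per zeek record whose responder IP is an indicator."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than fail the whole run
        ip = normalize_ip(record.get(field, ""))
        if ip is None or ip not in indicators:
            continue
        hit = indicators[ip]
        alerts.append({
            "ts": record.get("ts"),
            "uid": record.get("uid"),
            "orig_h": record.get("id.orig_h"),
            "matched_ip": ip,
            "classification": hit.get("classification.type"),
            "feed": hit.get("feed.name"),
        })
    return alerts


def format_alert(alert):
    """Render an alert as the single text line the thread asks to write."""
    return (f"THREAT MATCH uid={alert['uid']} orig_h={alert['orig_h']} "
            f"resp_h={alert['matched_ip']} type={alert['classification']} feed={alert['feed']}")


if __name__ == "__main__":
    indicator_set = build_indicator_set(INTELMQ_EVENTS)
    for alert in match_zeek_logs(ZEEK_CONN_LINES, indicator_set):
        print(format_alert(alert))
```

The indicator set is built once and each zeek record is a dictionary lookup, so the cost is linear in the number of zeek records rather than the product of the two index sizes that the reply above worries about. The same shape (load the indicator list, normalize, look up each responder address) is what a watch or an ingest-time enrichment would need to reproduce.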