Threat Hunting for IOCs with Elastic Stack

Elasticsearch offers several ways to collect and enrich data with threat intelligence feeds. Those indicators can then be used by the Elastic Security detection engine, whose threat-indicator-match rules raise alerts when an event field (for example a source IP or a DNS query name) matches an ingested indicator. In this video, we give an introduction to cyber threat intelligence (CTI) and demonstrate how Elastic makes it easy to ingest threat intelligence feeds and build robust CTI capabilities on top of them.

Guest Speaker: Alessandro Brofferio, Senior Curriculum Developer & Trainer at Elastic, Former Technical Trainer in NGFW.

#IOCs #CTI #ElasticSecurity #ThreatHunting #TechCommunity #Elasticsearch #DevOps
Comments

The most valuable information in a Threat Intelligence alert is the description (the context of an indicator).
We checked today (Kibana 7.16.3) whether the matched IOC description is present inside the alert, and it is absent.
It is also impossible to tell which IOC (document[s]) and which feed[s] triggered the alert.
This makes IOC pivoting impossible and is a big disappointment with the Threat Intelligence rules feature.
If your developers had worked as SOC analysts, they would understand this pain.
Second point. There is no possibility of custom cleaning of the feeds (for example removing the IP 127.0.0.1); exceptions are not the right way to do this.
Third point. There is no de-duplication at all.
So if five feeds contain the same IP, the query will be 5 times heavier.
I know this point is not so easy to implement, but it is possible anyway.

sergeydrachuk
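The indicator-matching workflow the description refers to, together with the three properties the comment above asks for (the alert carrying the matched indicator's description and originating feed(s), a cleaning step that drops loopback and private addresses, and de-duplication of the same value across feeds), is illustrated here as an added, stand-alone example. It is not Elastic's implementation and does not call Elasticsearch; the feed and event records are constructed, and the ECS-like field names (`source.ip`, `dns.question.name`, `threat.feed.names`, and so on) and the `FIELD_MAP` pairing are assumptions chosen for the demonstration.

```python
"""Minimal threat-indicator matching over ECS-style events (added example,
not Elastic's code). It demonstrates:
 1. alerts carry the matched indicator's description and the feed(s) it came from,
 2. feed entries are cleaned (loopback, link-local, RFC1918 IPs dropped) before use,
 3. a value present in several feeds is indexed once, so lookup cost does not
    grow with the number of feeds that repeat it.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample feeds; field names loosely follow ECS threat.indicator.* (assumption)
FEEDS = [
    {"name": "feed-a", "indicators": [
        {"type": "ipv4-addr", "value": "203.0.113.10", "description": "C2 beacon, campaign X"},
        {"type": "ipv4-addr", "value": "127.0.0.1", "description": "bogus entry"},
        {"type": "domain-name", "value": "bad.example", "description": "phishing landing page"},
    ]},
    {"name": "feed-b", "indicators": [
        {"type": "ipv4-addr", "value": "203.0.113.10", "description": "scanner / brute force"},
        {"type": "ipv4-addr", "value": "10.0.0.5", "description": "private range, noise"},
    ]},
]

# Constructed sample events (ECS-like field names, an assumption of this example)
EVENTS = [
    {"@timestamp": "2022-03-01T10:00:00Z", "source.ip": "203.0.113.10", "destination.ip": "10.0.0.7"},
    {"@timestamp": "2022-03-01T10:00:05Z", "source.ip": "198.51.100.4", "dns.question.name": "bad.example"},
    {"@timestamp": "2022-03-01T10:00:09Z", "source.ip": "127.0.0.1", "destination.ip": "127.0.0.1"},
]

# Which event fields each indicator type is compared against (assumed mapping)
FIELD_MAP = {
    "ipv4-addr": ("source.ip", "destination.ip"),
    "domain-name": ("dns.question.name", "url.domain"),
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Key = Tuple[str, str]


def is_noise(indicator: dict) -> bool:
    """Cleaning step: drop loopback, link-local, multicast, unspecified and
    RFC1918 addresses, which only produce false positives in a feed."""
    if indicator["type"] != "ipv4-addr":
        return False
    try:
        ip = ipaddress.ip_address(indicator["value"])
    except ValueError:
        return True  # malformed value, cannot be matched anyway
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in RFC1918))


def build_index(feeds: List[dict]) -> Dict[Key, dict]:
    """De-duplicate across feeds: one entry per (type, value) that keeps every
    feed name and description, so an alert can say where the IOC came from."""
    index: Dict[Key, dict] = {}
    for feed in feeds:
        for ind in feed["indicators"]:
            if is_noise(ind):
                continue
            key = (ind["type"], ind["value"].lower())
            entry = index.setdefault(key, {"feeds": [], "descriptions": []})
            if feed["name"] not in entry["feeds"]:
                entry["feeds"].append(feed["name"])
            entry["descriptions"].append(f'{feed["name"]}: {ind["description"]}')
    return index


def match_events(index: Dict[Key, dict], events: List[dict]) -> List[dict]:
    """Return one alert per (event field, indicator) hit, enriched with the
    indicator's descriptions and the feeds that carried it."""
    alerts = []
    for ev in events:
        for itype, fields in FIELD_MAP.items():
            for field in fields:
                value = ev.get(field)
                if value is None:
                    continue
                entry = index.get((itype, value.lower()))
                if entry:
                    alerts.append({
                        "@timestamp": ev["@timestamp"],
                        "matched.field": field,
                        "matched.value": value,
                        "threat.indicator.type": itype,
                        "threat.feed.names": entry["feeds"],
                        "threat.indicator.descriptions": entry["descriptions"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in match_events(build_index(FEEDS), EVENTS):
        print(alert)
```

Running the block prints two alerts: the `203.0.113.10` hit names both `feed-a` and `feed-b` with both descriptions, and the `bad.example` DNS query names `feed-a`; the loopback event produces nothing because `127.0.0.1` was cleaned out of the index rather than handled by a per-rule exception.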

Hi, if someone has bought paid threat intelligence, how can we ingest TI from those sources?

hamzaidris

Why, when I tried to map the Cisco ASA index with filebeat-*, didn't it work as expected? Everything failed!

jameskin