Folks... Looking for suggestions here on approach for a simple use case.
I have ELK up and running monitoring SSH connections to a server. I also use ThreatConnect, which provides IP addresses (IPs of hosts that bad people use) that I query via a RESTful API. I DO NOT have any of the threat intel from ThreatConnect currently feeding into ELK. I'd like to show in Kibana when there is a match on indicators, i.e. when the host used to connect to a server via SSH matches an IP address that is known to be bad (from ThreatConnect).

A connection or disconnection message shows as below, where _source:"message" contains the IP of the SSH client (111.111.111.111 in this case).

{
  "_index": "logstash-2015.04.29",
  "_type": "syslog",
  "_id": "Bxxxxxxxxxxxx",
  "_score": null,
  "_source": {
    "message": "Apr 29 10:41:01 ip-123.123.123.123 sshd[32574]: Received disconnect from 111.111.111.111: 11: disconnected by user",
    "@version": "1",
    "@timestamp": "2015-04-29T14:41:01.726Z",
    "type": "syslog",
    "host": "xxxxxxxx.ec2.internal",
    "path": "/var/log/secure"
  },

So somehow I'd like to run logic that reads that IP, queries the ThreatConnect API asking "Have you seen this IP before?" and, if so, presents that back to the user with an alert saying you have a problem here... Question is where do I run that logic, I suppose... Any thoughts on best approach to implement this use case?

Thanks!

c
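One way to do the enrichment described in the post, added here as an example and not code from the poster or from ThreatConnect: extract the SSH client IP from the sshd message, look it up against the indicator source, and write the result back onto the event so Kibana can filter on it. The ThreatConnect REST call is replaced by a hypothetical `lookup_threatconnect` function backed by a constructed indicator set; the per-run cache is an assumption about how to avoid repeated API calls for the same IP. The same logic could sit in a Logstash filter stage or in a small consumer that reads from Elasticsearch and updates the documents.

```python
import re
from typing import Callable, Dict, Optional, Set

# Peer address in common sshd syslog lines, e.g.
#   "Received disconnect from 111.111.111.111: 11: ..."
#   "Accepted publickey for alice from 10.0.0.5 port 52212 ssh2"
#   "Failed password for invalid user bob from 10.0.0.9 port 4022 ssh2"
SSHD_PEER_RE = re.compile(
    r"sshd\[\d+\]: .*?\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

# Constructed stand-in for the ThreatConnect indicator lookup (sample data).
KNOWN_BAD_IPS: Set[str] = {"111.111.111.111", "198.51.100.7"}


def lookup_threatconnect(ip: str) -> bool:
    """Hypothetical lookup: True when the IP is a known indicator."""
    return ip in KNOWN_BAD_IPS


def extract_peer_ip(message: str) -> Optional[str]:
    """Return the SSH client IP from an sshd syslog message, or None."""
    m = SSHD_PEER_RE.search(message)
    return m.group("ip") if m else None


def enrich_event(event: Dict, lookup: Callable[[str], bool] = lookup_threatconnect,
                 cache: Optional[Dict[str, bool]] = None) -> Dict:
    """Return a copy of a Logstash-style event with threat-intel fields added.

    `cache` (ip -> verdict) avoids calling the API twice for the same IP.
    """
    out = dict(event)
    ip = extract_peer_ip(event.get("message", ""))
    if ip is None:
        return out  # not an sshd line with a peer address; leave untouched
    if cache is not None and ip in cache:
        hit = cache[ip]
    else:
        hit = lookup(ip)
        if cache is not None:
            cache[ip] = hit
    out["ssh_client_ip"] = ip
    out["threat_match"] = hit  # filter on this field in Kibana
    if hit:
        out["tags"] = list(event.get("tags", [])) + ["threatconnect_match"]
    return out


# Constructed sample: the disconnect line from the post plus one clean login.
SAMPLE_EVENTS = [
    {"message": "Apr 29 10:41:01 ip-123.123.123.123 sshd[32574]: Received disconnect from 111.111.111.111: 11: disconnected by user"},
    {"message": "Apr 29 10:42:10 ip-123.123.123.123 sshd[32580]: Accepted publickey for alice from 10.0.0.5 port 52212 ssh2"},
]
```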