Why not use the translate filter in LS to add a field based on these IPs (e.g. alertableIP: true) and then run a percolator query?
On 30 April 2015 at 01:24, Chris Adams <chrisadam...@gmail.com> wrote:
> Folks...
>
> Looking for suggestions here on approach for a simple use case.
>
> I have ELK up and running monitoring SSH connections to a server. I also use ThreatConnect which provides IP addresses (IPs of hosts that bad people use) that I query via a RESTful API. I DO NOT have any of the threat intel from ThreatConnect currently feeding into ELK.
>
> I'd like to show in Kibana when there is a match on indicators: i.e. when the host used to connect to a server via SSH matches an IP address that is known to be bad (from ThreatConnect).
>
> A connection or disconnection message shows as below where _source:"message" contains the IP of the SSH client (111.111.111.111) in this case.
>
> {
>   "_index": "logstash-2015.04.29",
>   "_type": "syslog",
>   "_id": "Bxxxxxxxxxxxx",
>   "_score": null,
>   "_source": {
>     "message": "Apr 29 10:41:01 ip-123.123.123.123 sshd[32574]: Received disconnect from 111.111.111.111: 11: disconnected by user",
>     "@version": "1",
>     "@timestamp": "2015-04-29T14:41:01.726Z",
>     "type": "syslog",
>     "host": "xxxxxxxx.ec2.internal",
>     "path": "/var/log/secure"
>   },
>
> So somehow I'd like to run logic that reads that IP, queries the ThreatConnect API asking "Have you seen this IP before?" - and if so present that back to the user with an alert saying you have a problem here... Question is where do I run that logic I suppose...
>
> Any thoughts on best approach to implement this use case?
>
> Thanks!
> c
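As an added illustration of the translate-filter approach suggested in the reply (this is example configuration, not code from the thread or from ThreatConnect), the Logstash filter below extracts the SSH client address from the sshd message shown in the original post and tags the event with alertableIP from a locally exported indicator list. The dictionary path /etc/logstash/threat_ips.yml and the field names src_ip and alertableIP are assumptions; a percolator query would then simply match on alertableIP: "true".

```conf
# Added example, not from the thread: tag sshd events whose client IP is on a
# threat-intel list so a percolator query on alertableIP can raise the alert.
# Assumed: the indicators are exported from ThreatConnect into
# /etc/logstash/threat_ips.yml as a YAML hash, one line per IP, e.g.
#   "111.111.111.111": "true"
filter {
  if [type] == "syslog" and "sshd" in [message] {
    # Pull the client address out of "Received disconnect from <ip>" (and
    # similar "... from <ip>" sshd lines) into its own field.
    grok {
      match => [ "message", "sshd\[%{POSINT:pid}\]: .* from %{IP:src_ip}" ]
      tag_on_failure => [ "_sshd_noip" ]
    }
    if [src_ip] {
      # Offline lookup: no per-event call to the ThreatConnect API, and the
      # dictionary file is re-read every refresh_interval seconds so the
      # export job can keep it current.
      translate {
        field            => "src_ip"
        destination      => "alertableIP"
        dictionary_path  => "/etc/logstash/threat_ips.yml"
        exact            => true
        fallback         => "false"
        refresh_interval => 300
      }
    }
  }
}
```

Because the lookup is local, detection lags the ThreatConnect feed by at most the export schedule plus refresh_interval; events that arrive before an indicator is exported are not retroactively tagged.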