Enriching ELK with Threat Intelligence
I recently stood up a MISP instance in the lab to gather some Open Source Intelligence (OSINT). The goal of this exercise is to enrich data going into my Elastic Stack in order to identify when machines are talking to known bad actors or running known malicious executables.
I run Elastic Stack via Docker, and it is a small instance, nothing fancy; you can read more about it in the article I wrote, Ubiquiti Unifi logs in Elastic Stack. However, the steps below should work for any Elastic Stack as long as you have Logstash running.
Giving credit where credit is due, I found a 3-part article by David Thejl-Clayton on the Security Distractions blog that was the basis for this work; all credit goes to him for the code and tutorial! I had to modify a few items to make it work in my environment. I found a few things he had done a bit confusing and lacking some explanation, so I am hoping to expand on those to make sure you can benefit from my trial and error.
The general idea of what we will be doing is leveraging Logstash's memcached filter, which can query a Memcached instance from inside the filter stage. We need to get the appropriate OSINT out of MISP and into Memcached so that Logstash can look up values from each event (destination IPs, domains, file hashes) and add the matching MISP context to the event as it flows through.
You can also pull MISP data directly into Elasticsearch via Filebeat, but that only indexes the indicators as their own documents; it does not enrich the individual events.
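To make the MISP-to-Memcached-to-Logstash flow concrete, here is an added example of the two halves of that pipeline in Python. It is not code from the original post or from Security Distractions, and it does not talk to a real MISP or Memcached: the MISP export is a constructed sample loosely modelled on the JSON that `/attributes/restSearch` returns, the cache is a dictionary stand-in with the same `get`/`set` surface a real memcached client offers, and the key convention (`misp:<type>:<value>`), the event field names, and the `misp_match` tag are all this example's own choices. The `enrich_event` function plays the role the Logstash memcached filter plays in the real setup, so you can see exactly what ends up on a matched event and why an attribute without `to_ids` set never matches.

```python
import json

# Constructed sample of a MISP attribute export, loosely modelled on the shape of
# /attributes/restSearch output. Every value here is made up for the example.
SAMPLE_MISP_EXPORT = json.dumps({
    "response": {"Attribute": [
        {"event_id": "1042", "type": "ip-dst", "value": "203.0.113.17",
         "to_ids": True, "Event": {"info": "Constructed example: C2 infrastructure"}},
        {"event_id": "1042", "type": "domain", "value": "bad.example",
         "to_ids": True, "Event": {"info": "Constructed example: C2 infrastructure"}},
        {"event_id": "1077", "type": "sha256", "value": "deadbeef" * 8,
         "to_ids": True, "Event": {"info": "Constructed example: dropper hash"}},
        # to_ids is false: the analyst did not flag it for detection, so it is skipped.
        {"event_id": "1090", "type": "ip-dst", "value": "198.51.100.5",
         "to_ids": False, "Event": {"info": "Constructed example: research only"}},
    ]}
})


class DictMemcache:
    """Stand-in for a memcached client. Only get/set are used, so a real client
    (for example pymemcache's Client) can be dropped in for a live Memcached."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


def misp_key(attr_type: str, value: str) -> str:
    # Key convention is this example's own choice: namespace, attribute type, value.
    # Lower-casing keeps domain and hash lookups case-insensitive.
    return f"misp:{attr_type}:{value.lower()}"


def load_misp_into_memcache(export_json: str, cache) -> int:
    """Push every to_ids attribute into the cache, keyed by type and value.
    The stored value is a small JSON context blob. Returns the number of keys written."""
    attributes = json.loads(export_json)["response"]["Attribute"]
    written = 0
    for attr in attributes:
        if not attr.get("to_ids"):
            continue  # not flagged for detection; do not alert on it
        context = {
            "event_id": attr["event_id"],
            "type": attr["type"],
            "info": attr.get("Event", {}).get("info", ""),
        }
        cache.set(misp_key(attr["type"], attr["value"]), json.dumps(context))
        written += 1
    return written


# Which event fields are checked against which MISP attribute types.
# Field names are assumed; adjust them to match your own index mapping.
FIELD_TO_MISP_TYPE = {
    "destination_ip": "ip-dst",
    "dns_query": "domain",
    "file_sha256": "sha256",
}


def enrich_event(event: dict, cache) -> dict:
    """Do what the Logstash memcached filter does in the real pipeline: look each
    interesting field up in the cache and, on a hit, attach the MISP context and a tag."""
    for field, attr_type in FIELD_TO_MISP_TYPE.items():
        value = event.get(field)
        if not value:
            continue
        hit = cache.get(misp_key(attr_type, str(value)))
        if hit is None:
            continue
        context = json.loads(hit)
        context["matched_field"] = field
        context["matched_value"] = value
        event.setdefault("misp", []).append(context)
        tags = event.setdefault("tags", [])
        if "misp_match" not in tags:
            tags.append("misp_match")
    return event


# Constructed sample events, shaped like minimal firewall / DNS log records.
SAMPLE_EVENTS = [
    {"host": "ws-12", "destination_ip": "203.0.113.17"},
    {"host": "ws-12", "dns_query": "BAD.example"},        # mixed case still matches
    {"host": "ws-07", "destination_ip": "198.51.100.5"},  # to_ids false: no match
    {"host": "ws-07", "destination_ip": "192.0.2.10"},    # not in MISP at all
]


def run_pipeline():
    """Load the sample export into the cache, then enrich the sample events."""
    cache = DictMemcache()
    loaded = load_misp_into_memcache(SAMPLE_MISP_EXPORT, cache)
    enriched = [enrich_event(dict(e), cache) for e in SAMPLE_EVENTS]
    return loaded, enriched


if __name__ == "__main__":
    count, events = run_pipeline()
    print(f"{count} indicators loaded into cache")
    for e in events:
        print(json.dumps(e))
```

Two design points carry over to the real setup: only `to_ids` attributes are loaded, which is what keeps low-confidence or research-only indicators from tagging every event they touch, and the context stored under each key is a compact JSON blob, which is all you need to land the MISP event id and description on the matched event for the analyst to pivot on.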