Hey All,
We currently use the Anomali Threatstream app in Enterprise Security along with an on-premise integrator to pull our CTI down.
The data is imported great and works awesome with the Threatstream app.
I would like to see if it's possible to integrate this data with ES itself so it can be leveraged in the Security Intelligence > Threat Intelligence sections and whatever else in ES uses that data model.
I see that Anomali creates a summary index with their data, but all of the fields are different from what is in the DA-ESS-ThreatIntelligence data model. Was hoping to not have to reinvent the wheel here.
Does anyone have any experience setting this up or have any recommendations?
You should approach the vendor on their ES integration. They have known for a long time they do not integrate well with the ES threat intel model. If you are going to cook it yourself, you need to cook off CSV lookup files from their data and map those for ES Threat Intel ingestion yourself. You can sneak a couple of fields that are not in the intel framework in through doing KV pairs in the description field in some cases. Just be careful with that. And you will have to write your own macro to break it back out for use in a search.
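As an added illustration of the do-it-yourself route described above (this is example code, not from the poster, from Anomali or from Splunk ES): the script below maps Anomali-shaped indicator records onto a CSV lookup with ES-style threat intel columns, packs the fields that have no slot in the framework into the `description` field as key=value pairs, and shows the inverse parsing that the "break it back out" macro would do in a search. The column names in `ES_COLUMNS`, the `srcip`/`itype`/`confidence`/`tags`/`date_last`/`source` record fields and the sample records are all assumptions constructed for the example; check them against the lookup definitions in DA-ESS-ThreatIntelligence for your ES version before ingesting anything.

```python
"""
Build an ES threat-intel style CSV lookup from Anomali-shaped indicator records,
smuggling extra fields through the description as key=value pairs, and parse
them back. Example code, not Anomali's or Splunk's; column names are assumptions.
"""
import csv
import io
import re

# Assumed ES ip_intel lookup columns; verify against DA-ESS-ThreatIntelligence.
ES_COLUMNS = ["ip", "description", "threat_key", "weight", "time"]

# Anomali fields with no slot in the framework; carried in description as KV pairs.
EXTRA_FIELDS = ["itype", "confidence", "tags"]

# Constructed sample records shaped like Anomali summary-index events (not real data).
SAMPLE_RECORDS = [
    {"srcip": "203.0.113.10", "itype": "mal_ip", "confidence": 90,
     "tags": "botnet c2", "date_last": "2019-05-01T12:00:00Z", "source": "anomali_ts"},
    {"srcip": "198.51.100.7", "itype": "scan_ip", "confidence": 40,
     "tags": "scanner", "date_last": "2019-05-02T08:30:00Z", "source": "anomali_ts"},
]

# key=value tokens; a value is either a double-quoted string (with \" and \\ escapes)
# or a run of non-whitespace characters.
_TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def pack_kv(extras):
    """Serialize extra fields as key=value pairs, quoting values that contain
    whitespace, quotes or '=' so they survive the round trip."""
    parts = []
    for key, value in extras.items():
        text = str(value)
        if text == "" or re.search(r'[\s"=]', text):
            text = '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{key}={text}")
    return " ".join(parts)


def unpack_kv(description):
    """Inverse of pack_kv: what the search-time macro has to do to recover the fields."""
    result = {}
    for key, raw in _TOKEN_RE.findall(description):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop one level of escaping
        result[key] = raw
    return result


def to_es_row(record):
    """Map one Anomali-shaped record onto the assumed ES ip_intel columns."""
    extras = {k: record[k] for k in EXTRA_FIELDS if k in record}
    return {
        "ip": record["srcip"],
        "description": pack_kv(extras),
        "threat_key": record["source"],
        "weight": str(record["confidence"]),  # assumption: reuse confidence as weight
        "time": record["date_last"],
    }


def build_lookup_csv(records):
    """Render the records as the CSV lookup file ES would ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(to_es_row(rec))
    return buf.getvalue()


def read_lookup_csv(text):
    """Read the lookup back and expand the description KV pairs into fields,
    mirroring what the macro does at search time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row.update(unpack_kv(row["description"]))
        rows.append(row)
    return rows


if __name__ == "__main__":
    lookup = build_lookup_csv(SAMPLE_RECORDS)
    print(lookup)
    for row in read_lookup_csv(lookup):
        print(row["ip"], row["itype"], row["confidence"], row["tags"])
```

The quoting in `pack_kv` is the "be careful" part: a tag such as `botnet c2` or a value containing `=` would otherwise split into bogus pairs when the macro tokenizes the description, so the writer and the search-time parser have to agree on one escaping scheme.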
Yep I hit them up at the same time as I posted this.
They actually said they are working on it in their next release but they don't have an ETA.
Thanks for your response!
Just to add and mark as complete.
Their newest app version 6.4 has the integration built in.
All you have to do is rerun setup, tell it to use CIM data models, and check that Upload to ES Threat Intelligence Framework is ticked within:
Settings -> Data Inputs -> Anomali IOC Ingestion -> threatstream_app
Once that stuff was done it worked like a charm.