# Threat Intelligence

## Overview

Threat intelligence integration provides automated detection of indicators of compromise (IOCs) across network traffic and logs.
## Architecture

```mermaid
graph TB
    subgraph Sources
        OTX[AlienVault OTX]
    end
    subgraph Elastic Stack
        Agent[Elastic Agent]
        TI[(Threat Intel Index)]
        ES[Elasticsearch]
    end
    subgraph Analysis
        Kibana[Kibana]
        Alerts[Alert Rules]
    end
    OTX -->|API| Agent
    Agent --> TI
    TI --> ES
    ES --> Kibana
    ES --> Alerts
```
## Data Sources

### AlienVault OTX

Open Threat Exchange (OTX) provides community-sourced threat intelligence.
| Property | Value |
|---|---|
| Provider | AlienVault |
| Data Types | IPs, Domains, URLs, Hashes |
| Update Frequency | Hourly |
| Integration | Elastic Agent |
### Indicator Types
| Type | Description | Use Case |
|---|---|---|
| IP Address | Malicious IPs | Network blocking |
| Domain | Malicious domains | DNS filtering |
| URL | Malicious URLs | Web filtering |
| File Hash | Malware hashes | File scanning |
## Elastic Integration

### Agent Configuration

The Elastic Agent collects threat intelligence via the `ti_otx` integration:

```yaml
- name: ti_otx
  type: httpjson
  streams:
    - input: httpjson
      vars:
        api_key: "<OTX_API_KEY>"
        interval: 1h
```
### Index Pattern

Threat indicators are stored in the following data streams:

- `logs-ti_otx.*`
## Indicators

### Ingested Indicators
| Indicator Type | Count | Source |
|---|---|---|
| IPv4 | ~10,000+ | OTX |
| Domain | ~15,000+ | OTX |
| URL | ~5,000+ | OTX |
| File Hash | ~3,000+ | OTX |
### Indicator Fields

| Field | Description |
|---|---|
| `threat.indicator.type` | Indicator type (`ip`, `domain`, `url`, `file`) |
| `threat.indicator.ip` | IP address |
| `threat.indicator.domain` | Domain name |
| `threat.indicator.url.full` | Full URL |
| `threat.indicator.file.hash.*` | File hashes |
| `threat.feed.name` | Source feed name |
## Detection

### Correlation Rules

Match network traffic against threat indicators:

```json
{
  "query": {
    "bool": {
      "must": [
        {"match": {"event.category": "network"}},
        {"exists": {"field": "destination.ip"}}
      ]
    }
  }
}
```
### Alert Rules
| Rule | Condition | Severity |
|---|---|---|
| Known Malicious IP | destination.ip in threat.indicator.ip | High |
| Malicious Domain | dns.question.name in threat.indicator.domain | High |
| Suspicious URL | url.full in threat.indicator.url | Medium |
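The three alert rules above, applied outside Elasticsearch so the matching logic can be read and tested in isolation. This is an added example, not code from the original page or from the Elastic `ti_otx` integration; the indicator and event documents are constructed sample data, and the output fields under `threat.indicator.matched.*` follow the field name used in the page's own "Find IOC Matches" query rather than any specific Elastic version. The IP rule carries the page's correlation pre-filter (`event.category` must be `network` and `destination.ip` must exist); the domain rule normalizes case and the trailing dot that DNS logs often carry, which is the usual reason a domain indicator fails to match.

```python
"""Added example (not from the original page): match ECS-style events against
OTX-style threat indicators using the alert rules documented above."""
from __future__ import annotations

from typing import Any

# (rule name, event field, indicator field, severity, required event.category or None).
# Rules and severities are the ones listed in the Alert Rules table.
RULES: list[tuple[str, str, str, str, str | None]] = [
    ("Known Malicious IP", "destination.ip", "threat.indicator.ip", "High", "network"),
    ("Malicious Domain", "dns.question.name", "threat.indicator.domain", "High", None),
    ("Suspicious URL", "url.full", "threat.indicator.url.full", "Medium", None),
]


def get_path(doc: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field name against a nested document; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize(indicator_field: str, value: Any) -> str:
    """Canonical comparison form: domains are case-insensitive and DNS logs may
    append a trailing dot; IPs and URLs are only stripped of whitespace."""
    text = str(value).strip()
    if indicator_field.endswith(".domain"):
        return text.lower().rstrip(".")
    return text


def build_lookup(indicators: list[dict[str, Any]]) -> dict[str, dict[str, str]]:
    """indicator field -> {normalized value -> feed name}, so each event field is
    checked with a dictionary lookup instead of a scan over all indicators."""
    lookup: dict[str, dict[str, str]] = {}
    for ind in indicators:
        feed = get_path(ind, "threat.feed.name") or "unknown"
        for _, _, ind_field, _, _ in RULES:
            value = get_path(ind, ind_field)
            if value is not None:
                lookup.setdefault(ind_field, {})[normalize(ind_field, value)] = feed
    return lookup


def match_events(events: list[dict[str, Any]], indicators: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one match record per (event, rule) hit, in event order."""
    lookup = build_lookup(indicators)
    matches: list[dict[str, Any]] = []
    for event in events:
        cats = get_path(event, "event.category")
        cats = cats if isinstance(cats, list) else [cats]  # ECS allows a list here
        for rule, ev_field, ind_field, severity, required_cat in RULES:
            if required_cat is not None and required_cat not in cats:
                continue
            value = get_path(event, ev_field)
            if value is None:
                continue
            feed = lookup.get(ind_field, {}).get(normalize(ind_field, value))
            if feed is None:
                continue
            matches.append({
                "rule.name": rule,
                "severity": severity,
                "host.name": get_path(event, "host.name"),
                "threat.indicator.matched.field": ev_field,  # assumed enrichment field names
                "threat.indicator.matched.atomic": value,    # (follow the page's query)
                "threat.feed.name": feed,
            })
    return matches


# Constructed sample indicators in the logs-ti_otx.* field layout from the page.
SAMPLE_INDICATORS: list[dict[str, Any]] = [
    {"threat": {"indicator": {"type": "ip", "ip": "203.0.113.10"}, "feed": {"name": "AlienVault OTX"}}},
    {"threat": {"indicator": {"type": "domain", "domain": "evil.example"}, "feed": {"name": "AlienVault OTX"}}},
    {"threat": {"indicator": {"type": "url", "url": {"full": "http://bad.example/payload.bin"}},
                "feed": {"name": "AlienVault OTX"}}},
]

# Constructed sample events: one hit per rule, plus a benign connection.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"event": {"category": ["network"]}, "host": {"name": "web-01"}, "destination": {"ip": "203.0.113.10"}},
    {"event": {"category": ["network"]}, "host": {"name": "ws-07"}, "dns": {"question": {"name": "EVIL.EXAMPLE."}}},
    {"event": {"category": ["web"]}, "host": {"name": "proxy-02"}, "url": {"full": "http://bad.example/payload.bin"}},
    {"event": {"category": ["network"]}, "host": {"name": "web-01"}, "destination": {"ip": "198.51.100.5"}},
]

if __name__ == "__main__":
    for m in match_events(SAMPLE_EVENTS, SAMPLE_INDICATORS):
        print(m)
```

The lookup is rebuilt from the full indicator set on every call; in a long-running matcher you would rebuild it on the feed's hourly update interval rather than per batch.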
## Kibana Dashboards

### Threat Intelligence Overview
- Total indicators by type
- New indicators over time
- Top threat sources
- Geographic distribution
### IOC Matches
- Matched indicators
- Affected hosts
- Timeline of detections
- Investigation links
## Queries

### Find IOC Matches

```json
GET /logs-*/_search
{
  "query": {
    "bool": {
      "must": [
        {"exists": {"field": "threat.indicator.matched"}}
      ]
    }
  }
}
```
### Indicator Stats

```json
GET /logs-ti_otx.*/_search
{
  "size": 0,
  "aggs": {
    "by_type": {
      "terms": {"field": "threat.indicator.type"}
    }
  }
}
```
## Response Actions

### Automated Responses
| Detection | Action |
|---|---|
| Malicious IP | Log, Alert |
| Malware hash | Log, Alert |
| C2 domain | Log, Alert |
### Manual Investigation
- Review matched indicator details
- Check source reputation
- Analyze affected systems
- Determine scope of exposure
- Implement blocking rules
## Best Practices

- **Regular updates** - Keep feeds current
- **False positive tuning** - Review and whitelist legitimate hits
- **Layered detection** - Use multiple indicator types
- **Context enrichment** - Add organizational context
- **Response playbooks** - Document investigation steps
## Maintenance

### Health Checks

```bash
# Check agent status
kubectl get pods -n monitoring -l app=elastic-agent

# Check index health
curl -s "elasticsearch:9200/_cat/indices/logs-ti_otx*?v"
```
### Indicator Freshness
Monitor indicator age to ensure timely updates:
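One way to implement the freshness check, as an added example that is not part of the original page or of the `ti_otx` integration. It distinguishes two different questions: whether an individual indicator is too old to act on (age from the ECS `threat.indicator.last_seen` field, falling back to `@timestamp`), and whether the feed ingest itself has stalled (no document written in the last few polling intervals, using the hourly interval from the agent configuration above). The documents and the reference time are constructed sample data; the 24-hour indicator threshold and the three-missed-intervals tolerance are assumptions to tune per environment.

```python
"""Added example (not from the original page): indicator age and feed-stall checks
over documents in the logs-ti_otx.* field layout."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp as Elasticsearch emits it (trailing Z allowed)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def ingest_age_hours(doc: dict[str, Any], now: datetime) -> float | None:
    """Hours since the document was written (@timestamp); None if missing."""
    ts = doc.get("@timestamp")
    return None if ts is None else (now - parse_ts(ts)).total_seconds() / 3600


def indicator_age_hours(doc: dict[str, Any], now: datetime) -> float | None:
    """Hours since the feed last saw the indicator (threat.indicator.last_seen),
    falling back to ingest time when the feed supplies no last_seen value."""
    last_seen = doc.get("threat", {}).get("indicator", {}).get("last_seen")
    if last_seen is not None:
        return (now - parse_ts(last_seen)).total_seconds() / 3600
    return ingest_age_hours(doc, now)


def stale_indicators(docs: list[dict[str, Any]], now: datetime,
                     max_age_hours: float = 24.0) -> list[dict[str, Any]]:
    """Indicators older than max_age_hours, plus any with no usable timestamp
    (reported with age None, since their freshness cannot be established)."""
    stale: list[dict[str, Any]] = []
    for doc in docs:
        age = indicator_age_hours(doc, now)
        if age is None or age > max_age_hours:
            stale.append({
                "type": doc.get("threat", {}).get("indicator", {}).get("type"),
                "age_hours": None if age is None else round(age, 2),
            })
    return stale


def feed_stalled(docs: list[dict[str, Any]], now: datetime,
                 interval_hours: float = 1.0, missed_intervals: int = 3) -> bool:
    """True when the newest document is older than missed_intervals polling
    intervals; with the page's hourly interval that is 3 hours without ingest."""
    ages = [a for a in (ingest_age_hours(d, now) for d in docs) if a is not None]
    if not ages:
        return True  # nothing ingested at all counts as stalled
    return min(ages) > interval_hours * missed_intervals


# Constructed sample data: reference time and four indicator documents.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS: list[dict[str, Any]] = [
    # fresh: last seen 30 minutes ago
    {"@timestamp": "2024-06-01T11:40:00Z",
     "threat": {"indicator": {"type": "ip", "ip": "203.0.113.10", "last_seen": "2024-06-01T11:30:00Z"}}},
    # re-ingested recently, but the feed last observed it 48 hours ago
    {"@timestamp": "2024-06-01T11:40:00Z",
     "threat": {"indicator": {"type": "domain", "domain": "evil.example", "last_seen": "2024-05-30T12:00:00Z"}}},
    # no last_seen: falls back to ingest time, 12 hours ago
    {"@timestamp": "2024-06-01T00:00:00Z",
     "threat": {"indicator": {"type": "url", "url": {"full": "http://bad.example/x"}}}},
    # no timestamp at all: freshness unknown, treated as stale
    {"threat": {"indicator": {"type": "file", "file": {"hash": {"sha256": "<constructed-hash>"}}}}},
]

if __name__ == "__main__":
    print("stale:", stale_indicators(SAMPLE_DOCS, NOW))
    print("feed stalled:", feed_stalled(SAMPLE_DOCS, NOW))
```

The two checks fail independently: a feed can be ingesting on schedule while still serving old indicators, and a stalled agent leaves every indicator looking current by `last_seen` while nothing new arrives, which only the ingest-time check catches.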