Best log collection solution & zeek intel framework

[subs1138]

Wanted to get the Sec Onion communities opinion on a couple things.

1. What is the best solution for getting host logs with Security Onion?
   Seems like there are a lot of options. Kind of leaning toward beats because seems easiest and the most lightweight, but would appreciate a heads up.

2. Does Zeek Intel Framework work with SecOnion, and either way is it worth while in Sec Onion?
   A smart nerd was telling me that Zeek Intel Framework is amazing, and I should look into standing it up immediately. It does sound nice, but I am not sure what it does that Suricata and Strelka aren't doing already. Has anyone set this up with Sec Onion and mind sharing?

[subs1138]

Never mind on the Agent question. Still catching up, and I see Matt Gracie already did a thorough video on collecting end point logs.

https://www.youtube.com/watch?v=cGmQMsFuAvw&ab_channel=SecurityOnion

[subs1138]

I see the Zeek Intel stuff in the docs now too.
https://docs.securityonion.net/en/2.4/zeek.html#intel

But still not sure if it is worth using or does Suricata already scratch the same itch?

[InfosecGoon]

Zeek Intel is nice because you can just dump a list of indicators into the configuration (domain names, IPs, file hashes, etc.) and then it will trigger an alert if one of them shows up.

MISP can generate Intel rules automatically, so that's a good way to go from "my ISAC sent me this spreadsheet of IOCs" to a detection in minimal time.

[subs1138]

Great Thanks.