OTX correlation in SO #14912
Unanswered
Zer0-cyber-web
asked this question in
Ideas
-
I think what you're looking for is data enrichment. https://www.elastic.co/guide/en/elasticsearch/reference/8.18/ingest-enriching-data.html You can use the integration to ingest the OTX feeds and then create an enrichment policy to pull the info you want to use for matching on your incoming logs. This discussion post contains some info on creating an enrichment policy and some troubleshooting. #14263
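To make the enrichment approach in the reply concrete, here is an added example (not code from Security Onion, Elastic, or the commenter) that builds the two request bodies involved, an enrich policy per indicator type and an ingest pipeline with `enrich` processors, and then simulates the match locally over constructed indicator documents and events so the output shape can be seen without a cluster. The index pattern `logs-ti_otx.*`, the ECS field names `threat.indicator.ip`, `threat.indicator.domain`, `threat.indicator.description`, `threat.indicator.provider`, the event fields `destination.ip` and `dns.question.name`, and the policy and pipeline names are all assumptions; check them against the mapping your OTX integration actually writes.

```python
import json

# Assumptions (not from the discussion): the Elastic OTX integration writes
# indicators to indices matching this pattern with ECS threat.indicator.* fields.
OTX_INDICES = "logs-ti_otx.*"
ENRICH_FIELDS = ["threat.indicator.description", "threat.indicator.provider"]


def enrich_policy(match_field, enrich_fields=ENRICH_FIELDS):
    """Body for PUT /_enrich/policy/<name>: exact-match lookups on match_field,
    copying enrich_fields onto any event that matches."""
    return {"match": {"indices": OTX_INDICES,
                      "match_field": match_field,
                      "enrich_fields": enrich_fields}}


POLICIES = {
    "otx-ip-policy": enrich_policy("threat.indicator.ip"),
    "otx-domain-policy": enrich_policy("threat.indicator.domain"),
}

# Body for PUT /_ingest/pipeline/otx-enrich: one enrich processor per
# event field we want checked against the feed.  ignore_missing skips
# events that lack the field instead of failing the pipeline.
PIPELINE = {"processors": [
    {"enrich": {"policy_name": "otx-ip-policy", "field": "destination.ip",
                "target_field": "otx_match", "max_matches": 1, "ignore_missing": True}},
    {"enrich": {"policy_name": "otx-domain-policy", "field": "dns.question.name",
                "target_field": "otx_match", "max_matches": 1, "ignore_missing": True}},
]}


def api_calls(pipeline_name="otx-enrich"):
    """The (method, path, body) requests to send, in order: create each policy,
    execute it to build its enrich index, then install the pipeline.  Re-run
    _execute whenever the feed changes; the enrich index is a snapshot."""
    calls = []
    for name, body in POLICIES.items():
        calls.append(("PUT", f"/_enrich/policy/{name}", json.dumps(body)))
        calls.append(("POST", f"/_enrich/policy/{name}/_execute", None))
    calls.append(("PUT", f"/_ingest/pipeline/{pipeline_name}", json.dumps(PIPELINE)))
    return calls


def _get(doc, dotted):
    """Read a dotted path from a nested dict; None when any part is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def simulate_enrich(event, indicators):
    """Local stand-in for the ingest node: apply PIPELINE's enrich processors to
    one event using exact matches against the indicator documents.  Keys are
    kept dotted here; the real processor nests them as objects under target_field."""
    out = dict(event)
    for proc in PIPELINE["processors"]:
        cfg = proc["enrich"]
        value = _get(event, cfg["field"])
        if value is None:                       # ignore_missing behaviour
            continue
        policy = POLICIES[cfg["policy_name"]]["match"]
        hits = [i for i in indicators if _get(i, policy["match_field"]) == value]
        if hits:                                # max_matches is 1
            fields = [policy["match_field"]] + policy["enrich_fields"]
            out[cfg["target_field"]] = {f: _get(hits[0], f) for f in fields}
    return out


# Constructed sample data, not real OTX indicators or Security Onion events.
INDICATORS = [
    {"threat": {"indicator": {"ip": "192.0.2.10", "provider": "OTX",
                              "description": "Sample pulse: C2 server (constructed)"}}},
    {"threat": {"indicator": {"domain": "bad.example", "provider": "OTX",
                              "description": "Sample pulse: phishing kit (constructed)"}}},
]
EVENTS = [
    {"destination": {"ip": "192.0.2.10"}},
    {"dns": {"question": {"name": "bad.example"}}},
    {"destination": {"ip": "198.51.100.5"}},    # benign, no match expected
]

if __name__ == "__main__":
    for method, path, body in api_calls():
        print(method, path, body or "")
    for ev in EVENTS:
        print(json.dumps(simulate_enrich(ev, INDICATORS)))
```

The pulse description the original post misses ends up under `otx_match` on the event itself, so a detection rule can simply test for the presence of that field and include `otx_match.threat.indicator.description` in the alert. The pipeline still has to be attached to the log data streams it should process (for example through the index template's default pipeline or a custom pipeline hook), and each policy must be re-executed on a schedule because the enrich index does not follow the source index automatically.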
-
Hi all!
Just to ask for opinion :)
I moved to SO from AlienVault OSSIM, which is at end of support. Actually I am very happy with SO - it gives much more functionality and observability. And the main advantage - it has the ability to manage all my logs :))
But since I was used to OTX threat feeds, I miss them very much. I saw that there is an integration for OTX in Elastic, and also it can be used as an analyzer for observables. But none of these functions are purposed to create alerts on event matching. I tried to create my own Elastic alerts for DNS and IP match. But my knowledge at this point is very limited, so the alerts generated by my rules are also very limited and there's a lack of additional info, like a pulse description.
So - my question is: from your experience, what is an effective way to implement OTX indicators match with SO events in order to generate fully described alerts?
Apart from generating a new ruleset for this purpose - there is a way to convert OTX feed indicators to a Suricata ruleset, but the only existing .py converter is already 9 years old without any commits...
I would greatly appreciate any ideas on that! :)
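For the second route the post mentions, converting OTX indicators into a Suricata ruleset, here is an added example of what such a converter does; it is not the old script referred to above and not part of Security Onion. The indicator records are constructed and follow OTX's `type`/`indicator`/`description` naming as an assumption; the `$HOME_NET` variable, the `trojan-activity` classtype and the SID range starting at 9000000 are also assumptions to adapt to your deployment. Domain rules use the `dns.query` buffer with a `content` prefilter plus a `pcre` anchor so that `bad.example` matches itself and its subdomains but not `notbad.example`; duplicates across pulses, malformed addresses and indicator types that need other keywords (hashes, URLs) are skipped rather than turned into broken rules.

```python
import ipaddress
import re

SID_BASE = 9000000  # assumption: a local SID range reserved for generated rules


def _escape(s):
    """Suricata option strings cannot carry a raw backslash, quote or semicolon."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def domain_rule(domain, description, sid):
    """Alert on a DNS query for the indicator domain or any subdomain of it.
    content gives the engine a fast prefilter; pcre makes the match exact."""
    return (f'alert dns $HOME_NET any -> any any '
            f'(msg:"OTX domain {_escape(domain)} - {_escape(description)}"; '
            f'dns.query; content:"{_escape(domain)}"; nocase; endswith; '
            f'pcre:"/(?:^|\\.){re.escape(domain)}$/i"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def ip_rule(ip, description, sid):
    """Alert on any IP traffic from the monitored network to the indicator address."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
    return (f'alert ip $HOME_NET any -> {ip} any '
            f'(msg:"OTX IP {ip} - {_escape(description)}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def indicators_to_rules(indicators, sid_base=SID_BASE):
    """Turn a list of indicator records into Suricata rule lines, one rule per
    distinct indicator.  SIDs are assigned sequentially only to emitted rules."""
    rules, seen, sid = [], set(), sid_base
    for ind in indicators:
        key = (ind["type"], ind["indicator"].lower())
        if key in seen:            # the same indicator often appears in several pulses
            continue
        seen.add(key)
        if ind["type"] in ("domain", "hostname"):
            rules.append(domain_rule(ind["indicator"].lower(), ind["description"], sid))
        elif ind["type"] in ("IPv4", "IPv6"):
            try:
                rules.append(ip_rule(ind["indicator"], ind["description"], sid))
            except ValueError:
                continue           # do not emit a rule Suricata would refuse to load
        else:
            continue               # hashes, URLs, e-mails need different keywords
        sid += 1
    return rules


# Constructed sample feed, not real OTX data.
INDICATORS = [
    {"type": "domain", "indicator": "bad.example",
     "description": "Sample pulse: phishing kit (constructed)"},
    {"type": "IPv4", "indicator": "192.0.2.10",
     "description": "Sample pulse: C2 server (constructed)"},
    {"type": "IPv4", "indicator": "192.0.2.10",
     "description": "same address from a second pulse"},
    {"type": "IPv4", "indicator": "not-an-ip",
     "description": "malformed entry"},
    {"type": "FileHash-SHA256", "indicator": "0000000000000000000000000000000000000000000000000000000000000000",
     "description": "hash indicator, needs a different rule type"},
]

if __name__ == "__main__":
    for line in indicators_to_rules(INDICATORS):
        print(line)
```

Because the `msg` carries the pulse description, the resulting Suricata alert in SO already has the context the post asks for. Feeds change daily, so the generator has to run on a schedule and the ruleset be reloaded each time, and any real feed should be checked for noisy indicators (shared hosting IPs, CDN domains) before its rules go live, since every match becomes an alert.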