First off, this is a genius project! Great use of Elastic ELK.
-
- I should be able to send you something to set the default kibana index once I get back to my main computer this weekend.
-
- Have you thought about doing OCR on the images? and adding to another field in elasticsearch? If you have, let me know I can send you stuff to help with that.
-
- Have you thought about adding JA3 hashes? If you have, let me know I can send you stuff to help with that. Should be able to be done with packetbeats and some proxies.
-
- Are you able to explain more what is going on with not being able to get the true source IP coorelated/added? Trying to see if I could help anyway.
-
- To solve "Ingest manual IOC data", you should be able to create a directory and point logstash or beats at it. Any new files added should automatically be parsed by logstash/beats file input.
-
- To add more useragent info using logstash useragent parser: https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
-
- To help with "Other alarm channels", you could add in https://github.com/Yelp/elastalert
-
- Have you thought about using translate plugin or even elasticsearch analyzers to make more sense out of keystroke logs? For example, you could create a custom elasticsearch analyzer on the keystroke field (still keep the raw/original key stroke field) and place it in say "keystrokes.analyzed". Your analyzer could essentially allow you easily query keystroke by splitting up in known english or even add other languages.
Also, you could create an even more customized one that essentially creates tokens on 2-3 characters in a row. Would be useful to query large strings/things by matching on only 2/3 characters.
The other languge analyzers would be really great usecase of Elastic because of its many language supports:
https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-kuromoji.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-lang-analyzer.html
I really think you will be able to make sifting through the data even easier and better with all the custom analyzers and use cases of Elastic. Example, I know there are really great use cases of using Elastic essentially as a "file share" / file storage search. Including for microsoft office, images, pdf searching for text. Also, many projects based on images that could be used on the screenshot stuff.
There is so much potential with this already great project.
Keep up the amazing work.
First off, this is a genius project! Great use of Elastic ELK.
Also, you could create an even more customized one that essentially creates tokens on 2-3 characters in a row. Would be useful to query large strings/things by matching on only 2/3 characters.
The other languge analyzers would be really great usecase of Elastic because of its many language supports:
https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-kuromoji.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-lang-analyzer.html
I really think you will be able to make sifting through the data even easier and better with all the custom analyzers and use cases of Elastic. Example, I know there are really great use cases of using Elastic essentially as a "file share" / file storage search. Including for microsoft office, images, pdf searching for text. Also, many projects based on images that could be used on the screenshot stuff.
There is so much potential with this already great project.
Keep up the amazing work.