ElastiFlow NetIntel
The Microsoft Defender Threat Intelligence (MDTI) standalone portal (formerly RiskIQ) reaches end of life on June 30, 2024 and will not be available after that date. Replace your RiskIQ threat enrichment with ElastiFlow's NetIntel enrichment before June 30 to ensure continued service.
To enable NetIntel enrichment you need to be on version 7.x of NetObserv Flow (flowcoll) and on Elasticsearch 8.x or OpenSearch 2.x. You will also need to download and install the latest Kibana Dashboards or OpenSearch Dashboards, respectively.
Overview
ElastiFlow NetObserv Flow provides the ability to enrich flow records with threat intelligence and app/service information provided by ElastiFlow's NetIntel feed. NetIntel can help you quickly identify threats and high-risk traffic in your environment.
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE
Enrichment with NetIntel is enabled by default starting in NetObserv v7. If you don't want NetIntel enrichment, set this option to false.
- Valid Values: true, false
- Default: true
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH & EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH
By default, the NetIntel dataset is retrieved via API requests and stored locally for enrichment. If you want to use NetIntel enrichment in an air-gapped environment, download the dataset on a connected host, copy it across, and specify the path to it with these two options. This feature is only available to standard- or premium-licensed customers.
Install CLI Tools
Ubuntu/Debian Installation (deb)
The Debian package for the NetObserv CLI utility is available from the ElastiFlow releases bucket (URLs below). It can be used for installation on most Debian-based systems such as Debian and Ubuntu.
Download the .deb Package
The package can be downloaded using either the wget or curl command:
wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv_7.4.0_linux_amd64.deb
curl https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv_7.4.0_linux_amd64.deb --output netobserv_7.4.0_linux_amd64.deb
RedHat/AlmaLinux Installation (rpm)
The RPM package for the NetObserv CLI utility is available from the ElastiFlow releases bucket (URLs below). It can be used for installation on most RedHat-based systems such as RHEL, CentOS and AlmaLinux.
Download the .rpm Package
The package can be downloaded using either wget or curl:
wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv-7.4.0-1.x86_64.rpm
curl https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv-7.4.0-1.x86_64.rpm --output netobserv-7.4.0-1.x86_64.rpm
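The page's own instructions stop at the download commands above. The script below is an added example, not ElastiFlow's tooling: it picks the .deb or .rpm from the host's /etc/os-release, downloads it with curl -f so that an HTTP error status fails the download instead of being saved as the package, checks the file magic before handing it to dpkg or rpm (a plain "curl --output" would otherwise happily install an HTML error page), and goes slightly beyond the page by handling both package families in one script. The URLs and file names are the ones on this page; the distribution-family mapping, the magic checks and the "install" subcommand are assumptions of the example.

```sh
#!/bin/sh
# Added example (not ElastiFlow's own tooling): choose, download, validate and
# install the NetObserv CLI package for this host.
# Assumptions: the 7.4.0 URLs from the page; ID/ID_LIKE in /etc/os-release
# decide deb vs rpm; no checksum is published next to the files, so the SHA256
# printed here is for your own deployment record, not for verification.
set -eu

BASE_URL="https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv"
DEB_PKG="netobserv_7.4.0_linux_amd64.deb"
RPM_PKG="netobserv-7.4.0-1.x86_64.rpm"

# Decide deb vs rpm from os-release text (passed in as a string so it can be
# tested offline). Prints the package file name; fails for an unknown family
# instead of guessing.
select_package() {
  os_release="$1"
  # Collect the ID= and ID_LIKE= values as one lowercase, quote-free word list.
  ids=$(printf '%s\n' "$os_release" \
        | sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' \
        | tr -d '"' | tr 'A-Z' 'a-z' | tr '\n' ' ')
  case " $ids " in
    *" debian "*|*" ubuntu "*)               printf '%s\n' "$DEB_PKG" ;;
    *" rhel "*|*" fedora "*|*" centos "*)    printf '%s\n' "$RPM_PKG" ;;
    *) echo "unsupported distribution family: $ids" >&2; return 1 ;;
  esac
}

# True when the file starts with the deb (ar archive) or rpm lead magic, so a
# truncated or HTML "package" is rejected before dpkg/rpm ever sees it.
looks_like_package() {
  f="$1"
  case "$f" in
    *.deb) [ "$(head -c 7 "$f" 2>/dev/null)" = '!<arch>' ] ;;
    *.rpm) [ "$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 'edabeedb' ] ;;
    *) return 1 ;;
  esac
}

# Download with -f (fail on HTTP errors), validate, then install with the
# native package tool.
fetch_and_install() {
  pkg=$(select_package "$(cat /etc/os-release)")
  curl -fsSL "$BASE_URL/$pkg" --output "$pkg"
  looks_like_package "$pkg" || {
    echo "$pkg is not a valid package file; not installing" >&2
    rm -f "$pkg"
    return 1
  }
  sha256sum "$pkg"   # keep this with your change record for the deployed version
  case "$pkg" in
    *.deb) sudo dpkg -i "$pkg" ;;
    *.rpm) sudo rpm -Uvh "$pkg" ;;
  esac
}

# Only touch the network and the package database when explicitly asked.
if [ "${1:-}" = "install" ]; then
  fetch_and_install
fi
```

Run it as `sh install-netobserv.sh install` on the target host; without the subcommand it only defines the functions, which is what lets the selection and validation logic be exercised without network access.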
Download Dataset
To download the NetIntel dataset, fill in your account ID and license key and run the following as a single command. The variables must be passed on the same command line as netobserv, so every line except the last ends with a backslash:
EF_ACCOUNT_ID="" \
EF_FLOW_LICENSED_UNITS=0 \
EF_FLOW_LICENSE_KEY="" \
EF_LICENSE_ACCEPTED="true" \
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH=/etc/elastiflow/netintel/ipdb.pb \
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH=/etc/elastiflow/netintel/threat_collection.pb \
./netobserv pull dataset --source=netintel
Run this command from a directory where the user has write permission; the user also needs write permission on the directory named in the two *_PATH variables (here /etc/elastiflow/netintel), since the dataset files are created there.
Then provide the paths to the dataset files in the flowcoll configuration:
- Valid Values: a path to the downloaded file, for example /etc/elastiflow/netintel/ipdb.pb for EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH and /etc/elastiflow/netintel/threat_collection.pb for EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH
- Default: `` (empty for both; with no path set, the dataset is fetched via the API)
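The air-gapped procedure above has three steps: pull the dataset on a connected host, move the two files to the isolated host, and point flowcoll at them. The script below is an added example, not ElastiFlow's tooling, that wraps those steps and adds the check a practitioner wants between steps two and three: checksums recorded at pull time and verified after the transfer, so a truncated or substituted threat collection is refused rather than silently loaded. The two EF_*_PATH variables, the file names and the pull command are from this page; the staging directory, the SHA256SUMS file, the pull/verify subcommands and the idea of printing the environment lines for you to paste into flowcoll's configuration are assumptions of the example.

```sh
#!/bin/sh
# Added example (not ElastiFlow's own tooling): stage the NetIntel dataset for
# an air-gapped flowcoll host.
#   connected host:  EF_ACCOUNT_ID=... EF_FLOW_LICENSE_KEY=... sh stage.sh pull
#   air-gapped host: sh stage.sh verify   (after copying the directory across)
# Assumptions: NETINTEL_DIR as the staging directory, a SHA256SUMS file beside
# the dataset, and that you paste the printed EF_* lines into flowcoll's
# environment configuration yourself.
set -eu

NETINTEL_DIR="${NETINTEL_DIR:-/etc/elastiflow/netintel}"
IPDB="ipdb.pb"
THREATS="threat_collection.pb"
SUMS="SHA256SUMS"

# Connected host: pull both files into $NETINTEL_DIR using the license values
# from the environment (fail early if they are missing) and record checksums.
pull_dataset() {
  : "${EF_ACCOUNT_ID:?set EF_ACCOUNT_ID}" "${EF_FLOW_LICENSE_KEY:?set EF_FLOW_LICENSE_KEY}"
  mkdir -p "$NETINTEL_DIR"
  EF_LICENSE_ACCEPTED=true \
  EF_FLOW_LICENSED_UNITS="${EF_FLOW_LICENSED_UNITS:-0}" \
  EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH="$NETINTEL_DIR/$IPDB" \
  EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH="$NETINTEL_DIR/$THREATS" \
  ./netobserv pull dataset --source=netintel
  record_checksums "$NETINTEL_DIR"
}

# Write SHA256SUMS next to the dataset files. Fails if either file is missing
# or empty, so a broken pull can never be "verified" successfully later.
record_checksums() {
  dir="$1"
  for f in "$IPDB" "$THREATS"; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  (cd "$dir" && sha256sum "$IPDB" "$THREATS" > "$SUMS")
}

# Air-gapped host: confirm the copied files are byte-for-byte what was pulled.
verify_dataset() {
  dir="$1"
  [ -s "$dir/$SUMS" ] || { echo "no $SUMS in $dir" >&2; return 1; }
  (cd "$dir" && sha256sum -c "$SUMS" >/dev/null)
}

# Print the flowcoll environment lines for the verified files. Enrichment is
# on by default in 7.x; the ENABLE line is included to make the intent explicit.
render_config() {
  dir="$1"
  printf 'EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE=true\n'
  printf 'EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH=%s/%s\n' "$dir" "$IPDB"
  printf 'EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH=%s/%s\n' "$dir" "$THREATS"
}

case "${1:-}" in
  pull)   pull_dataset ;;
  verify) verify_dataset "$NETINTEL_DIR" && render_config "$NETINTEL_DIR" ;;
  "")     ;;   # no subcommand: only define the functions
  *)      echo "usage: $0 pull|verify" >&2; exit 2 ;;
esac
```

The verify step exits nonzero and prints nothing usable if a checksum does not match, which is the behaviour you want in an automated rollout: flowcoll is only reconfigured once the copied threat collection is known to be intact.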