Skip to main content
Version: 7.5

ElastiFlow NetIntel

warning

The Microsoft Defender Threat Intelligence (MDTI) standalone portal (formerly RiskIQ) is reaching end of life at June 30th 2024 and will not be available after this date. Please replace your RiskIQ threat enrichment with ElastiFlow's NetIntel enrichment before June 30th to ensure continued service.

note

In order to enable NetIntel enrichment you need to be on version 7.x of NetObserv Flow (flowcoll) and on Elasticsearch 8.x or OpenSearch 2.x. You will also need to download and install the latest Kibana Dashboards or OpenSearch Dashboards respectively.

Overview

ElastiFlow NetObserv Flow provides the ability to enrich flow records with threat intelligence and app/service information provided by ElastiFlow's NetIntel feed. NetIntel can help you quickly identify threats and high-risk traffic in your environment.

EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE

Enrichment with NetIntel is enabled by default starting in NetObserv v7. If you don't want NetIntel enrichment set this option to false.

  • Valid Values
    • true, false
  • Default
    • true

EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH & EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH

By default, the NetIntel dataset is retrieved via API requests and stored for enrichment purposes. If you want to use NetIntel enrichment in an air-gapped environment, download the dataset and specify the path to it. This feature is only available to standard or premium licensed customers

Install CLI Tools

Ubuntu/Debian Installation (deb)

The Debian package for the NetObserv cli utility can be downloaded from here. It can be used for installation on most Debian-based systems such as Debian and Ubuntu.

Download the .deb Package

The package can be downloaded using either the wget or curl command:

wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv_7.5.1_linux_amd64.deb
curl https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv_7.5.1_linux_amd64.deb --output netobserv_7.5.1_linux_amd64.deb
RedHat/AlmaLinux Installation (rpm)

The RPM package for the NetObserv cli utility can be downloaded from here. It can be used for installation on most RedHat-based systems such as RHEL and CentOS.

Download the .rpm Package

The package can be easily downloaded using wget or curl:

wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv-7.5.1-1.x86_64.rpm
curl https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv-7.5.1-1.x86_64.rpm --output netobserv-7.5.1-1.x86_64.rpm

Download Dataset

To download the NetIntel dataset, use the following command:

EF_ACCOUNT_ID=""
EF_FLOW_LICENSED_UNITS=0
EF_FLOW_LICENSE_KEY=""
EF_LICENSE_ACCEPTED="true"
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH=/etc/elastiflow/netintel/ipdb.pb \
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH=/etc/elastiflow/netintel/threat_collection.pb \
./netobserv pull dataset --source=netintel
note

This command must run within a directory where the user has write permissions to create the files.

Then, provide the path to the dataset files in the configuration:

  • Valid Values
    • /etc/elastiflow/netintel/ipdb.pb #PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH
    • /etc/elastiflow/netintel/threat_collection.pb #PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH
  • Default
    • ``
    • ``