Version: 7.0

ElastiFlow NetIntel

note

The Microsoft Defender Threat Intelligence (MDTI) standalone portal (formerly RiskIQ) reaches end of life on June 30, 2024 and will not be available after that date. Replace your RiskIQ threat enrichment with ElastiFlow's NetIntel enrichment before June 30, 2024 to ensure continued service.

Overview

ElastiFlow NetObserv Flow provides the ability to enrich flow records with threat intelligence and app/service information provided by ElastiFlow's NetIntel feed. NetIntel can help you quickly identify threats and high-risk traffic in your environment.

Configuring the NetIntel integration

Enrichment with NetIntel is enabled by default starting in NetObserv v7. If you do not want threat or app/service identification enrichment, open the flowcoll.yml file and set the following option to 'false' (disabling it turns off both the threat and the app/service enrichment):


EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE: 'true'
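Because the option defaults to enabled in v7, a flowcoll.yml that simply omits the key still has NetIntel enrichment on. The following POSIX shell check is an added example, not code from the ElastiFlow documentation or product: it reports the effective state for a given flowcoll.yml, treating an absent key as enabled. It assumes the key appears on its own line in the `KEY: 'value'` form shown above; the helper name netintel_state and the sample files it builds are the example's own.

```shell
#!/bin/sh
# Added example (not ElastiFlow code): report whether NetIntel enrichment is
# effectively enabled in a flowcoll.yml. In NetObserv v7 the option defaults
# to 'true', so a missing key is reported as "enabled".

# netintel_state FILE -> prints "enabled" or "disabled"
netintel_state() {
    file="$1"
    # Take the last uncommented assignment of the key, drop the key name and
    # any trailing comment, then strip whitespace and quotes and lowercase it.
    val=$(grep -E '^[[:space:]]*EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE[[:space:]]*:' "$file" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^:]*://' -e 's/#.*$//' -e 's/[[:space:]]//g' -e "s/['\"]//g" \
        | tr '[:upper:]' '[:lower:]')
    case "$val" in
        false|no|off|0) echo disabled ;;
        *)              echo enabled ;;   # 'true', or key absent -> v7 default
    esac
}

# Demo on three constructed files (sample input, not real configs).
demo_dir=$(mktemp -d)
printf '%s\n' "EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE: 'true'" > "$demo_dir/default.yml"
printf '%s\n' "EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE: 'false'  # no threat/app enrichment" > "$demo_dir/off.yml"
: > "$demo_dir/absent.yml"   # key omitted entirely
for f in default off absent; do
    printf '%s: %s\n' "$f.yml" "$(netintel_state "$demo_dir/$f.yml")"
done
rm -rf "$demo_dir"
```

Run it against your real file with `netintel_state /path/to/flowcoll.yml` after sourcing the script; a result of "enabled" for a file where you expected the enrichment to be off usually means the key is missing or commented out rather than set to 'false'.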

note

NetIntel enrichment requires version 7.x of NetObserv Flow (flowcoll) and either Elasticsearch 8.x or OpenSearch 2.x. You will also need to download and install the latest Kibana Dashboards or OpenSearch Dashboards, respectively, to view the enriched fields.