search
Ctrlk

ElastiFlow NetIntel

circle-exclamation

In order to enable NetIntel enrichment, you need to be on version 7.x of NetObserv Flow (flowcoll) and on Elasticsearch 8.x or OpenSearch 2.x. You will also need to download and install the latest Kibana Dashboardsarrow-up-right or OpenSearch Dashboardsarrow-up-right respectively.

hashtag
Overview

ElastiFlow NetObserv Flow provides the ability to enrich flow records with threat intelligence and app/service information provided by ElastiFlow's NetIntel feed. NetIntel can help you quickly identify threats and high-risk traffic in your environment.

hashtag
Configurations

hashtag
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE

Enrichment with NetIntel is enabled by default starting in NetObserv v7. If you don't want NetIntel enrichment set this option to false.

  • Valid Values

    • true, false

  • Default

    • true

hashtag
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_AS_PREFIX_PRECISION

It's possible for an Autonomous system to house other Autonomous systems. Therefore, a user can either get the most specific AS prefix or all the prefixes for all the Autonomous systems a packet went through.

  • Valid Values

    • all, exact

  • Default Value

    • exact

hashtag
Air-Gapped Environment Configurations

By default, the NetIntel dataset is retrieved via API requests and stored to the Data Path directory for enrichment purposes. If you want to use NetIntel enrichment in an air-gapped environment, download the dataset and specify the path to it.

circle-info

This feature is only available to standard or premium licensed customers.

hashtag
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH

Path for the downloaded Threat Collection dataset. Setting this configuration option to non-empty string disables the recurring retrieval of the Threat Collection dataset.

  • Default

    • ''

  • Recommended

    • /etc/elastiflow/netintel/threat_collection.pb

hashtag
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH

Path for the downloaded IPDB dataset. Setting this configuration option to non-empty string disables the recurring retrieval of the IPDB dataset.

  • Default

    • ''

  • Recommended

    • /etc/elastiflow/netintel/ipdb.pb

hashtag
Downloading the dataset

hashtag
Installing `netobserv` CLI Tool

You can download and install the netobserv CLI tool on Linux machines via our deb or rpm packages.

deb:

rpm:

If upgrading from a previously installed rpm, run the following:

hashtag
Download the Dataset

To download the NetIntel dataset, use the following command:

Or, alternatively,

circle-info

You must have permission to write to the download paths (/etc/elastiflow/netintel is the default)

Then, provide the path to the dataset files in the NetObserv Flow configuration by setting the EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH and EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH respectively.

PreviousIP Address EnrichmentNextMaxmind GeoIP2 and GeoLite2

Last updated

Was this helpful?