Run Book

Verify That the Threat Intel Events Are Enriched

After you finish enriching your new data source, you should verify that the output matches your enrichment information.

By convention, the index where the new messages are indexed is called squid_index_[timestamp] and the document type is squid_doc.

Use the Elasticsearch Head plug-in to verify that the messages display your enrichment information:

  1. Log in to the $SEARCH_HOST host:

    ssh $SEARCH_HOST
  2. Install the head plug-in:

    If you are connected to the internet, you can use the following command:

    /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head/1.x

    If you are not connected to the internet, complete the following steps:

    1. Download the plug-in tar.gz manually.

    2. Untar it into the Elasticsearch plugins directory.

    3. At this point, the URL http://$SEARCH_HOST:9200/_plugin/head/ should work (don't forget the trailing /).

  3. Navigate to the Elasticsearch Head UI: http://$SEARCH_HOST:9200/_plugin/head/.

  4. Click the Browser tab, select the squid document type in the left panel, and then select one of the sample documents.

    You should see something like the following:

    Figure 5.3. Elasticsearch

  5. Review the output to ensure it reflects the enrichment functions you used.
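Clicking through documents in the Head UI works for a handful of samples, but a scripted check over a full `_search` response is more reliable when verifying that every squid_doc carries the enrichment fields you configured. The following is an added example, not code from the run book or from the Metron project: it picks the newest `squid_index_[timestamp]` index, parses a `_search` response, and reports which expected fields are missing per document. The `EXPECTED_FIELDS` names follow the `enrichments.<type>.<field>.<key>` / `threatintels.<type>.<field>.<key>` layout and are assumptions you should replace with the fields your own enrichment configuration produces; the sample response and index name are constructed for the example.

```python
"""Offline check that squid documents carry the expected enrichment fields.

Added example for the run book step "Verify That the Threat Intel Events Are
Enriched"; not part of the original page or of Metron itself. EXPECTED_FIELDS
and SAMPLE_SEARCH_RESPONSE are constructed assumptions.
"""
import json
import re
from typing import Dict, List, Optional

# Run-book convention: the squid index is named squid_index_[timestamp].
SQUID_INDEX_RE = re.compile(r"^squid_index_[\d.]+$")

# ASSUMED enrichment field names; swap in the ones your enrichments actually emit.
EXPECTED_FIELDS = [
    "enrichments.geo.ip_dst_addr.country",
    "threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip",
    "is_alert",
]

# CONSTRUCTED sample _search response: doc 1 is fully enriched, doc 2 is
# missing its threat-intel hit and alert flag. IPs are from the RFC 5737
# documentation range.
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "hits": {
        "total": 2,
        "hits": [
            {"_index": "squid_index_2017.05.01.12", "_type": "squid_doc", "_id": "1",
             "_source": {
                 "ip_dst_addr": "203.0.113.10",
                 "enrichments.geo.ip_dst_addr.country": "US",
                 "threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip": "alert",
                 "is_alert": "true"}},
            {"_index": "squid_index_2017.05.01.12", "_type": "squid_doc", "_id": "2",
             "_source": {
                 "ip_dst_addr": "203.0.113.11",
                 "enrichments.geo.ip_dst_addr.country": "US"}},
        ]
    }
})


def search_url(search_host: str, index: str) -> str:
    """Build the _search URL for one index on the $SEARCH_HOST node (port 9200)."""
    return f"http://{search_host}:9200/{index}/_search"


def latest_squid_index(index_names: List[str]) -> Optional[str]:
    """Return the newest squid_index_* name; timestamps sort lexically when zero-padded."""
    matches = sorted(n for n in index_names if SQUID_INDEX_RE.match(n))
    return matches[-1] if matches else None


def missing_enrichments(source: Dict, expected_fields: List[str]) -> List[str]:
    """List the expected fields that are absent or empty in one document's _source."""
    return [f for f in expected_fields if source.get(f) in (None, "", [], {})]


def check_search_response(raw_json: str, expected_fields: List[str],
                          doc_type: str = "squid_doc") -> Dict[str, List[str]]:
    """Map document id -> missing fields for every doc of the given type.

    Documents of another _type are ignored. An empty dict means every
    squid_doc in the response reflects the configured enrichments.
    """
    hits = json.loads(raw_json)["hits"]["hits"]
    report: Dict[str, List[str]] = {}
    for hit in hits:
        if hit.get("_type") != doc_type:
            continue
        missing = missing_enrichments(hit.get("_source", {}), expected_fields)
        if missing:
            report[hit["_id"]] = missing
    return report


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; see usage note for live data.
    for doc_id, fields in check_search_response(SAMPLE_SEARCH_RESPONSE, EXPECTED_FIELDS).items():
        print(f"doc {doc_id} is missing: {', '.join(fields)}")
```

Against a live cluster, replace the sample with the body of `urllib.request.urlopen(search_url("$SEARCH_HOST", latest_squid_index(names)))`, where `names` comes from the `_cat/indices` listing; any non-empty report means an enrichment (geo, threat intel, or the alert flag) did not land for that document and the enrichment configuration should be rechecked before moving on.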