Is there a way to add additional data sources to the SIEM dashboard? I have an index, syslog-, that collects data from our network switches & firewalls. It does use the ECS conventions. The dashboard seems to only use auditbeat-, filebeat-, packetbeat-, winlogbeat-*.
Data is currently collected via a Logstash UDP input plugin and then parsed & enriched before being sent to ES. I know filebeat can do syslog, but I haven't played with creating my own module or using processors/filters.
Yes! The way to add additional index patterns to the SIEM dashboard is by going to Management from the sidebar, then "Advanced Settings" under Kibana. From there, scroll to the SIEM section where you will find the "Default index" input. This is where you can add your index pattern.
Thanks! That appears to be what I needed.
Brilliant! Exactly what I was looking.
Just wanted to add that, on 'Visualize' you can choose the index you get the data from.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.