Add additional data source to SIEM dashboard

Is there a way to add additional data sources to the SIEM dashboard? I have an index, syslog-*, that collects data from our network switches & firewalls. It does use the ECS conventions. The dashboard seems to only use auditbeat-*, filebeat-*, packetbeat-*, winlogbeat-*.

Data is currently collected via a Logstash UDP input plugin and then parsed & enriched before being sent to ES. I know filebeat can do syslog, but I haven't played with creating my own module or using processors/filters.

Yes! The way to add additional index patterns to the SIEM dashboard is by going to Management from the sidebar, then "Advanced Settings" under Kibana. From there, scroll to the SIEM section where you will find the "Default index" input. This is where you can add your index pattern.

Thanks! That appears to be what I needed.

Brilliant! Exactly what I was looking for.

Just wanted to add that, on 'Visualize' you can choose the index you get the data from.
