I have set up my Elastic Stack with Winlogbeat and Packetbeat running through my Logstash. I customized my Sysmon (Winlogbeat) dashboard and used some default templates for the Packetbeat one.
Now I would like to add some alerts to my ES. My goal is to get as close as possible to a SIEM with my ES. Now that I have some data and visuals flowing in my Kibana, I am missing some alerts that would stand out.
I would like to have some icon notification, either in Dashboards or in the Discover tab, that would notify me that this is a possible incident / threat (e.g. a red triangle (if severity is high) next to some output data).
Of course I tried browsing for it and I ran into ElastAlert. I tried that one, but if I understood it correctly, it would only notify me by e-mail (if I configured the rule so) when a hit was made. I am seeking a solution that can do that too and can also be displayed on my Kibana dashboard.
EXAMPLE:
Winlogbeat detects a cmd.exe execution. I define that as a threat. Now, once Logstash forwards that to Elasticsearch, I want Kibana to display that index as an alert (red triangle next to the log data, red text, whatever, something that stands out among all those other logs).
Is there any other idea on how to implement such a thing?
Using Watcher, you can detect specific events occurring and then have it send an e-mail and index a document specifying what happened. After the document is indexed, you can integrate this to be displayed in the Kibana Dashboard a number of ways. You could create a Visualization that simply lists these alerts, or you can use Time Series Visual Builder's annotations to overlay this information on a specific chart.
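A Watcher definition of the kind the reply describes, added here as an illustration and not taken from the original thread: every minute it searches the Sysmon process-creation events (event ID 1) that Winlogbeat ships, and when a cmd.exe execution is found it indexes one document per hit into an `alerts` index and sends an e-mail. The field names (`event_id`, `event_data.Image`, `event_data.CommandLine`, `computer_name`), the `alerts` index name and the recipient address are assumptions based on pre-ECS Winlogbeat naming, and the watch is written for the 6.x API (`PUT _xpack/watcher/watch/sysmon-cmd-exec`), so adjust them to your own mapping and version.

```json
{
  "metadata": { "rule": "sysmon-cmd-exec", "severity": "high" },
  "trigger": { "schedule": { "interval": "1m" } },
  "throttle_period": "5m",
  "input": {
    "search": {
      "request": {
        "indices": [ "winlogbeat-*" ],
        "body": {
          "size": 50,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "{{ctx.trigger.scheduled_time}}||-1m" } } },
                { "term": { "event_id": 1 } },
                { "wildcard": { "event_data.Image": "*\\\\cmd.exe" } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def docs = []; for (h in ctx.payload.hits.hits) { def s = h._source; docs.add(['@timestamp': s['@timestamp'], 'host': s.computer_name, 'image': s.event_data.Image, 'command_line': s.event_data.CommandLine, 'rule': ctx.metadata.rule, 'severity': ctx.metadata.severity]); } return ['_doc': docs];"
    }
  },
  "actions": {
    "index_alert": {
      "index": { "index": "alerts", "doc_type": "doc" }
    },
    "notify_email": {
      "email": {
        "to": "soc@example.com",
        "subject": "[{{ctx.metadata.severity}}] cmd.exe execution detected by Sysmon",
        "body": { "text": "{{#ctx.payload._doc}}{{host}}: {{command_line}}\n{{/ctx.payload._doc}}" }
      }
    }
  }
}
```

The `severity` and `rule` fields carried into each alert document are what a saved search, data-table visualization or TSVB annotation on the `alerts` index can key off to mark the hit in red on the dashboard, as the reply suggests.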
Do you perhaps know any open-source alternatives for what I am seeking? I know something 3rd-party won't integrate as nicely with my stack as your solution, but maybe if I put in effort.