Hello there, I am trying to build a SIEM using open source tools.
Using ELK, Suricata for IDS, MySQL as a DB, Nginx as web server, Open Distro for alerting, and I am still developing the architecture.
I would appreciate your help. What to add? What is best for threat detection and intelligence, network monitoring, and is there an open source UEBA?
We don't support Open Distro here. It's a different project from the official distribution of Elasticsearch, which contains all the things you need to build a SIEM solution out of the box.
Just try it on cloud.elastic.co (14 days for free). You will see the SIEM app in Kibana.
You get a lot of that by simply installing the Elastic Stack 7.6 and using Beats for data collection. We've got a Filebeat module for Suricata and a Detections page in SIEM that comes with almost 100 pre-built rules.
You can't go wrong with using Zeek for network traffic analysis. It pairs great with Suricata, in most cases on the same box. Suricata will give you alerts/detections, while Zeek will enable hunting and understanding of your network traffic patterns in general. If you would like to put this all together, having a great and open log pipeline into Elasticsearch is critical, and it should preferably follow the ECS schema. Filebeat comes with a Zeek module, but it only has pre-defined mappings that don't even play nicely with Elastic SIEM, and don't fully follow ECS yet. I'm using the ZeerBit pipeline for Zeek. It works with or without the SIEM module, including on Elastic Cloud. Check out https://github.com/ZeerBit/zeerbit-ecs-pipeline
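To make the "pipeline should follow ECS" point concrete, here is an added example (not code from this thread or from the ZeerBit project) that maps one Zeek conn.log JSON record onto ECS field names so the SIEM app can read it as a network event. The Zeek side uses the standard conn.log column names; the sample log line is constructed, and the mapping is my own rather than the ZeerBit or Filebeat one.

```python
"""Map a Zeek conn.log record (JSON output) onto ECS fields.

Added example, not code from the thread or from the ZeerBit project.
The ECS targets (source.*, destination.*, network.*, event.*, related.ip)
follow the ECS field reference; the sample line below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample: one Zeek conn.log line as emitted with JSON logging.
SAMPLE_CONN = (
    '{"ts":1583000000.123,"uid":"CXyz1abc","id.orig_h":"10.0.0.5",'
    '"id.orig_p":49152,"id.resp_h":"203.0.113.10","id.resp_p":443,'
    '"proto":"tcp","service":"ssl","duration":1.5,"orig_bytes":800,'
    '"resp_bytes":4200,"conn_state":"SF"}'
)

def conn_to_ecs(line: str) -> dict:
    """Translate one Zeek conn.log JSON line into an ECS-shaped document."""
    z = json.loads(line)
    ts = datetime.fromtimestamp(z["ts"], tz=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "event": {"kind": "event", "category": ["network"], "type": ["connection"],
                  "dataset": "zeek.connection", "module": "zeek", "id": z["uid"]},
        "source": {"ip": z["id.orig_h"], "port": z["id.orig_p"]},
        "destination": {"ip": z["id.resp_h"], "port": z["id.resp_p"]},
        "network": {"transport": z["proto"]},
        # related.ip lets a single SIEM query hit either side of the connection
        "related": {"ip": sorted({z["id.orig_h"], z["id.resp_h"]})},
        "zeek": {"connection": {"state": z.get("conn_state")}},
    }
    # Optional fields: Zeek omits them (or writes "-") when unknown.
    if z.get("service") and z["service"] != "-":
        doc["network"]["protocol"] = z["service"]
    if z.get("duration") is not None:
        doc["event"]["duration"] = int(z["duration"] * 1_000_000_000)  # ECS uses ns
    ob, rb = z.get("orig_bytes"), z.get("resp_bytes")
    if ob is not None:
        doc["source"]["bytes"] = ob
    if rb is not None:
        doc["destination"]["bytes"] = rb
    if ob is not None and rb is not None:
        doc["network"]["bytes"] = ob + rb
    return doc

if __name__ == "__main__":
    print(json.dumps(conn_to_ecs(SAMPLE_CONN), indent=2))
```

The same shape (ip/port/transport/bytes under ECS names plus related.ip) is what the SIEM app's network pages and its pre-built rules key on, so a record missing them will be indexed but never surface there.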