Hi, I see that ELK has the capability of a good log management tool; however, can it also be used as a SIEM? Does it have capabilities, or can its capabilities be extended, to make sense of my various log sources and tell me who is doing what? Displaying a bunch of statistics like top IP addresses or top destination ports does not really tell me anything. ELK allows us to have visibility into what type of traffic we have, but I don't think it can be intelligent enough to make sense of logs, unless we give it specific rules and queries? Thanks.
I'm interested in hearing the answer to these questions too. I'm looking at setting up ELK as a proof of concept to see if it can replace our SIEM.
s802645, if I find any lessons learned I'll let you know.
USAA presented an excellent SIEM augment/replace use case at Feb 2016 ElasticON. Their slides and recording are below. Generally speaking, it's not that difficult to create most of your SIEM rules on Elasticsearch, but it can be difficult or impossible to create advanced rules/detection without a full development stack running on top of Elasticsearch.
USAA claimed to recreate 80% of their SIEM rules (they didn't name the SIEM) on Elasticsearch.
They create alerts in Elasticsearch (I believe with Watcher) and forward them to their SIEM for incident management & workflow.
On the other hand, why would you want a less-capable product in a critical area like security? Why reinvent the wheel, and take on the responsibility of creating and maintaining/extending security rules that many vendors will do for you? Some folks claim a cost advantage, but unless you have unlimited staffing, it seems a false savings to dedicate resources to building a SIEM, instead of spending that money on security analysts and investigators.
Blog post: link
Full slides & video: link
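As an added illustration of the pattern described above (recreate a SIEM rule on Elasticsearch, raise the alert with Watcher, forward it to the SIEM for workflow), here is a watch written for this thread, not USAA's or any poster's code: it fires when a single source IP produces 20 or more authentication failures within five minutes and posts the offending sources to the SIEM's intake webhook. The index pattern, the ECS-style field names, the threshold of 20 and the SIEM host/path are assumptions; the document is the body of a PUT _watcher/watch/failed-logins-by-source request.

```json
{
  "metadata": { "rule": "brute-force-source", "threshold": 20 },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "auth-logs-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event.category": "authentication" } },
                { "term": { "event.outcome": "failure" } },
                { "range": { "@timestamp": { "gte": "{{ctx.trigger.scheduled_time}}||-5m" } } }
              ]
            }
          },
          "aggs": {
            "by_source": {
              "terms": { "field": "source.ip", "size": 10, "min_doc_count": 20 },
              "aggs": { "targets": { "terms": { "field": "user.name", "size": 5 } } }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.by_source.buckets": {
        "path": "doc_count",
        "gte": { "value": 20 }
      }
    }
  },
  "actions": {
    "forward_to_siem": {
      "throttle_period": "15m",
      "webhook": {
        "scheme": "https",
        "host": "siem.example.internal",
        "port": 443,
        "method": "post",
        "path": "/api/alerts",
        "headers": { "Content-Type": "application/json" },
        "body": "{\"rule\":\"{{ctx.metadata.rule}}\",\"watch\":\"{{ctx.watch_id}}\",\"fired_at\":\"{{ctx.execution_time}}\",\"offenders\":{{#toJson}}ctx.payload.aggregations.by_source.buckets{{/toJson}}}"
      }
    }
  }
}
```

The min_doc_count on the terms aggregation keeps sub-threshold sources out of the payload, the array_compare condition stops the watch from firing on an empty result, and the action-level throttle_period prevents the same offender being forwarded to the SIEM on every five-minute run.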