Can we consolidate or correlate simliar incidents

ksrawat88 · November 2, 2023, 3:18pm

We are using open source ELK stack and we have different log sources enabled. Is there anyway we can have log correlation between different log sources.

For example if we search for one IP or user we can see all logs from different logs sources realated to that IP or source.

Another question :- is there any way we can consolidate similar alerts in single incident and correlate logs from different source on investigation.

For example - If we have alerts from one user from Firewall logs, and one alert from AD logs or endpoint logs, can we consolidate all those in single incident. So we dont have duplicates and reduce noise and same time can correlate different log sources for investigation.

ksrawat88 · November 6, 2023, 8:55pm

Bump…

leandrojmp · November 6, 2023, 9:34pm

You can, you need to have a data view that will point to all those data sources, and you also need that the field has the same name/mapping in all of those data sources.

For example assuming that you want to check for a source ip address, you would need to have the field source.ip in all the data sources.

ksrawat88 · November 13, 2023, 3:02pm

Thank you very much, does it works same for cross cluster (where we have multiple ELK clusters in different region ) can central ELK cluster still get correlate those logs from different clusters.?