It is about the SIEM app on Kibana. I noticed that there are queries that run to fetch the data shown on the board in the SIEM app, and I was wondering if there is a way to change the query itself, because I have made some changes to the index and now that query is no longer working.
And I really don't want to have to change the data in the index again, because it will take a lot of time and a lot of indices would need to be reindexed, so any help would be great!
Thanks for your time.
Hi there @lusynda,
Thanks for taking some time to check out the SIEM app!
While there isn't currently a way to modify the queries the SIEM app runs, the good news is that the majority of the tables and visualizations have been designed to work with the Elastic Common Schema (ECS), and by following this format we can ensure your data is displayed throughout the SIEM app regardless of where it's coming from or how it's being ingested.
By default, the latest Beats will ship data that conforms to ECS, so that's a great way to get up and running. However, if you're using Logstash or have another means of ingesting data, I highly recommend checking out the following links for more details on getting your data to conform to ECS:
- Elastic Common Schema: How to Migrate Your Data (slides pdf)
- Integrating custom logs with ECS for Elastic SIEM (slides pdf)
- Blog post introducing ECS and its benefits
While I know this wasn't the answer you were hoping for, I hope the above links are able to provide some insight into how you might be able to leverage ECS and the SIEM app without too much effort.
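The approach the reply recommends (keep the SIEM app's queries as they are and make the data conform to ECS instead) comes down to renaming custom fields onto ECS field names at ingest time. The following is an added example, not code from the thread or from Elastic: it maps a constructed custom log document onto real ECS fields (source.ip, destination.port, host.name, user.name, event.action, event.category) and also emits the equivalent Elasticsearch ingest pipeline `rename` processors. The custom field names (ts, src_ip, hostname, ...) and the list of fields the check expects are assumptions made up for the example.

```python
"""Added example (not part of the original thread): reshape a custom log
document into ECS so the SIEM app's existing queries find the fields they
expect, and generate the matching ingest-pipeline rename processors.

Assumptions: the raw field names are a constructed sample; the ECS targets
are real ECS fields. The same renames could be written as a Logstash
`mutate { rename => { "src_ip" => "[source][ip]" } }` filter instead.
"""
from datetime import datetime, timezone

# Constructed custom-field -> ECS-field mapping (assumption for this example)
FIELD_MAP = {
    "ts": "@timestamp",
    "src_ip": "source.ip",
    "src_port": "source.port",
    "dst_ip": "destination.ip",
    "dst_port": "destination.port",
    "hostname": "host.name",
    "username": "user.name",
    "action": "event.action",
}

# Constructed sample document in the custom (non-ECS) shape
SAMPLE_RAW = {
    "ts": "1577836800",          # epoch seconds: 2020-01-01T00:00:00Z
    "src_ip": "10.0.0.5",
    "src_port": "51515",
    "dst_ip": "10.0.0.9",
    "dst_port": "443",
    "hostname": "web-01",
    "username": "alice",
    "action": "connection_accepted",
    "vendor_code": "X17",        # no ECS equivalent; kept under custom.*
}


def set_nested(doc, dotted, value):
    """Write value at a dotted path, creating intermediate objects as needed."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def get_nested(doc, dotted):
    """Read a dotted path; return None when any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_ecs(raw):
    """Translate a raw custom document into an ECS-shaped (nested) document."""
    ecs = {}
    for key, value in raw.items():
        target = FIELD_MAP.get(key)
        if target is None:
            # Unknown fields are preserved rather than dropped
            set_nested(ecs, f"custom.{key}", value)
            continue
        if target == "@timestamp":
            # ECS @timestamp is a date; convert epoch seconds to ISO 8601 UTC
            value = datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()
        elif target.endswith(".port"):
            value = int(value)  # ECS ports are numeric, not strings
        set_nested(ecs, target, value)
    # Categorisation fields that ECS-based views filter on
    event = ecs.setdefault("event", {})
    event["category"] = ["network"]
    event["kind"] = "event"
    return ecs


def missing_ecs_fields(ecs_doc, expected):
    """Return the expected ECS fields that the document does not carry.

    Use this as a pre-flight check before indexing: any field listed here
    is one a dashboard built on that field will silently show as empty.
    """
    return [f for f in expected if get_nested(ecs_doc, f) is None]


def to_ingest_pipeline():
    """Build the Elasticsearch ingest pipeline that applies FIELD_MAP.

    Each entry becomes a `rename` processor; `ignore_missing` keeps the
    pipeline from failing on documents that lack an optional field.
    """
    processors = [
        {"rename": {"field": src, "target_field": dst, "ignore_missing": True}}
        for src, dst in FIELD_MAP.items()
    ]
    return {"description": "custom log -> ECS (example)", "processors": processors}


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(SAMPLE_RAW), indent=2))
    print(json.dumps(to_ingest_pipeline(), indent=2))
```

Running the module prints the ECS document and the pipeline body; the pipeline can be stored with the `PUT _ingest/pipeline/<name>` API and referenced by the index or by `_update_by_query` to convert documents already in place rather than reindexing by hand.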