Configuring SIEM

Hello all,

I have been playing with ELK for a month now, and I want to setup alerting rules based on failed attempts or so. For now, I have only found ElastAlert on github.

Recently, I heard that there is a new functioality which is SIEM.

I tried to works with it but I was not able to get any data in SIEM. However, I can see data in Discover! I tried using the elasticsearch filebeat module.

Do I need to disable logstash ? Only filebeat -> elasticsearch -> kibana ?

Reference: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-logstash.html

Any hint is welcome!

Sorry for the late reply. The requirement for data to show up in SIEM is for it to be formatted as ECS. If you use Beats > 7.0 your data should already be formatted as ECS.

Easiest way to populate the SIEM app is to run Auditbeat on your hosts.

Using Logstash should be fine as long as you load the templates and use the recommended logstash config, see this docs page.

A couple of questions:

  • What Filebeat version do you use?
  • In which index does the data end up in ES? Is it filebeat-* or logstash-*?
  • What types of logs are you ingesting?

I use the latest version of filebeat.
I solve my problem using Logstash but It would have been better if I could have use directly filebeat into SIEM in Kibana with a correct parsing !

I want to make alerting on ssh brute-force, and anti-virus log.
My index is filebeat-*

Thanks :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.