Elastic SIEM for MSSP

Hi All,

I have been trying to architect how I could use the Elastic SIEM in an MSSP environment where multiple clients would each have a collector (Logstash, Filebeat), and these would forward the logs to my main ELK stack.

I have been trying to use a different index per "client"; however, I am having difficulty finding out how to use a different index in Filebeat.

Have you seen such a use case?

Thank you,

Hi!

Looking at the Filebeat reference yml config, I see you can configure a different index, with some caveats: https://github.com/elastic/beats/blob/7b9c535b4a0b00d1af7490efb9e796e62293052e/filebeat/filebeat.reference.yml#L1156-L1159

The Elastic SIEM will have some standard index patterns for Beats, so as long as your new Filebeat index per client starts with filebeat-* and you update the setup.template.name and setup.template.pattern keys in the Filebeat config, everything should work.

Does this help?

-- Devin

Hi Devin,

Thanks for reaching back to me.

I think that would work, I will perform some tests.

However, you mentioned something that is true, and I am not sure if there is a way around it.

If I have multiple clients sending logs and storing them in different indices, e.g. filebeat-client1*, filebeat-client2* and so on, my view under the SIEM app would be a mix of all the indices, since it will search for filebeat*. Not sure if there is a solution at this moment for this scenario or if I should have an instance of SIEM per client.

Thank you very much.

For indices, I think that should be taken care of by index privileges. Each client will have their own user with privileges only on the indices storing their logs.

However, I'm not sure how to handle the Detections tab, as it only mentions privileges on .siem-signals-. My reading of the docs is that all signals will be stored in a single index, which means a client will probably be able to see signals from other clients.

Each kibana space will have its own signals index. So the default Kibana space has

.siem-signals-default

If you're not using spaces, then you only have .siem-signals-default.

So you can grant different permissions to each space and then to each signals index that carries that space's suffix. So you can create a different space for each customer, use that space for that particular customer, and give only that customer's users access to that particular space.

The rules are also tied to each space, so one space's rules will not show up in another space.

If you have a super admin that needs access across all of them, then it would be siem-signals-*, and you would also give it access to all the spaces.

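To make the two halves of this thread concrete (Devin's per-client Filebeat index with matching setup.template.* keys, and Frank's one-space-and-one-signals-index-per-customer model), here is an added example that is not from the thread or from Elastic's own code. It generates the Filebeat keys and the Elasticsearch role body for a client, then checks that no client's role can read another client's log or signals index. Assumptions, not facts from the thread: a Kibana space whose id equals the client name, the 7.x role API body shape with the Kibana application privilege feature_siem.all, the setup.ilm.rollover_alias caveat (when ILM is enabled, Filebeat ignores output.elasticsearch.index and writes through the rollover alias), and the sample index names, which are constructed.

```python
"""Per-client Filebeat index and role generation for an MSSP-style Elastic SIEM.

Added example; not from the thread or from Elastic. Assumes one Kibana space per
client (space id == client name), the 7.x Elasticsearch role API body shape, and
the Kibana feature id "siem". Verify both against the version you run.
"""
import fnmatch
import json

SIGNALS_PREFIX = ".siem-signals-"   # one signals index per Kibana space


def filebeat_settings(client: str) -> dict:
    """Filebeat keys that route one client's events into filebeat-<client>-*.

    The index must still begin with 'filebeat-' so the SIEM app's default
    index pattern picks it up; setup.template.name/pattern must change with
    the index name or Filebeat refuses to start (the caveat in the reference
    yml). The trailing hyphen matters: 'filebeat-client1-*' must not also
    cover 'filebeat-client10-*'.
    """
    name = f"filebeat-{client}"
    return {
        "output.elasticsearch.index": name + "-%{[agent.version]}-%{+yyyy.MM.dd}",
        "setup.template.name": name,
        "setup.template.pattern": name + "-*",
        # Assumption: with ILM enabled, Filebeat writes through this alias
        # and ignores output.elasticsearch.index.
        "setup.ilm.rollover_alias": name,
    }


def client_role(client: str) -> dict:
    """Body for PUT /_security/role/siem-<client> (assumed 7.x shape):
    read on the client's own log indices, read/write on its space's signals
    index, and SIEM feature access limited to its own Kibana space."""
    return {
        "indices": [
            {"names": [f"filebeat-{client}-*"],
             "privileges": ["read", "view_index_metadata"]},
            {"names": [SIGNALS_PREFIX + client],
             "privileges": ["read", "write", "view_index_metadata"]},
        ],
        "applications": [
            {"application": "kibana-.kibana",
             "privileges": ["feature_siem.all"],
             "resources": [f"space:{client}"]},
        ],
    }


def admin_role() -> dict:
    """The cross-tenant analyst role Frank describes: every filebeat-* and
    .siem-signals-* index, SIEM feature access in every space."""
    return {
        "indices": [
            {"names": ["filebeat-*"], "privileges": ["read", "view_index_metadata"]},
            {"names": [SIGNALS_PREFIX + "*"],
             "privileges": ["read", "write", "view_index_metadata"]},
        ],
        "applications": [
            {"application": "kibana-.kibana",
             "privileges": ["feature_siem.all"],
             "resources": ["*"]},
        ],
    }


def can_read(role: dict, index: str) -> bool:
    """Approximate index-privilege evaluation: does any 'read' grant in the
    role match this concrete index name? (ES uses the same glob semantics.)"""
    return any(
        "read" in grant["privileges"]
        and any(fnmatch.fnmatchcase(index, pattern) for pattern in grant["names"])
        for grant in role["indices"]
    )


def isolation_report(clients) -> list:
    """Check every client role against every other client's indices; returns
    the (role_owner, index) pairs that would leak across tenants."""
    leaks = []
    for owner in clients:
        role = client_role(owner)
        for other in clients:
            if other == owner:
                continue
            # Constructed sample index names for the other tenant.
            for idx in (f"filebeat-{other}-7.6.0-2020.03.01", SIGNALS_PREFIX + other):
                if can_read(role, idx):
                    leaks.append((owner, idx))
    return leaks


if __name__ == "__main__":
    for key, value in filebeat_settings("client1").items():
        print(f"{key}: {value}")
    print(json.dumps(client_role("client1"), indent=2))
    print("cross-tenant leaks:", isolation_report(["client1", "client10", "client2"]))
```

Run it stand-alone to get the Filebeat keys for one client and the role JSON to push with the role API; the isolation check is the part worth keeping in a deployment script, so that adding a tenant whose name is a prefix of another (client1 vs client10) cannot silently widen a glob.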

Neat!!
Thanks for clarifying.

Hi Frankm,

Awesome, thanks for the clarification and the input.

I will definitely try it and post here the results.

Thank you very much.