Hi @InnerJoin, Thanks for giving our SIEM solution a spin.
Let me try to address some of your questions.
Also, I'm new to the product but is it possible to add dashboards to the Security App? I can see several use cases where it would be beneficial for me to be able to make some links to AD users especially for phishing use cases where I don't generally have machine information but I have user information and I can link the user at that time to what machine they were logged into. I can also see the benefit for having the sign-in info for different cloud solutions (O365, Azure, AWS, etc.) which may be SAML integrated to AD users all in one place. I understand why this may not be shipped with that in place because that is a lot of use cases which are all probably different depending on implementation but if I can build it then can I add it to the app?
There's not currently a way to directly integrate existing Kibana dashboards into the Security App. This capability is currently under investigation for possible inclusion in a future release.
It sounds like you'd like to pivot from user to machine during the course of an investigation. Do you expect to have AD or other auth logs being ingested into the Elastic Stack as well? There may be other ways to perform this pivot within the app if the additional data is available for enrichment.
Also, is there anywhere I can look to see what the searches are for the Security app so that I can make sure that I match up any external alerts that I would like to make available to the hosts? I'm just not clear what the searches are in the app. I have found the place where indexes are specified but I don't know what fields the correlation is happening on for the various alerts.
Yes. Most charts, KPIs, and tables (aka widgets) in the SIEM/Security app have an "Inspect" button in the top right of the display that allows you to see the query that is used to populate the widget, like in this example.
And, the detection rules display their underlying queries in the Rule details view like this:
In addition, there's a handy reference page that describes all the fields that the SIEM app uses. You can find it here: https://www.elastic.co/guide/en/security/current/siem-field-reference.html
Hope this helps get you going!
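As an added illustration of the user-to-machine pivot discussed above (example code, not part of the reply or of the Elastic Security app), this sketch joins a user-only phishing alert against ingested AD logon events on the ECS `user.name` and `host.name` fields. All sample events, the `event.module` value and the `labels.candidate_hosts` key are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): ECS-style AD/auth logon events
# as they might be ingested into the Elastic Stack, keyed on user.name and host.name.
AUTH_LOGONS = [
    {"@timestamp": "2024-03-01T08:00:00Z", "event.action": "logon", "user.name": "alice", "host.name": "WS-101"},
    {"@timestamp": "2024-03-01T09:30:00Z", "event.action": "logon", "user.name": "alice", "host.name": "WS-202"},
    {"@timestamp": "2024-03-01T09:00:00Z", "event.action": "logon", "user.name": "bob",   "host.name": "WS-303"},
    {"@timestamp": "2024-03-01T12:00:00Z", "event.action": "logon", "user.name": "alice", "host.name": "WS-404"},
]

# Constructed phishing alert that only knows the user, not the machine.
PHISHING_ALERT = {
    "@timestamp": "2024-03-01T10:00:00Z",
    "event.kind": "alert",           # ECS value for externally generated alerts
    "event.module": "mail_gateway",  # assumed value for illustration only
    "user.name": "alice",
    "message": "User clicked a credential-harvesting link",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hosts_for_user(user: str, alert_time: str, logons, window=timedelta(hours=8)):
    """Hosts where `user` logged on within `window` before the alert, most recent first.
    Logons after the alert are excluded: they cannot explain where the user was at the time."""
    t = parse_ts(alert_time)
    hits = [d for d in logons
            if d.get("user.name") == user
            and t - window <= parse_ts(d["@timestamp"]) <= t]
    hits.sort(key=lambda d: parse_ts(d["@timestamp"]), reverse=True)
    return [d["host.name"] for d in hits]


def enrich_alert(alert: dict, logons) -> dict:
    """Return a copy of the alert with host.name filled from the user's most recent logon.
    All candidates are kept so an analyst can see when the pivot was ambiguous."""
    enriched = dict(alert)
    hosts = hosts_for_user(alert["user.name"], alert["@timestamp"], logons)
    if hosts:
        enriched["host.name"] = hosts[0]
        enriched["labels.candidate_hosts"] = ",".join(hosts)  # labels.* is ECS; key name assumed
    return enriched


if __name__ == "__main__":
    print(enrich_alert(PHISHING_ALERT, AUTH_LOGONS))
```

Once `host.name` is populated this way, the external alert carries the same field the app's host-centric views key on, which is the matching the question above was asking about.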