Hello *,
I'm currently investigating whether we can replace "GFI EventsManager" with an Elastic stack.
The GFI EM is not actively developed anymore and the latest version is from 2013.
In our project we're switching to Windows 10 soon and if possible, I'd like to give the recommendation to get rid of GFI EM and replace it with Elasticsearch + Kibana + X-Pack. I've played around privately with Elastic stacks for roughly a year now, and while it suits the needs I had at home, for the project it may be a different story.
There is a very specific security requirement that needs to be met (for which we used GFI EM) and it outgrows what I've done with the Elastic stacks before.
tl;dr
Is it possible to fulfill the following needs with an Elastic stack + X-Pack?
(1) Monitor Windows logs for specific security violations and check the number of violations against each user over a certain timespan, e.g. 2 months (I know the first part is possible, but is the second part possible as well, when combined with point (2))?
(2) After a certain number of violations, a warning shall be sent to the user (not via e-mail, the system is not connected to the Internet or an Intranet, we'd use msg.exe) and after an additional number of violations, the user account shall be locked out (that means running e.g. a PowerShell script).
(3) Backup and archive the gathered logs in a CSV file every Sunday (I know a CSV export is now possible in Kibana, but can it be automatically downloaded, i.e. not doing it via the web interface)?
I don't need detailed explanations for the three points (although don't hold back with tips if you want), but if someone tells me that one of the points is not feasible with an Elastic stack + X-Pack, it would save me a lot of time and I can avoid a dead end.
Thanks in advance and best regards!
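Added example (not from the original post or from Elastic): a Python sketch of the per-user counting and escalation in points (1) and (2). It assumes Winlogbeat-style field names (@timestamp, user.name, winlog.event_id), a placeholder event ID 4625 standing in for the real "security violation" events, and constructed thresholds; build_violation_query produces the aggregation a Watcher search input could run, and decide_actions replays the same count-then-escalate logic offline over constructed events.

```python
from datetime import datetime, timedelta
# Field names assume Winlogbeat's ECS-style mapping (@timestamp, user.name,
# winlog.event_id); adjust them to whatever your shipper actually emits.
VIOLATION_EVENT_IDS = [4625]  # constructed placeholder for "specific security violations"
WINDOW_DAYS, WARN_AFTER, LOCK_AFTER = 60, 3, 5  # ~2 months; constructed thresholds

def build_violation_query(window_days=WINDOW_DAYS, min_count=WARN_AFTER):
    """Search body a Watcher 'search' input could run: violations per user in
    the window, keeping only users at or above min_count (bucket_selector)."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"winlog.event_id": VIOLATION_EVENT_IDS}},
            {"range": {"@timestamp": {"gte": f"now-{window_days}d"}}},
        ]}},
        "aggs": {"per_user": {
            "terms": {"field": "user.name", "size": 1000},
            "aggs": {"enough": {"bucket_selector": {
                "buckets_path": {"n": "_count"},
                "script": f"params.n >= {min_count}",
            }}},
        }},
    }

def decide_actions(events, now, window_days=WINDOW_DAYS,
                   warn_after=WARN_AFTER, lock_after=LOCK_AFTER):
    """Offline stand-in for that aggregation: count in-window violations per
    user and map the count to the escalation step the post describes."""
    cutoff = now - timedelta(days=window_days)
    counts = {}
    for ev in events:  # timestamps here are datetime.isoformat() strings
        if ev["winlog.event_id"] in VIOLATION_EVENT_IDS and \
                datetime.fromisoformat(ev["@timestamp"]) >= cutoff:
            counts[ev["user.name"]] = counts.get(ev["user.name"], 0) + 1
    actions = {}
    for user, n in counts.items():
        if n >= lock_after:
            actions[user] = "lock"  # e.g. hand off to the PowerShell lockout script
        elif n >= warn_after:
            actions[user] = "warn"  # e.g. msg.exe to the user's session
    return actions

def run_demo(now=datetime(2024, 6, 1)):
    """Constructed sample: alice 5 recent, bob 3 recent, carol 4 but stale."""
    def ev(user, days_ago):
        return {"@timestamp": (now - timedelta(days=days_ago)).isoformat(),
                "user.name": user, "winlog.event_id": 4625}
    events = ([ev("alice", d) for d in range(5)] + [ev("bob", d) for d in range(3)]
              + [ev("carol", 70 + d) for d in range(4)])
    return decide_actions(events, now)  # -> {"alice": "lock", "bob": "warn"}
```

Stale events outside the window (carol) drop out, which is the behaviour the "over a certain timespan" requirement needs; in a real Watcher the lock/warn branches become separate actions gated on the bucket count.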