Hello,
I installed ELK as a SIEM and it works nicely. The only problem is the correlation of different events, which does not come by default with ELK. According to my research, Logstash filters work for this job, but there is no decent documentation for it. My question is: is there a simple way to do this, like an engine or plug-in? If not, how can I find documentation about correlation on ELK (with Logstash or another way)? Also, logs can come from different sources, like a firewall and a server.
P.S. My structure: BEAT -> Logstash -> Elastic -> Kibana
Yes, for now you can look at using Logstash with, say, the memcache plugin to implement some correlations. See this blog post for some examples. In the future, we intend to have "correlation rules" (executed post-ingestion) that will be able to detect sequences of related events.
Can you give one-two examples of correlations so we get a sense of what you are looking for? Thanks!
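The keyed-store pattern the reply above refers to (first event writes a key with a TTL, a later event from another source looks it up), written out as an added stand-alone example in Python rather than as a Logstash pipeline. This is not code from the thread or from the blog post it links; the in-memory `TTLStore` stands in for memcached, the rule itself (a firewall deny followed by repeated login failures from the same source IP inside one window) is an assumed example rule, and the JSON events, IPs and field names are constructed for the demonstration.

```python
"""Cross-source event correlation with a keyed, TTL-bounded store.

Models what a Logstash memcached set/get pair does: a firewall deny
stores the source IP as a key; later server login failures from the
same IP look that key up and are counted while it is still live.
Hypothetical example, not Logstash's or the referenced blog's code.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class TTLStore:
    """Minimal stand-in for memcached: values expire after `ttl`."""
    ttl: timedelta
    _data: dict = field(default_factory=dict)

    def set(self, key, value, now):
        self._data[key] = (value, now + self.ttl)

    def get(self, key, now):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires = item
        if now >= expires:          # expired: drop it, behave like a miss
            del self._data[key]
            return None
        return value


# Constructed sample events (firewall + server) in arrival order.
SAMPLE_LOGS = [
    '{"@timestamp":"2024-05-01T10:00:00+00:00","source":"firewall","action":"deny","src_ip":"203.0.113.7","dst_port":22}',
    '{"@timestamp":"2024-05-01T10:00:05+00:00","source":"firewall","action":"deny","src_ip":"203.0.113.7","dst_port":3389}',
    '{"@timestamp":"2024-05-01T10:01:00+00:00","source":"server","event":"login_failure","src_ip":"203.0.113.7","user":"root"}',
    '{"@timestamp":"2024-05-01T10:01:10+00:00","source":"server","event":"login_failure","src_ip":"203.0.113.7","user":"admin"}',
    '{"@timestamp":"2024-05-01T10:01:20+00:00","source":"server","event":"login_failure","src_ip":"203.0.113.7","user":"deploy"}',
    # No prior firewall deny for this IP: not correlated.
    '{"@timestamp":"2024-05-01T10:02:00+00:00","source":"server","event":"login_failure","src_ip":"198.51.100.9","user":"root"}',
    # Deny, then a failure 17 minutes later: outside the 5-minute window.
    '{"@timestamp":"2024-05-01T10:02:30+00:00","source":"firewall","action":"deny","src_ip":"192.0.2.44","dst_port":22}',
    '{"@timestamp":"2024-05-01T10:20:00+00:00","source":"server","event":"login_failure","src_ip":"192.0.2.44","user":"root"}',
]


def correlate(lines, window_seconds=300, threshold=3):
    """Return one alert per source IP whose firewall deny is followed by
    `threshold` server login failures within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    denies = TTLStore(window)     # src_ip -> first deny event  (the "set" side)
    failures = TTLStore(window)   # src_ip -> failure count after that deny
    alerts = []
    for line in lines:
        ev = json.loads(line)
        now = datetime.fromisoformat(ev["@timestamp"])
        ip = ev["src_ip"]
        if ev["source"] == "firewall" and ev.get("action") == "deny":
            if denies.get(ip, now) is None:   # keep the first deny as the anchor
                denies.set(ip, ev, now)
        elif ev["source"] == "server" and ev.get("event") == "login_failure":
            deny = denies.get(ip, now)        # the "get" side of the correlation
            if deny is None:
                continue                      # no live prior event: nothing to join
            count = (failures.get(ip, now) or 0) + 1
            failures.set(ip, count, now)
            if count == threshold:            # fire exactly once per window
                alerts.append({
                    "rule": "fw_deny_then_login_failures",
                    "src_ip": ip,
                    "first_deny": deny["@timestamp"],
                    "failures": count,
                    "last_seen": ev["@timestamp"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(json.dumps(alert))
```

The TTL is what keeps this bounded: the store never grows past the set of IPs seen in the last window, and an old deny silently stops matching instead of pairing with unrelated failures hours later. In a Logstash pipeline the two branches would be a memcached `set` on the deny path and a memcached `get` (plus a tag or counter field) on the login-failure path, keyed on the same source-IP field.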