Event Correlation on ELK

alperensoydan · August 8, 2019, 6:47am

Hello,
I installed ELK as a SIEM and It works nicely. There is only one problem is that correlation of different events and it does not come default within ELK. According to my researches, Logstash filters work for this job but there is no decent document for it. My question is that: Is there a simple way for this job like an engine or plug-in? If it is not, how can I find a documentation about correlation on ELK? (with Logstash or another way) Also, logs can come from differebt sources like firewall and server.

P.S. My structure: BEAT -> Logstash -> Elastic -> Kibana

tudor · August 14, 2019, 12:59pm

Yes, for now you can look at using Logstash with, say, the memcache plugin to implement some correlations. See this blog post for some examples. In the future, we intend to have "correlation rules" (executed post-ingestion) that will be able to detect sequences of related events.

Can you give one-two examples of correlations so we get a sense of what you are looking for? Thanks!

alperensoydan · August 26, 2019, 12:07pm

Thank you for your answer. I am going to read this blog. Unfortunately, I do not have clear cases but when I get it, I will write here.

Best regards,

system · September 23, 2019, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Event Correlation Using ELK Elasticsearch	2	1419	December 19, 2019
Keeping same log events once instead of multiple time Logstash	6	902	July 29, 2020
Event Correlation Elasticsearch	4	1000	January 26, 2021
Getting event correlation of log data across different systems using elasticsearch Elasticsearch	1	1721	July 26, 2017
SIEM Event correlation with Elasticsearch and Logstash Elasticsearch elastic-stack-security	4	4606	March 14, 2019

Event Correlation on ELK

Related topics