Event Correlation on ELK

alperensoydan · August 8, 2019, 6:47am

Hello,
I installed ELK as a SIEM and It works nicely. There is only one problem is that correlation of different events and it does not come default within ELK. According to my researches, Logstash filters work for this job but there is no decent document for it. My question is that: Is there a simple way for this job like an engine or plug-in? If it is not, how can I find a documentation about correlation on ELK? (with Logstash or another way) Also, logs can come from differebt sources like firewall and server.

P.S. My structure: BEAT -> Logstash -> Elastic -> Kibana

tudor · August 14, 2019, 12:59pm

Yes, for now you can look at using Logstash with, say, the memcache plugin to implement some correlations. See this blog post for some examples. In the future, we intend to have "correlation rules" (executed post-ingestion) that will be able to detect sequences of related events.

Can you give one-two examples of correlations so we get a sense of what you are looking for? Thanks!

alperensoydan · August 26, 2019, 12:07pm

Thank you for your answer. I am going to read this blog. Unfortunately, I do not have clear cases but when I get it, I will write here.

Best regards,

system · September 23, 2019, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Event Correlation Using ELK Elasticsearch	2	1414	December 19, 2019
Keeping same log events once instead of multiple time Logstash	6	900	July 29, 2020
Event Correlation Elasticsearch	4	997	January 26, 2021
Correlation in Elastic-SIEM SIEM	2	441	July 2, 2020
Event correlation in 7.7 SIEM elastic-stack-alerting	2	1492	June 18, 2020

Event Correlation on ELK

Related Topics