Is there a possibility of extracting all the raw documents from Elasticsearch with respect to SIEM events? For example, if we have a rule named [Unusual Login Activity] and we have enabled this particular out-of-the-box rule in the SIEM app, and we are able to see all the related events in the SIEM app and can use the Timeline app for threat hunting (it's a wonderful place to play with security events and for correlation), my question is: is it possible to extract those security events dynamically to an external source, maybe email or any other third-party destination (for log analysis)?
For example, if we have third-party cyber security consultants who want to review the logs without logging in to Kibana. Let's say we have 400 security events related to this rule in the last 24 hrs. How do we extract all these 400 events out of Elasticsearch?
Apart from this, I know we have the alerting feature to get an overview or insights of the incident, but I would like to extract all the 400 events out of Elasticsearch dynamically (if that incident occurs).
I haven't done this before, personally, but the index the signals are stored in is:
.siem-signals-${space-id}
So if you're using the "default space" the index containing the signals would be:
.siem-signals-default
Know that you can use snapshots if you want to "move data" between isolated Kibana instances:
And you can set up a workflow for moving between isolated Kibana instances. However, if for some reason you don't want to do that and instead just want to export and clean up the signal data from your Kibana for a third party, you can use one of the numerous open-source tools out there that can do transforms against the index, such as:
(Caveat I haven't used it before)
Or you can write some scripting in your choice of language or tooling, such as Python, curl, Postman, etc., and use our APIs to extract and transform the signals however you would like. We don't have a specific extract/transform of the signal events directly from the UI at the moment that I know of.
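The scripted route mentioned in the answer above, worked through as an added example (this is not Elastic's code or anything shipped with the SIEM app): it queries the `.siem-signals-default` index for every signal one rule produced in the last 24 hours, pages through all of them with the scroll API, and flattens them to CSV for a reviewer who has no Kibana login. Field names such as `signal.rule.name`, `signal.status` and the ECS fields of the original event (`user.name`, `source.ip`, `host.name`, `event.action`) are assumptions based on the 7.x signal document layout, and the sample hits at the bottom are constructed, not real cluster output. The script also assumes you create an API key for a role that only has `read` on `.siem-signals-*`, rather than handing the consultant (or the cron job) a superuser credential.

```python
"""Pull one rule's signals from .siem-signals-<space> and flatten them to CSV
for a reviewer with no Kibana login. Added example, not Elastic tooling; it
assumes the 7.x signal layout (signal.rule.name, signal.status, @timestamp,
the original event's ECS fields at top level) and an API key whose role has
only the read privilege on .siem-signals-*."""
import csv
import io
import json
import os
import ssl
import sys
import urllib.request
from typing import Any, Dict, Iterator, List

SIGNALS_INDEX = ".siem-signals-default"  # ".siem-signals-<space-id>" elsewhere
COLUMNS = ["@timestamp", "rule", "status", "severity", "user", "source_ip",
           "host", "event_action", "signal_id"]


def build_query(rule_name: str, hours: int = 24, status: str = "open",
                size: int = 500) -> Dict[str, Any]:
    """Query DSL for one rule's signals in the trailing window. signal.rule.name
    is a keyword field, so the term filter is an exact, case-sensitive match."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "asc"}}],
        "query": {"bool": {"filter": [
            {"term": {"signal.rule.name": rule_name}},
            {"term": {"signal.status": status}},
            {"range": {"@timestamp": {"gte": f"now-{hours}h", "lte": "now"}}},
        ]}},
    }


def iter_signals(base_url: str, api_key: str, body: Dict[str, Any],
                 cafile=None) -> Iterator[Dict[str, Any]]:
    """Page through every hit with the scroll API so a noisy day is not cut
    silently at the 10,000-hit from/size ceiling. TLS stays verified; pass
    cafile for a private CA instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"Authorization": f"ApiKey {api_key}",
               "Content-Type": "application/json"}

    def call(method: str, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(base_url + path, method=method,
                                     data=json.dumps(payload).encode(),
                                     headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    page = call("POST", f"/{SIGNALS_INDEX}/_search?scroll=2m", body)
    scroll_id = page.get("_scroll_id")
    try:
        while page["hits"]["hits"]:
            yield from page["hits"]["hits"]
            page = call("POST", "/_search/scroll",
                        {"scroll": "2m", "scroll_id": scroll_id})
            scroll_id = page.get("_scroll_id")
    finally:
        if scroll_id:  # release the scroll context on the cluster
            call("DELETE", "/_search/scroll", {"scroll_id": scroll_id})


def flatten(hit: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the review-relevant fields out of one signal document."""
    src = hit["_source"]
    sig = src.get("signal", {})
    return {
        "@timestamp": src.get("@timestamp"),
        "rule": sig.get("rule", {}).get("name"),
        "status": sig.get("status"),
        "severity": sig.get("rule", {}).get("severity"),
        "user": src.get("user", {}).get("name"),
        "source_ip": src.get("source", {}).get("ip"),
        "host": src.get("host", {}).get("name"),
        "event_action": src.get("event", {}).get("action"),
        "signal_id": hit["_id"],
    }


def to_csv(rows: List[Dict[str, Any]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _hit(doc_id, ts, user, ip, host):  # constructed sample, not real output
    return {"_id": doc_id, "_source": {
        "@timestamp": ts, "user": {"name": user}, "source": {"ip": ip},
        "host": {"name": host}, "event": {"action": "logged-in"},
        "signal": {"status": "open",
                   "rule": {"name": "Unusual Login Activity", "severity": "medium"}}}}


SAMPLE_HITS = [_hit("a1", "2020-05-01T01:02:03.000Z", "svc-backup", "198.51.100.23", "web-01"),
               _hit("b2", "2020-05-01T01:09:44.000Z", "jdoe", "203.0.113.7", "vpn-gw")]

if __name__ == "__main__":
    rule = sys.argv[1] if len(sys.argv) > 1 else "Unusual Login Activity"
    if "ES_API_KEY" in os.environ:  # live run against the cluster
        hits = iter_signals(os.environ.get("ES_URL", "https://localhost:9200"),
                            os.environ["ES_API_KEY"], build_query(rule))
    else:  # offline demonstration on the constructed sample
        hits = SAMPLE_HITS
    sys.stdout.write(to_csv([flatten(h) for h in hits]))
```

Run it as `ES_URL=https://es.example:9200 ES_API_KEY=<base64 id:key> python export_signals.py "Unusual Login Activity" > signals.csv` from a cron job and mail or upload the file; without the environment variables it just prints the constructed sample. The `signal.status` filter defaults to `open`, so signals already closed in the SIEM app are not exported; drop that filter if the reviewer should see everything. Because the term filter is exact, the rule name must match the SIEM rule list character for character.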
Apart from CSV, is there any way to schedule (export) it automatically in any other format, only those events which triggered those particular events? (For example, in this image we have events related to Unusual Login Activity.)