Extraction Elastic SIEM security events

Hi There,

Is there a possibility of extracting all the raw documents of Elasticsearch with respect to SIEM events? For example, if we have the rule name [Unusual Login Activity] and we have enabled this particular out-of-the-box rule in the SIEM app, we are able to see all the related events in the SIEM app and we could use the Timeline app for threat hunting (it's a wonderful place to play with security events and for correlation). But my question is: is it possible to extract those security events dynamically to an external source, maybe email or any other third-party destination (for log analysis)?

For example, if we have third-party cyber security consultants who want to review the logs without logging in to Kibana. Let's say we have 400 security events related to this rule in the last 24 hrs. How do we extract all these 400 events out of Elasticsearch?

Apart from this, I know we have the alerting feature to get an overview or insights of the incident, but I would like to extract all the 400 events out of Elasticsearch dynamically (if that incident occurs).

Please do suggest any ideas.

Regards,
Raj

I haven't done this before, personally, but the index the signals are stored in is:

.siem-signals-${space-id}

So if you're using the "default space" the index containing the signals would be:

.siem-signals-default

Know that you can use snapshots if you want to "move data" between isolated Kibana instances:

And you can set up a workflow for moving between isolated Kibana instances. However, if for some reason you don't want to do that and just want to instead export and clean up the data from your Kibana for a 3rd party with regards to signals, you can use one of the numerous open source tools out there that can do transforms against the index, such as:

(Caveat: I haven't used it before)

Or you can write some scripting in your choice of language or tooling such as Python, curl, Postman, etc... and use our APIs to extract and transform the signals how you would like to. We don't have a specific extract/transform of the signal events at the moment directly from the UI that I know of.
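
As an added example of the scripting approach described above (this is not code from the thread or from Elastic): a Python script that queries the .siem-signals-default index for one rule's signals over the last 24 hours, pages through them with search_after, and writes CSV for a reviewer who has no Kibana access. The field names signal.rule.name, signal.status, host.name and user.name, the es_search transport and the sample response are assumptions; the sample response is constructed so the script runs offline.

```python
import csv, io, json, urllib.request

SIGNALS_INDEX = ".siem-signals-default"   # default space, as named in the thread
# Assumed 7.x signal field names; adjust to your mapping if they differ.
COLUMNS = ["@timestamp", "signal.rule.name", "signal.status", "host.name", "user.name"]

def build_query(rule_name, lookback="now-24h", size=500):
    """Query DSL for one rule's signals in the lookback window, with a tie-broken
    sort so search_after can page past `size` hits deterministically."""
    return {"size": size, "_source": COLUMNS,
            "sort": [{"@timestamp": "desc"}, {"_id": "asc"}],
            "query": {"bool": {"filter": [
                {"term": {"signal.rule.name": rule_name}},
                {"range": {"@timestamp": {"gte": lookback, "lte": "now"}}}]}}}

def get_path(doc, dotted):
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return ""                      # missing field -> empty CSV cell
        doc = doc[part]
    return doc

def flatten_hit(hit):
    row = {col: get_path(hit.get("_source", {}), col) for col in COLUMNS}
    row["_id"] = hit["_id"]
    return row

def fetch_all_signals(search, rule_name, lookback="now-24h", page_size=500):
    """search(body) returns a parsed _search response; walk every page via search_after."""
    body, rows = build_query(rule_name, lookback, page_size), []
    while True:
        hits = search(body).get("hits", {}).get("hits", [])
        rows.extend(flatten_hit(h) for h in hits)
        if len(hits) < page_size:
            return rows
        body["search_after"] = hits[-1]["sort"]  # continue after the last hit's sort values

def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["_id"] + COLUMNS, lineterminator="\n")
    writer.writeheader(); writer.writerows(rows)
    return buf.getvalue()

def es_search(es_url, api_key, body):
    """Real transport (assumed): POST to <es_url>/.siem-signals-default/_search with an API key."""
    req = urllib.request.Request(f"{es_url}/{SIGNALS_INDEX}/_search", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample response (two signals, one without a user) for offline runs.
SAMPLE = {"hits": {"hits": [
    {"_id": "sig-1", "sort": [1600000000000, "sig-1"], "_source": {"@timestamp": "2020-09-13T12:26:40Z",
     "signal": {"rule": {"name": "Unusual Login Activity"}, "status": "open"},
     "host": {"name": "web-01"}, "user": {"name": "alice"}}},
    {"_id": "sig-2", "sort": [1599999000000, "sig-2"], "_source": {"@timestamp": "2020-09-13T12:10:00Z",
     "signal": {"rule": {"name": "Unusual Login Activity"}, "status": "open"}, "host": {"name": "web-02"}}}]}}

if __name__ == "__main__":
    print(rows_to_csv(fetch_all_signals(lambda body: SAMPLE, "Unusual Login Activity")))
```

Against a live cluster, pass `lambda body: es_search(ES_URL, API_KEY, body)` as the search callable; the API key only needs read access to the signals index.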

I agree with Frank, but if you want to stay in the Kibana world, you can try to do something like that:

  1. Create a .siem-signals-${space-id} index pattern in Kibana
  2. Create a KQL query and/or filters in the detection page to pick the events that you want; then you can save this query with the saved query functionality
  3. Go to Discover -> select your .siem-signals-${space-id} index pattern -> select your saved query -> you can export to a CSV file with the SHARE button

Apart from CSV, is there any way to schedule the export automatically in any other format, for only those events which triggered those particular events? For example, in this image we have events related to Unusual Login Activity.

Any help please?

You might be able to use some features from reporting for things outside of CSV such as a PDF:

But I am careful about talking about these parts of Kibana that I haven't done much work on just yet.