Hi,
In SIEM systems events can be discard or filter to safe diskspace and avoid overloading SIEM from noisy events. This way SIEM resources can be managed at optimum levels.
For example windows event 5156 from all agents to be filtered or from specific agent.
How to achieve this from Elastic SIEM UI or some other manageable way ?
You can control what event is processed by Elastic by using Ingest pipelines | Elasticsearch Guide [7.12] | Elastic
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.