Inserting Logs into SIEM

inteli · July 2, 2019, 12:24pm

Hi Guys,

the new elastic SIEM timeline feature looks amazing and I would like to use it for log analysis.
Unfortunately I don't have that much experience regarding ELK setup.

If i understand correctly it is only possible to use the SIEM functionality in combination with an input like Filebeat or Packet Beat.

In our use case we don't want to have a kind of "live" input. We want to add manually data (e.g. windows or linux log files) into the ELK-stack and analyze the data using the SIEM timeline functionality. Is that possible at the moment? I only found the possibility to import data directly by Filebeat or other stuff.

The overall aim would be to use the Elastic SIEM as a replacement for Timesketch (https://github.com/google/timesketch).

Thank you in advance and best greetings
Intelli

tudor · July 3, 2019, 10:12am

Hi,

The SIEM app and the Timeline can work with data produced outside of the Beats ecosystem as long as it is using ECS for the field names. ECS is our one big requirement, without adopting ECS I'm afraid that you won't find the app very useful, at least in its current form.

Note that you can make the SIEM app look at other index patterns besides the Beats ones, see the "SIEM default index" setting in Kibana Advanced Settings.

Finally, there is an experimental CSV/JSON/log import in Kibana, you can find it in Kibana Home (click the Kibana logo). This might be a good way to experiment before setting up Filebeat to import your logs.

inteli · July 3, 2019, 11:17am

Thank you!
That helps a lot.

Topic		Replies	Views
Configuring SIEM SIEM	3	826	August 2, 2019
Elastic SIEM - Adding more data SIEM	2	862	January 14, 2020
Integrate Events into Elastic SIEM SIEM	5	1236	April 19, 2020
Populating SIEM SIEM	2	454	August 12, 2020
ELK SIEM SIEM	4	487	September 22, 2020

Inserting Logs into SIEM

Related topics