the new elastic SIEM timeline feature looks amazing and I would like to use it for log analysis.
Unfortunately I don't have that much experience regarding ELK setup.
If I understand correctly it is only possible to use the SIEM functionality in combination with an input like Filebeat or Packetbeat.
In our use case we don't want to have a kind of "live" input. We want to manually add data (e.g. Windows or Linux log files) into the ELK stack and analyze the data using the SIEM timeline functionality. Is that possible at the moment? I only found the possibility to import data directly by Filebeat or other stuff.
The SIEM app and the Timeline can work with data produced outside of the Beats ecosystem as long as it is using ECS for the field names. ECS is our one big requirement, without adopting ECS I'm afraid that you won't find the app very useful, at least in its current form.
Note that you can make the SIEM app look at other index patterns besides the Beats ones, see the "SIEM default index" setting in Kibana Advanced Settings.
Finally, there is an experimental CSV/JSON/log import in Kibana, you can find it in Kibana Home (click the Kibana logo). This might be a good way to experiment before setting up Filebeat to import your logs.
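As an added illustration of the ECS requirement described in the answer (this is example code, not Elastic's own tooling): the script below turns constructed Linux sshd auth lines into ECS-shaped documents and packs them into an Elasticsearch `_bulk` body. The index name, the ECS version string and the year supplied for the year-less syslog timestamps are all assumptions.

```python
"""Convert constructed Linux auth.log sshd lines into ECS documents for manual indexing."""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "Oct 12 08:15:02 web01 sshd[2411]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Oct 12 08:16:44 web01 sshd[2419]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def to_ecs(line: str, year: int = 2019) -> dict:
    """Return a nested ECS document for one sshd line; raise ValueError if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    # syslog carries no year, so the caller supplies one (assumption for this example)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "ecs": {"version": "1.1.0"},  # assumed ECS version
        "host": {"name": m["host"]},
        "process": {"name": m["proc"], "pid": int(m["pid"])},
        "event": {"kind": "event", "module": "system", "dataset": "system.auth"},
        "message": m["msg"],
    }
    s = SSHD_RE.match(m["msg"])
    if s:  # only sshd login attempts get the authentication-specific ECS fields
        success = s["result"] == "Accepted"
        doc["event"].update({"category": "authentication", "action": "ssh_login",
                             "outcome": "success" if success else "failure"})
        doc["user"] = {"name": s["user"]}
        doc["source"] = {"ip": s["ip"], "port": int(s["port"])}
    return doc


def to_bulk_ndjson(lines, index="logs-manual-auth", year=2019) -> str:
    """Build a newline-delimited _bulk body (action line + document per input line)."""
    out = []
    for line in lines:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(to_ecs(line, year)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_bulk_ndjson(SAMPLE_LINES))
```

The resulting body can be POSTed to the cluster's `_bulk` endpoint; the chosen index name then has to be added to the "SIEM default index" setting mentioned above before the SIEM app will read it.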