Hello guys,
I'm new to using the ELK Stack. I have been parsing log data from Palo Alto Firewall and Cisco Umbrella using Logstash to index it into Elasticsearch. It was a difficult task, because I have no experience doing it. Now I can see the data properly indexed in Elasticsearch.
I also have logs from a Windows Server and Linux using Auditbeat, Winlogbeat and Filebeat.
The problem I have is I only see data from Auditbeat, Filebeat and Winlogbeat in the SIEM app (Overview and Hosts), so I can only see data from Windows and Linux. I would also like to ingest the Palo Alto and Cisco Umbrella data to see it in Elastic SIEM, and also try to detect anomalies and threats in those logs.
Is it possible? What should I do?
I added the indices to siem:defaultIndex:
apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, packetbeat-*, winlogbeat-*, umbrella, fortinet*, paloalto*
But I still don't see data...
Thanks in advance for helping me.
Best Regards