Integrate Events into Elastic SIEM

Hello guys,

I'm new to using the ELK Stack. I have been parsing log data from a Palo Alto firewall and Cisco Umbrella by using Logstash to index it into Elasticsearch. It was a difficult task, because I have no experience doing it. Now I can see the data properly indexed in Elasticsearch.
I also have logs from a Windows Server and Linux using Auditbeat, Winlogbeat and Filebeat.

The problem I have is that I only see data from Auditbeat, Filebeat and Winlogbeat in the SIEM app (Overview and Hosts), so I can only see data from Windows and Linux. I would also like to ingest the Palo Alto and Cisco Umbrella data to see it in Elastic SIEM, and also try to detect anomalies and threats in those logs.
Is it possible? What should I do?

I added the indices into `siem:defaultIndex`:
`apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, packetbeat-*, winlogbeat-*, umbrella, fortinet*, paloalto*`
But I still don't see data...

Thanks in advance for helping me.

Best Regards

Hey,

Did you remap the fields for Palo Alto and Cisco Umbrella to follow the ECS standard? (https://www.elastic.co/guide/en/ecs/current/index.html)

Once you do that and re-index the data, you should be able to see fields populate in the SIEM app.
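To make the remapping concrete, here is an added example of a Logstash pipeline that is not part of this thread or of any Elastic/Palo Alto product: it takes a PAN-OS TRAFFIC syslog line, splits the CSV body with the `csv` filter, and renames the columns onto ECS field names (`source.ip`, `destination.ip`, `event.action`, `event.category`, `observer.vendor`, ...) that the SIEM app's Hosts and Network views key off. The column list, the listening port, the timestamp format and the index name are assumptions about a PAN-OS traffic log and your environment; check your firewall version's CSV layout before reusing the column names.

```conf
# Added example (not from the original thread): Logstash pipeline that
# remaps Palo Alto TRAFFIC log columns onto ECS field names.
input {
  # Assumption: the firewall forwards syslog to Logstash on this port.
  syslog { port => 5514 }
}

filter {
  # The syslog input leaves the CSV body of the PAN-OS line in "message".
  # Column names below are an assumption for a PAN-OS traffic log.
  csv {
    source  => "message"
    columns => [ "future_use1", "receive_time", "serial", "type", "subtype",
                 "future_use2", "generated_time", "src", "dst", "natsrc", "natdst",
                 "rule", "srcuser", "dstuser", "app", "vsys", "from_zone", "to_zone",
                 "ingress_if", "egress_if", "log_profile", "future_use3", "session_id",
                 "repeat_count", "srcport", "dstport", "natsrcport", "natdstport",
                 "flags", "proto", "action" ]
  }

  if [type] == "TRAFFIC" {
    mutate {
      # Vendor column name -> ECS field (nested "[a][b]" syntax builds a.b).
      rename => {
        "src"       => "[source][ip]"
        "dst"       => "[destination][ip]"
        "srcport"   => "[source][port]"
        "dstport"   => "[destination][port]"
        "proto"     => "[network][transport]"
        "app"       => "[network][application]"
        "rule"      => "[rule][name]"
        "action"    => "[event][action]"
        "serial"    => "[observer][serial_number]"
        "from_zone" => "[observer][ingress][zone]"
        "to_zone"   => "[observer][egress][zone]"
      }
      # Ports must be numeric for ECS mappings and for range queries.
      convert => { "[source][port]" => "integer"  "[destination][port]" => "integer" }
      # Constant ECS fields the SIEM app uses to categorize the event.
      add_field => {
        "[event][kind]"      => "event"
        "[event][category]"  => "network"
        "[event][dataset]"   => "panos.traffic"
        "[observer][vendor]" => "Palo Alto Networks"
        "[observer][type]"   => "firewall"
      }
    }

    # event.outcome lets dashboards and rules separate allowed from denied flows.
    if [event][action] == "allow" {
      mutate { add_field => { "[event][outcome]" => "success" } }
    } else {
      mutate { add_field => { "[event][outcome]" => "failure" } }
    }

    # Use the firewall's own timestamp as @timestamp.
    # Assumed PAN-OS format: "2020/03/10 14:05:01".
    date {
      match  => [ "generated_time", "yyyy/MM/dd HH:mm:ss" ]
      target => "@timestamp"
    }

    mutate { remove_field => [ "future_use1", "future_use2", "future_use3" ] }
  }
}

output {
  elasticsearch {
    hosts => [ "http://localhost:9200" ]
    # Assumed index name; it matches the paloalto* pattern in siem:defaultIndex.
    index => "paloalto-%{+YYYY.MM.dd}"
  }
}
```

Two things to verify after a restart: the target index must have a mapping where `source.ip` and `destination.ip` are of type `ip` (an ECS index template does this; a dynamic mapping will make them keywords and the Network view will not use them), and the Kibana index pattern `paloalto*` must be refreshed so the new field names appear. A Cisco Umbrella pipeline follows the same shape with a `kv` filter and its own rename table.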

Thank you very much for answer.

To be honest, I don't know how to do it... I just tried to filter logs using Logstash and index them into Elasticsearch, but I didn't account for the ECS standard (I also didn't know about it).
What do I have to do to remap the fields to follow the ECS standard? Any tutorial or example? Do I have to do it using Logstash?

Regards,

@Gmexican14 I'm using Logstash to ingest both logs into Elasticsearch. I'm filtering them using kv/csv filters and then outputting directly to Elasticsearch.

Thank you very much

Thank you very much.

I will read the document and try it.

Regards
