I have been tasked with creating a SIEM for my company.
First off, the header for this section is "Integrate free and open SIEM, and endpoint, to prevent, detect, and respond to threats" (I added the emphasis on free).
While researching the Elastic Stack, including Elastic Security, I found time and time again that most, if not all, features were gated behind purchasing Elastic premium. Maybe I found the wrong documentation page, but I would sincerely appreciate being pointed in the right direction.
My second question may also be rendered moot by the first; however, I'll ask it anyway: how would one track logins on Mac using Auditbeat? I have seen a way to do it with Filebeat, but I was hoping to keep it to just Auditbeat. I also saw that Elastic Agent could potentially do this as well, but again, that seems to be gated behind Elastic premium.
The one point of Mac login data that I do have is the login process starting and stopping. How would I convert that to successful and failed login attempts, if that is even possible?
For reference, I am starting out with logging just on Mac, but we are hoping to expand to both Linux and Windows, though Mac is our primary use case. We are also not hosting our own ELK stack (and not using Elastic Cloud), though we should be able to do any necessary configuration.
Please let me know if I left out any important information, or you need any clarification about anything.