New SIEM infrastructure with Elasticsearch

I want to implement a new SIEM infrastructure for threat detection and incident response.
I would host the systems in our datacenter where all others servers are hosted.
I want to use beat to send logs from servers to SIEM app and with machine learning detect the network anomalies.
It' possible to use only one elasticsearch instance for machine learning and SIEM purpose or it's better to create a cluster with minimum 3 nodes even with a small infrastructure?

If there is any sense of business criticality I would suggest a small 3 node cluster for HA / Resliency

Thanks @stephenb .
I have another question. If I create a small 3 node cluster for SIEM purpose with platinum license, can I create another cluster with basic license to store for long time the events that become from SIEM app? If yes, what type of mechanism can I use to sync data?

I think that is a more complex topic for when you engage with the Sales / Solution Architecture team for a commercial agreement. In general the perspective is all nodes used to ingest and store production data would be considered part of the same use case... and thus all the nodes would require a commercial license. Please validate that with the commercial team when you engage.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.