Good morning all. I am very new to Elastic and am looking for resources/insight on ingesting netflow from firewall logs and help with analysis. We are ingesting a few million events per day and I'd like to get to a point where not only do I get insight on the Netflow basics (top ports, destination, direction, etc.) but also we are doing advanced analysis like automating a search for beaconing.
Would anyone be willing to point me in the right direction?
We use ElastiFlow (https://docs.elastiflow.com) for Netflow/IPFIX/sFlow data from our network. Their collector supports a lot more fields than other options and pulls more detail out of those fields. They also provide around 30 pre-built dashboards that can be easily imported into Kibana, and if you have a Platinum Elasticsearch subscription they have 100+ anomaly detection jobs for Elastic's ML engine. These detect things like network attacks and performance problems. There is a free version and a commercial version depending on your needs.
The hardest part of setting up ElastiFlow is first setting up the Elastic Stack, and they provide a tutorial for that as well: https://docs.elastiflow.com/docs/elastic_install_ubuntu
IMO ElastiFlow is so far ahead of any other solution for working with netflow data using Elasticsearch that it is the clear and obvious choice. It's better than most purpose-built netflow products as well.