PoC - Use ELK to aggregate multiple LogInsight Systems into one SOC

I've personally in the last 3-4 years been using Grafana+ELK for Log&Metric monitoring in running a large application platform, but have now changed internally to a position in Security & Operation Automation and am here trying to push for ELK usage across the board of hosting multi-tenant hybrid IT Operations of OnPrem VMware/Hyper-V, Azure, GCP, AWS, Kubernetes hosts+services as a replacement/enhancement of various monitoring platforms like SCOM, Nagios, CheckMK.

As a start I'm told to run a PoC for using ELK to possibly aggregate SOC data across multiple LogInsight systems, each with their own area of interest (production islands), to feature search&analysis across all the LogRhythm systems. We do also run a Graylog SIEM for selected customers, which further in time could possibly be moved to an ELK based system.

Would appreciate any hints to assist in building a successful PoC, TIA

Hi, sorry for the late reply. In general, I think your experience in using ELK for operations is going to apply well for setting up ELK as a SIEM as well.

A key requirement for using Elastic SIEM is to have the data formatted in ECS. This will make the current Elastic SIEM UI work and, in the near future, you will be able to take advantage of the built-in detection rules and dashboards that we will be providing.

This means that if you are importing data from non-Beats sources, you need to figure out how to transform it in ECS. You would typically do that with Ingest Node or Logstash pipelines.

To set up a quick PoC for Elastic SIEM, see this guide. Let us know if you have any specific questions on that.
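As an added illustration of the ECS point in the reply above (this is example code, not from the thread and not Elastic's own code): the function below maps a forwarded log event onto ECS field names and enriches a recognised sshd authentication failure with `event.category`, `event.outcome`, `user.name` and `source.ip`, which is what the SIEM UI and detection rules key on. The same mapping is then expressed as an Elasticsearch ingest pipeline definition. The input field names (`timestamp`, `hostname`, `source`, `text`) and the sample event are assumptions constructed for the example, not Log Insight's real export format.

```python
"""Map a forwarded log event onto ECS, in Python and as an ingest pipeline.

The input shape (timestamp in epoch ms, hostname, source, text) is an
assumption for illustration, not vRealize Log Insight's actual format.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample event; field names are assumed for this example.
SAMPLE_EVENT = {
    "timestamp": 1577880000000,  # epoch milliseconds, assumed
    "hostname": "web01.example.internal",
    "source": "10.0.0.15",  # IP of the forwarder that relayed the line
    "text": "sshd[1234]: Failed password for invalid user admin "
            "from 203.0.113.7 port 5222 ssh2",
}

# Recognise one common message shape so it can be tagged as an auth failure.
SSHD_FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def to_ecs(event: dict) -> dict:
    """Return an ECS-shaped document for one source event."""
    ts = datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "ecs": {"version": "1.4.0"},
        "event": {"original": event["text"], "kind": "event",
                  "dataset": "loginsight.syslog"},
        "host": {"name": event["hostname"]},
        "observer": {"ip": event["source"]},  # the relay, not the attacker
        "message": event["text"],
    }
    m = SSHD_FAILED.search(event["text"])
    if m:  # enrich only messages we can parse; everything else stays raw
        doc["event"].update({"category": ["authentication"], "type": ["start"],
                             "action": "ssh_login", "outcome": "failure"})
        doc["process"] = {"name": "sshd", "pid": int(m.group("pid"))}
        doc["user"] = {"name": m.group("user")}
        doc["source"] = {"ip": m.group("ip"), "port": int(m.group("port"))}
    return doc


def ingest_pipeline() -> dict:
    """The same mapping as an Elasticsearch ingest pipeline body (PUT _ingest/pipeline/<id>)."""
    grok = (r"sshd\[%{NUMBER:process.pid:int}\]: Failed password for "
            r"(invalid user )?%{NOTSPACE:user.name} from %{IP:source.ip} "
            r"port %{NUMBER:source.port:int}")
    return {
        "description": "Forwarded syslog to ECS (example pipeline)",
        "processors": [
            {"date": {"field": "timestamp", "formats": ["UNIX_MS"],
                      "target_field": "@timestamp"}},
            {"remove": {"field": "timestamp"}},
            {"rename": {"field": "hostname", "target_field": "host.name"}},
            # rename 'source' first so grok can later populate source.ip
            {"rename": {"field": "source", "target_field": "observer.ip"}},
            {"set": {"field": "event.original", "value": "{{{text}}}"}},
            {"rename": {"field": "text", "target_field": "message"}},
            {"set": {"field": "event.dataset", "value": "loginsight.syslog"}},
            {"set": {"field": "ecs.version", "value": "1.4.0"}},
            {"grok": {"field": "message", "patterns": [grok],
                      "ignore_failure": True}},
            {"set": {"if": "ctx.source?.ip != null",
                     "field": "event.category", "value": ["authentication"]}},
            {"set": {"if": "ctx.source?.ip != null",
                     "field": "event.outcome", "value": "failure"}},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(to_ecs(SAMPLE_EVENT), indent=2))
    print(json.dumps(ingest_pipeline(), indent=2))
```

The Python form is handy for unit-testing the mapping offline before committing to a pipeline; the ingest pipeline body is what you would load into the cluster and reference from the index or Logstash output so every tenant's Log Insight feed lands in the same ECS shape.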

Thanks, will look into this guide. If any more specific hints are available on how to map LogInsight data into ECS, please let me know, TIA.

PS! What's Andrew Shanks' position w/Elastic these days?
