Populating SIEM

I am relatively new to Elastic SIEM. I have done some formal training with Elastic (2-day entry course) along with the online SIEM fundamentals course. I am also a certified GIAC GCDA. Our operations team has primarily been using Elastic for some time and we have our own RBAC setup dedicated for security. The Elastic stack itself has a lot of data in it, which is mainly being taken in from Winlogbeat agents. I would like to take a look at the SIEM module for Windows event logs based on already indexed data in Elastic, but when I go to SIEM it doesn't recognise that the Elastic stack already has lots of data from Winlogbeat. When I go to the SIEM module it prompts me to add data from the various apps. Any idea what I need to do in order to get the already ingested data in Elastic to appear in the SIEM dashboard?

Thanks

Hi @darkbeatz.

The SIEM app, including all its pages (e.g., Hosts, Network, Detections), expects data to be normalized to the Elastic Common Schema (ECS). One common reason for data not appearing in SIEM tables is that the data is not in ECS format.

ECS is an open source specification, developed with support from the Elastic user community. ECS defines a common set of fields to be used when storing event data in Elasticsearch. The goal of ECS is to enable and encourage users of Elasticsearch to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.

You can read about ECS in the documentation. And to see which ECS fields are used by the SIEM app, check out this reference page.

It is likely that your Winlogbeat deployment is acting as a simple transport mechanism for events, but not mapping them to ECS, and hence your SIEM app is not populating. We provide Winlogbeat modules which automatically map your Windows Security and Sysmon events to ECS.

For migrating your existing data to ECS, please see this blog post, which outlines the various options available.

I hope that helps and if you have any follow up questions please let us know!

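To make the reply's point concrete, here is an added example (not code from the original thread, and not Elastic's own module or pipeline code) showing what "mapping to ECS" means for one Windows Security event and why a non-ECS index looks empty to the SIEM app. The legacy field names in `LEGACY_EVENT` are a constructed sample in the style of pre-ECS Winlogbeat output, the `SECURITY_ACTIONS` table is an assumed subset of event IDs, and `REQUIRED_ECS` is an assumed minimum set of fields, not a list taken from the SIEM app. In practice the Winlogbeat security/sysmon modules, or an ingest pipeline applied during a reindex, do this mapping for you.

```python
"""Added illustration of ECS normalization for a Winlogbeat event.

Not Elastic's code: the Winlogbeat modules or an ingest pipeline do this
for real. Legacy field names, SECURITY_ACTIONS and REQUIRED_ECS are
assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from typing import Any

# Constructed sample: a Security event shipped without a module enabled,
# so nothing lives under host.*, event.*, user.* or source.*.
LEGACY_EVENT = {
    "@timestamp": "2020-03-10T09:12:44.000Z",
    "event_id": 4625,
    "computer_name": "WS01.corp.example",
    "log_name": "Security",
    "source_name": "Microsoft-Windows-Security-Auditing",
    "record_number": "884211",
    "event_data": {
        "TargetUserName": "jsmith",
        "TargetDomainName": "CORP",
        "LogonType": "3",
        "IpAddress": "10.20.30.40",
        "Status": "0xc000006d",
    },
}

# Security event ID -> (event.action, event.outcome, event.type).
# Assumed subset; the real modules cover far more IDs.
SECURITY_ACTIONS = {
    4624: ("logged-in", "success", "start"),
    4625: ("logon-failed", "failure", "start"),
    4634: ("logged-out", "success", "end"),
}

# Assumed minimum ECS fields for a host to show up in the SIEM Hosts page.
REQUIRED_ECS = ("@timestamp", "host.name", "event.category", "event.code")


def _set(doc: dict, dotted: str, value: Any) -> None:
    """Store value under a dotted ECS path such as 'host.name'."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def _get(doc: dict, dotted: str) -> Any:
    """Read a dotted path; None if any segment is missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_ecs(raw: dict) -> dict:
    """Map one legacy Winlogbeat Security event onto ECS field names."""
    ecs: dict = {"@timestamp": raw["@timestamp"]}
    code = int(raw["event_id"])
    data = raw.get("event_data") or {}

    # Generic event.*/host.*/winlog.* fields; raw XML data moves under
    # winlog.event_data instead of the top level.
    _set(ecs, "event.kind", "event")
    _set(ecs, "event.code", str(code))
    _set(ecs, "event.provider", raw.get("source_name"))
    _set(ecs, "host.name", raw["computer_name"].lower())
    _set(ecs, "winlog.channel", raw.get("log_name"))
    _set(ecs, "winlog.provider_name", raw.get("source_name"))
    _set(ecs, "winlog.record_id", raw.get("record_number"))
    _set(ecs, "winlog.event_data", dict(data))

    # Logon target becomes user.*; "-" is the Windows empty marker.
    if data.get("TargetUserName", "-") != "-":
        _set(ecs, "user.name", data["TargetUserName"])
    if data.get("TargetDomainName", "-") != "-":
        _set(ecs, "user.domain", data["TargetDomainName"])

    # Only emit source.ip when it parses, so "-" or a hostname never
    # lands in an ip-typed field and causes a mapping conflict.
    ip = data.get("IpAddress")
    if ip:
        try:
            _set(ecs, "source.ip", str(ipaddress.ip_address(ip)))
        except ValueError:
            pass

    # Categorisation is what the Hosts/Detections pages filter on;
    # unknown IDs are left uncategorised so the check below flags them.
    if code in SECURITY_ACTIONS:
        action, outcome, etype = SECURITY_ACTIONS[code]
        _set(ecs, "event.category", ["authentication"])
        _set(ecs, "event.type", [etype])
        _set(ecs, "event.action", action)
        _set(ecs, "event.outcome", outcome)
    return ecs


def missing_siem_fields(doc: dict) -> list[str]:
    """REQUIRED_ECS fields absent from doc, in REQUIRED_ECS order."""
    return [f for f in REQUIRED_ECS if _get(doc, f) is None]


if __name__ == "__main__":
    print("legacy event is missing:", missing_siem_fields(LEGACY_EVENT))
    print("ECS event is missing:", missing_siem_fields(to_ecs(LEGACY_EVENT)))
```

Running `missing_siem_fields` against the raw document shows the SIEM-relevant fields the app cannot find, which is exactly the symptom in the question; after `to_ecs` the same check comes back empty. An event ID outside the mapping table still ends up without `event.category`, which is the same class of gap you get when only part of your data goes through the modules.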
