I have what is possibly an odd question but I'm new with elastic security/siem and thought I would ask.
Is it possible to have the elastic security read a different data stream or ingestion other than the agents?
For example I have a number of existing elastic streams that contain a ton of windows events, it would be awesome if there was a way to have this data ingested as opposed to using stand alone or fleet agents over https.
Is this even remotely possible?
Hey Roger, welcome back!
Have you already got your data ingested or need to figure out how to do that?
If you already have some custom indices or data streams with your data, you can add them into Data Sources, and Elastic Security will start using them:
All indices you specify in Data Sources or in Detection Rules must be ECS compliant.
No i have not yet added it this is what I was curious about.
I do not see the option you show in your image for "Data Sources" on my page.
I should mention perhaps that I'm using 7.9.x
There is an add data option in the upper left but that does not give me the index list yours does.
Additional add this was setup to use the default index and such for testing, i have changed all that and its now in its own index.
i have now installed 4 agents, all of which appear connected, yet have no data to speak of in the portal.
Also still cant quit figure out how to make it look at other indices even though i edited this in the "advanced" area and added the indices in question.
any pointers are appreciated as clearly something isn't registering with me from the reading.
The default list is in the Advanced settings tab then under the SIEM settings. You can add additional indices in that area. By default none of the rules will look at your new indices as they are hard coded to look at a specific set. You will need to duplicate each one you want and then add the indices as an option. It's tedious yes you'll see what I mean after the 10th one.
Just from many hours working with fleet and the agents do yourself a massive favor. Stop and upgrade to 7.13+. Don't even bother with 7.12 and lower there was a massive change in how 7.13 works with agents and you'll only end up duplicating work. Trust me that wasn't fun.
Alas, i cannot upgrade, long story, for the time being im locked into 7.9.
I am not sure what you mean by rules, though, what have i overlooked?
Rules = Detections. In the detection tab on the SIEM you'll have all the Elastic rules. You need to copy this can't recall on 7.9 if it's the same but go to detections, manage rules then on the 3 pipes on the right of the rule you can "duplicate". Open the duplicate you'll have a tab for "Custom Rules" that will be where it goes. Open the rule then click edit settings and you can add the custom index. You will need to do that for each one. Adding the default in Advanced will only make a couple of the rules run on your custom indices.
Word of caution don't use Fleet in 7.9 stick with the beats input method. Its listed as Beta and it's true to the name.
And of course i already used Fleet... Ultimately i would love to get this to read pre-existing indices with data from the same hosts if possible and bypass the need for the agents completely if that's possible. The data is already in ES, so i f i could do that i don't need to fight this at all.
But, i will check your post information and advise, thanks.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.