Security settings for Elastic SIEM on-prem

Hi everyone,

I'm working on setting up a small Elastic cluster as a proof of concept for a SIEM, consisting of 3 Elasticsearch nodes, one Kibana node and one Logstash node.
I managed to get a working cluster without the security configuration for the Elasticsearch and Kibana nodes. So my next step is to secure the setup and get the full functionality of the SIEM working.

After reading the documentation, I'm wondering what settings I need for a minimal setup, as a lot of these settings seem optional.

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
https://www.elastic.co/guide/en/kibana/7.9/security-settings-kb.html

The blog post on a small business/home setup gave some great insight on how to set up role-based access for Kibana, but since it uses a cloud instance it doesn't explain the settings needed to secure the Elasticsearch cluster in an on-prem setup.

Is there any guide or blog post that covers the minimum settings needed to get a working on-prem SIEM?

Hi Johan, great to see that you're building a POC for Elastic SIEM.

Yes, as you noted, there are some Elasticsearch and Kibana security requirements in order to run this on-premises.

This section of the product documentation provides a good overview of what's needed:
https://www.elastic.co/guide/en/security/current/sec-requirements.html

(Note: that URL defaults to the latest Elastic Stack software version, currently 7.9. If you're using an older version, you can use this URL: https://www.elastic.co/guide/en/siem/guide/current/detection-engine-overview.html#detections-permissions, where you can just select your version at the top of that page to get the correct instructions for your version.)

You will see that in some of the subsections, it has additional requirements for on-prem deployments like yours.

FYI, here is a blog that contains a 7-minute video about enabling security on your Elastic Stack deployment. I found this really helpful in understanding what needs to be done and how to do it.

Looking forward to your feedback once you get the SIEM up and running!
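For readers landing on this thread looking for the concrete settings, here is an added example (not posted by either participant and not copied from the linked Elastic pages) of what an on-prem 7.9 Elasticsearch/Kibana pair typically needs before the detection engine will run: security enabled, TLS on both the transport and HTTP layers, Kibana talking to Elasticsearch over HTTPS with a dedicated user, Kibana itself served over HTTPS, and the two Kibana encryption keys. Cluster name, node names, hostnames, certificate paths and the placeholder key strings are assumptions; replace them with your own. Check the requirements page the reply links to for anything your version adds or drops.

```yaml
# elasticsearch.yml for one of the three nodes (assumed name es01; repeat on
# es02/es03 with their own node.name). Cluster name and hosts are assumptions.
cluster.name: siem-poc
node.name: es01
network.host: 0.0.0.0
discovery.seed_hosts: ["es01", "es02", "es03"]
cluster.initial_master_nodes: ["es01", "es02", "es03"]

# Switch on authentication, role-based access control and API keys.
xpack.security.enabled: true

# With security enabled, a multi-node cluster must encrypt node-to-node
# traffic. One PKCS#12 file (generated with elasticsearch-certutil) holds the
# node certificate, its key and the CA; the same file serves as truststore.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Encrypt the REST (HTTP) layer too, otherwise Kibana, Logstash and every
# user send basic-auth credentials in cleartext.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# The detection engine (Kibana alerting) authenticates its background
# work with API keys, so leave this on (it is only on by default when
# HTTP TLS is enabled, so set it explicitly).
xpack.security.authc.api_key.enabled: true
---
# kibana.yml (7.9). Paths and hostnames are assumptions.
server.host: "0.0.0.0"
server.name: "kibana-siem"

# Connect to every node over HTTPS as the built-in kibana_system user.
elasticsearch.hosts: ["https://es01:9200", "https://es02:9200", "https://es03:9200"]
elasticsearch.username: "kibana_system"
# Keep the password out of this file:
#   bin/kibana-keystore create && bin/kibana-keystore add elasticsearch.password
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
elasticsearch.ssl.verificationMode: full

# Serve Kibana itself over HTTPS (self-signed is fine for a POC).
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key

# Required by the detection engine: rule actions are stored as encrypted
# saved objects. 32+ random characters, identical on every Kibana instance;
# losing the key makes existing rules unreadable.
xpack.encryptedSavedObjects.encryptionKey: "replace-with-32-or-more-random-characters-1"
# Signs the Kibana session cookie; also 32+ random characters.
xpack.security.encryptionKey: "replace-with-32-or-more-random-characters-2"
```

Order of operations that goes with this: generate a CA and node certificates with `bin/elasticsearch-certutil ca` and `bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12`, store any PKCS#12 passphrases with `bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password` (and the matching truststore/HTTP entries) rather than in elasticsearch.yml, start the three nodes, then run `bin/elasticsearch-setup-passwords interactive` once to set the built-in user passwords, including the kibana_system one you put in the Kibana keystore. The Logstash node needs the same treatment on its elasticsearch output: point it at `https://` hosts, give it the CA file and a dedicated user with write privileges on the target indices instead of the `elastic` superuser. A quick check that the cluster really refuses unauthenticated cleartext access is `curl -k https://es01:9200` (expect HTTP 401) versus `curl --cacert ca.crt -u elastic https://es01:9200` (expect the cluster banner).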