SIEM doesn't show any Winlogbeat events, despite ES receiving them

Elastic Security SIEM
9

Hi @aura, as you've discovered, it seems that some of your fields are not being mapped to the correct Elasticsearch datatypes. Elastic Common Schema (ECS) specifies that fields such as host.name must be of the keyword datatype. Indeed, as you've also discovered, Elastic SIEM relies specifically on host.name to be present as a condition for populating many visualizations with host data.

I'm not sure how familiar you are with Elasticsearch mapping and index templates, as they can be challenging. The ECS GitHub repository provides an example template here.

FYI, we've been pulling together some additional notes about ECS fields required to use Elastic SIEM. We hope these might be helpful as you add additional data sources to your SIEM.

Notes for Elastic SIEM users

The Elastic SIEM app queries, filters, aggregates, and/or displays a growing list of ECS fields. For an optimal experience with Elastic SIEM, and to reduce time spent on updating your ingestion pipelines in the future, please follow the Converting your data to ECS instructions, populating as many ECS fields as practical, paying particular attention to:

  • Ensure that your network events populate ECS source and destination fields. Network events may not be displayed in the SIEM app network views if source.ip and destination.ip fields are not populated.
  • If you have network protocol events, be sure to populate the http , dns , and tls field sets.
  • Ensure that your host events populate ECS host fields. Host events will not be displayed in the SIEM app host views if the host.name field is not populated. Recall that host.name should be populated with the name of the host where the event happened, not the name of a collector or observer.
  • If your host events contain details about process activity, ensure that your fields are mapped to the corresponding ECS process fields.
  • Be sure that for all your events, you populate the ECS categorization fields: event.kind , event.category , event.type , and event.outcome . SIEM authentication and process widgets depend on these fields being populated. Also, try to populate the ECS event.action field with relevant details for your event.