SIEM Events/All Events Tables Empty

Finished setting up all of ELK and all looks fine until heading to the SIEM page. For some reason the events table in SIEM is looking for fields that do not exist.

Can someone point me to the right direction to fix that?

Really appreciate the attention,

Hi @francescouk, great that you got your ELK stack up and running!

The SIEM app, including all its pages (e.g., Hosts, Network, Detections, etc.), expects data to be normalized to the Elastic Common Schema (ECS). One common reason for data not appearing in SIEM tables is that the data is not in ECS format.

ECS is an open source specification, developed with support from the Elastic user community. ECS defines a common set of fields to be used when storing event data in Elasticsearch. The goal of ECS is to enable and encourage users of Elasticsearch to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.

You can read about ECS in the documentation.
And to see which ECS fields are used by the SIEM app, check out this reference page.

How are you ingesting your data into Elasticsearch? Elastic has a substantial set of integration "modules" that can convert your data to ECS format during the ingestion process.

You can check out the security solution integrations on this web site integrations page, to see if there's already one for your data source. Feel free to browse that page for other integrations beyond security as well.

If not, you can modify your ingestion process to do that conversion. There are many good references that can help. Here are a few:

  • An introduction to ECS blog
  • A webinar about Integrating custom logs with ECS for Elastic SIEM.
  • A blog about getting started with adding a new security data source in your Elastic SIEM

Please let us know if this helps.
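
As an added illustration of the conversion the reply describes (example code, not from this thread or from Elastic): a Python normalizer that maps a hypothetical custom firewall log to ECS field names, reports which fields assumed here to be required are still missing (the usual reason a SIEM table stays empty), and emits the equivalent Elasticsearch ingest pipeline body from the same mapping. The field mapping, the REQUIRED list and the sample record are assumptions; check the SIEM field reference page for what each table actually reads.

```python
import json
# Custom source field -> ECS field (assumed mapping for a hypothetical firewall log).
FIELD_MAP = {"ts": "@timestamp", "src_ip": "source.ip", "dst_ip": "destination.ip",
             "dst_port": "destination.port", "hostname": "host.name", "action": "event.action"}
# Constant ECS fields every event from this source should carry.
CONSTANTS = {"event.kind": "event", "event.category": ["network"]}
# Fields assumed here to be needed before SIEM tables show rows; confirm against the SIEM field reference.
REQUIRED = ["@timestamp", "host.name", "event.kind"]

def _set_path(doc: dict, dotted: str, value) -> None:
    """Assign value at a dotted path, creating nested objects ('a.b' -> {'a': {'b': v}})."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value

def to_ecs(record: dict) -> dict:
    """Return a nested ECS document; fields with no mapping keep their original name."""
    doc: dict = {}
    for key, value in record.items():
        _set_path(doc, FIELD_MAP.get(key, key), value)
    for key, value in CONSTANTS.items():
        _set_path(doc, key, value)
    return doc

def missing_required(doc: dict) -> list:
    """List REQUIRED fields absent from the document: the usual cause of empty SIEM tables."""
    def present(dotted: str) -> bool:
        node = doc
        for part in dotted.split("."):
            if not isinstance(node, dict) or part not in node:
                return False
            node = node[part]
        return True
    return [f for f in REQUIRED if not present(f)]

def ingest_pipeline() -> dict:
    """Build the equivalent Elasticsearch ingest pipeline body from the same mapping."""
    processors = [{"rename": {"field": s, "target_field": t, "ignore_missing": True}}
                  for s, t in FIELD_MAP.items()]
    processors += [{"set": {"field": k, "value": v}} for k, v in CONSTANTS.items()]
    return {"description": "custom firewall log -> ECS", "processors": processors}

if __name__ == "__main__":
    # Constructed sample record, not real data; 'rule' has no mapping and stays as-is.
    sample = {"ts": "2024-05-01T12:00:00Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
              "dst_port": 443, "hostname": "web01", "action": "allow", "rule": "r7"}
    print(json.dumps(to_ecs(sample)), missing_required(to_ecs(sample)))
    print(json.dumps(ingest_pipeline()))  # body for PUT _ingest/pipeline/<name>
```

Running `missing_required` on a record that lacks `hostname` or `ts` shows immediately which SIEM-facing field the source never provided, which is the check to do before blaming the app.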
