Finished setting up all the ELK and all looks fine until heading to the SIEM page. For some reason the events table in SIEM is looking for fields that do not exist.
Can someone point me to the right direction to fix that?
Hi @francescouk, great that you got your ELK stack up and running!
The SIEM app, including all its pages (e.g., Hosts, Network, Detections, etc.) expects data to be normalized to the Elastic Common Schema (ECS). One common reason for data not appearing in SIEM tables is when data is not in ECS format.
ECS is an open source specification, developed with support from the Elastic user community. ECS defines a common set of fields to be used when storing event data in Elasticsearch. The goal of ECS is to enable and encourage users of Elasticsearch to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
You can read more in the ECS documentation.
And to see which ECS fields are used by the SIEM app, check out this reference page.
How are you ingesting your data into Elasticsearch? Elastic has a substantial set of integration "modules" that can convert your data to ECS format during the ingestion process.
You can check out the security solution integrations on this web site integrations page, to see if there's already one for your data source. Feel free to browse that page for other integrations beyond security as well.
If not, you can modify your ingestion process to do that conversion. There are many good references that can help. Here are a few:
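As an added example (not part of the original reply and not Elastic's own code): a small Python normalizer that maps a constructed custom-schema event onto ECS field names and reports which fields the SIEM tables would still fail to find. The custom field names in FIELD_MAP and the REQUIRED_ECS list are assumptions chosen for illustration; the ECS names they map to are real ECS fields.

```python
"""Map a non-ECS event onto ECS and report fields the SIEM app cannot find."""
from datetime import datetime, timezone

# Left: field names of a hypothetical custom log schema (constructed for
# this example). Right: the real ECS field each one should become.
FIELD_MAP = {
    "ts": "@timestamp",
    "src_ip": "source.ip",
    "dst_ip": "destination.ip",
    "dst_port": "destination.port",
    "hostname": "host.name",
    "username": "user.name",
    "action": "event.action",
}

# A minimal, illustrative set of ECS fields the SIEM tables read.
REQUIRED_ECS = ("@timestamp", "host.name", "source.ip",
                "destination.ip", "event.kind", "event.category")


def set_nested(doc, dotted, value):
    """Write 'a.b.c' as nested objects, the way Elasticsearch stores them."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        doc = doc.setdefault(part, {})
    doc[leaf] = value


def get_nested(doc, dotted):
    """Read a dotted path; None when any part of the path is absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def to_ecs(raw, category="network"):
    """Return an ECS document built from a raw custom-schema event."""
    ecs = {"event": {"kind": "event", "category": [category]}}
    for src, dst in FIELD_MAP.items():
        if src in raw:
            value = raw[src]
            if dst == "@timestamp" and isinstance(value, (int, float)):
                # ECS expects an ISO 8601 date string, not an epoch number.
                value = datetime.fromtimestamp(value, tz=timezone.utc)
                value = value.isoformat().replace("+00:00", "Z")
            set_nested(ecs, dst, value)
    return ecs


def missing_fields(doc):
    """ECS fields the SIEM tables look for that this document lacks."""
    return [f for f in REQUIRED_ECS if get_nested(doc, f) is None]


# Constructed sample event in the custom schema (not real traffic).
RAW_EVENT = {"ts": 1700000000, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
             "dst_port": 443, "hostname": "web-01", "username": "alice",
             "action": "connection_attempted"}
```

Run against RAW_EVENT, missing_fields reports every required field absent, which is exactly the symptom of an empty SIEM events table; after to_ecs it reports none.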