New to SIEM. Confused about functionality or my settings.
I have Fortinet and Sonicwall logs going to ES: they arrive via syslog at Logstash, which then forwards them to ES.
When I go to Elastic SIEM, under either Hosts or Network pages, I see nothing related to these firewalls. The Network Events list appears to show 9 "categories" (Auditbeat Socket, Filebeat Cisco, Filebeat Netflow, Filebeat Palo Alto Network, Filebeat Suricata, Filebeat Zeek, Packetbeat DNS, Packetbeat Flow, Packetbeat TLS). These all align with known Beats input methods, but I see no method for customizing to account for ingestion not done via Beats.
- Is that list of 9 "categories" a static, pre-set list? Can I add my Fortinet and Sonicwall logs to that list somehow?
- Is SIEM so limited as to only show you logs from the supported Beats methods?
- How can I get SIEM to show these events in their main pages?
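As an added example (not from the original post, and not Elastic's or the firewall vendors' own code), one way to make Logstash-ingested firewall events show up in the SIEM Hosts and Network pages is to map them onto the ECS field names the app keys on (source.ip, destination.ip, host.name, event.module, event.dataset). The vendor key names (srcip, dstip, devname, src, dst, sn), the listener port, and the index name below are assumptions about the log formats and your setup:

```conf
input {
  syslog { port => 5514 }   # assumed listener port; match the port your firewalls send to
}

filter {
  # Both firewalls send key=value message bodies; split them into fields.
  kv { source => "message" }

  # Assumed FortiGate-style keys -> ECS
  if [srcip] {
    mutate {
      rename => { "srcip" => "[source][ip]"  "dstip" => "[destination][ip]"  "devname" => "[host][name]" }
      add_field => { "[event][module]" => "fortinet"  "[event][dataset]" => "fortinet.firewall" }
    }
  }

  # Assumed SonicWall-style keys -> ECS (src/dst may carry "ip:port:iface"; keep only the IP)
  if [sn] {
    grok { match => { "src" => "^%{IP:[source][ip]}"  "dst" => "^%{IP:[destination][ip]}" } }
    mutate {
      rename => { "sn" => "[host][name]" }
      add_field => { "[event][module]" => "sonicwall"  "[event][dataset]" => "sonicwall.firewall" }
    }
  }

  # Fields the SIEM app uses to classify events (assumption: Network page needs
  # source/destination.ip, Hosts page needs host.name, event.* drives the event tables)
  mutate {
    add_field => { "[event][category]" => "network"  "[event][kind]" => "event"  "[ecs][version]" => "1.5.0" }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] index => "logstash-firewall-%{+YYYY.MM.dd}" }   # assumed index name
}
```

The SIEM app only reads the index patterns listed in the Kibana advanced setting `siem:defaultIndex` (Beats patterns by default), so the Logstash index pattern above also has to be added there before its events appear on those pages.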