New to SIEM. Confused about functionality or my settings.
I have Fortinet and Sonicwall logs going to ES, via syslog to Logstash, then to ES.
When I go to Elastic SIEM, under either Hosts or Network pages, I see nothing related to these firewalls. The Network Events list appears to show 9 "categories" (Auditbeat Socket, Filebeat Cisco, Filebeat Netflow, Filebeat Palo Alto Network, Filebeat Suricata, Filebeat Zeek, Packetbeat DNS, Packetbeat Flow, Packetbeat TLS). These all align with known Beats input methods, but I see no method for customizing to account for ingestion not done via Beats.
Questions:
Is that list of 9 "categories" a static, pre-set list? Can I add my Fortinet and Sonicwall logs to that list somehow?
Is SIEM so limited as to only show you logs from the supported Beats methods?
How can I get SIEM to show these events in their main pages?
The SIEM app is designed to display and make use of any data that complies with ECS. The categories are based on Beats, yes, to make the getting started experience with Beats easier, but Beats are not a requirement.
So, if you didn't do it yet, I recommend mapping your data to ECS. You can do that via an Ingest Node pipeline or via Logstash or other tools.
Which indices is your data ingested into? You might need to add those to the "SIEM Elasticsearch indices" setting, which you can find under Kibana Advanced settings.
Hi tudor,
I've done all that. The data is all ECS format.
None of that would seem to make any difference when the SIEM dashboard shows Host and Network Event "categories" (like Auditbeat Socket, Filebeat Cisco, Filebeat Netflow, Filebeat Palo Alto Network, Filebeat Suricata, Filebeat Zeek, Packetbeat DNS, Packetbeat Flow, Packetbeat TLS) that are not relevant to my ECS events (think Fortinet and Sonicwall firewall logs in ECS format).
Both the elastic SIEM guide and your reply say "SIEM can be used with any ECS data", but there is a distinct lack of "how can SIEM be used with any ECS data". How can I modify my SIEM dashboard to show my Fortinet logs? Is that even possible?
Can you confirm that you've modified the Kibana advanced setting siem:defaultIndex to include the index patterns into which you're ingesting your fortinet and sonicwall log events? Would you mind posting the current value of that setting here?
Also, just to be sure, are you viewing the SIEM app using the same Kibana space for which you changed these advanced settings?
Your initial post mentions the Hosts and Network pages. If your siem:defaultIndex is configured properly, then your events should be included there and on the Detections pages.
However, you also mention the Network events list, presumably from the bottom right of the Overview page. In the current version 7.6, the network event list does not adjust to display data from indices newly added to the siem:defaultIndex and there is not currently a way for you to add your log categories to that list manually. This is something we're planning for a future release.
However, the three histograms above that list on the Overview page should indeed display your firewall events, alerts, and signals.
siem:defaultIndex is set to `auditbeat-*, filebeat-*, packetbeat-*, winlogbeat-*, microsoft*, linux*, cisco*, sonicwall*, fortinet*`
Obviously sonicwall* and fortinet* will cover the indexes for those products.
I am running Kibana 7.4.2. Here is my overview page.
When you say the three histograms, I assume you mean the Hosts / Network / Timelines links?
Assuming so, Hosts obviously will not have my firewall logs because Hosts is keyed off of host.name and that is not a field relevant to our firewall logs. However, Network should show our firewall logs, but doesn't, and I have been unable to figure out what keys whether a log appears in Network or not. Do you know?
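The thread raises three separate checks: mapping the firewall line to ECS (tudor's reply), confirming the target index is matched by a siem:defaultIndex pattern (the quoted setting), and knowing which ECS fields a document needs before a SIEM page will pick it up (the last question). The following Python script is an added example, not code from this thread, from Elastic, or from Fortinet. It parses a constructed Fortinet-style `key=value` syslog line (all values invented), maps it to a nested ECS document using an assumed vendor-to-ECS field table, checks the index name against the patterns quoted above, and reports which SIEM-relevant fields are absent. The list of fields the pages depend on is an assumption: `host.name` for Hosts, as the thread states, and `source.ip` / `destination.ip` for Network. The device is also assumed to report timestamps in UTC.

```python
"""Map a constructed Fortinet-style syslog line to ECS and check what the SIEM app can use."""
import fnmatch
import re
from datetime import datetime, timezone

# Constructed sample line; device name, IPs and counters are invented for this example.
SAMPLE_LINE = (
    '<189>date=2020-03-10 time=14:22:01 devname="fw-edge-01" '
    'type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.25 srcport=51234 dstip=203.0.113.7 dstport=443 proto=6 '
    'action="accept" policyid=12 sentbyte=1520 rcvdbyte=8342'
)

# Vendor key -> ECS field. Assumed mapping written for this example, not an official one.
ECS_MAP = {
    "devname": "observer.name",   # the firewall observed the flow; it is not the host
    "srcip": "source.ip",
    "srcport": "source.port",
    "dstip": "destination.ip",
    "dstport": "destination.port",
    "action": "event.action",
    "level": "log.level",
    "sentbyte": "source.bytes",
    "rcvdbyte": "destination.bytes",
    "policyid": "rule.id",
}
INT_FIELDS = {"source.port", "destination.port", "source.bytes", "destination.bytes"}
IANA_TRANSPORT = {"1": "icmp", "6": "tcp", "17": "udp"}

# Assumed: Hosts keys off host.name (as stated in the thread); Network is assumed
# here to key off source.ip / destination.ip. Every page needs @timestamp.
SIEM_FIELDS = ["@timestamp", "host.name", "source.ip", "destination.ip"]

# The siem:defaultIndex value quoted in the thread, as a list of patterns.
DEFAULT_INDEX = ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*",
                 "microsoft*", "linux*", "cisco*", "sonicwall*", "fortinet*"]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Return the key=value pairs of a syslog line as a flat dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def set_path(doc, dotted, value):
    """Store value under a dotted ECS path, creating nested objects as needed."""
    parts = dotted.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def get_path(doc, dotted):
    """Read a dotted ECS path from a nested document; None if any part is missing."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def to_ecs(line):
    """Convert one vendor log line into a nested ECS-shaped document."""
    raw = parse_kv(line)
    doc = {}
    set_path(doc, "event.original", line)
    set_path(doc, "event.kind", "event")
    set_path(doc, "event.category", "network")
    for key, ecs_field in ECS_MAP.items():
        if key in raw:
            value = int(raw[key]) if ecs_field in INT_FIELDS else raw[key]
            set_path(doc, ecs_field, value)
    if "proto" in raw:
        set_path(doc, "network.iana_number", raw["proto"])
        set_path(doc, "network.transport", IANA_TRANSPORT.get(raw["proto"], "unknown"))
    if "date" in raw and "time" in raw:
        # Assumes the device reports UTC; adjust the tzinfo if it logs local time.
        ts = datetime.strptime(raw["date"] + " " + raw["time"], "%Y-%m-%d %H:%M:%S")
        doc["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    return doc


def missing_siem_fields(doc):
    """List the SIEM-relevant ECS fields (see SIEM_FIELDS) that the document lacks."""
    return [f for f in SIEM_FIELDS if get_path(doc, f) is None]


def index_covered(index_name, patterns=DEFAULT_INDEX):
    """True if an index name matches at least one siem:defaultIndex pattern."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in patterns)


if __name__ == "__main__":
    ecs_doc = to_ecs(SAMPLE_LINE)
    print(ecs_doc)
    print("missing SIEM fields:", missing_siem_fields(ecs_doc))
    print("fortinet-2020.03.10 covered:", index_covered("fortinet-2020.03.10"))
```

Run against the sample line, the document carries `source.ip` and `destination.ip` but no `host.name`, which is exactly the situation described above: under the assumed field dependencies it would qualify for Network but not for Hosts. `index_covered` is the check to run on the actual index name Logstash writes to; a name such as `firewall-logs-2020.03` matches none of the quoted patterns and would be invisible to the SIEM app however well-formed the ECS documents are.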