We would like to log all HTTP Requests using the Elastic Common Schema (ECS).
Since Elastic proposes a SIEM (known as Elastic SIEM), would it make sense to display this data in SIEM, since it's possible to add a custom index pattern to the SIEM interface?
We like the mapping approach, case management, etc.
However, it seems like SIEM is more for "security" at hardware/host level.
You could definitely use the Security module for your logs in addition to Kibana. You're right, some of the newer Security features are more for endpoint protection (EDR, Elastic Agents through Fleet), but the core function of Elastic SIEM has been based around data queries and dashboards of all sorts of log data since way before Elastic offered EDR.
The biggest benefit the Security module will have for you will likely be the ability to configure rules. See high amounts of requests from a single IP? Alert for potential DDoS attacks. Requests for admin-level pages? Alert for recon on your service. If you go with Elastic Cloud you can take advantage of some ML rules, which might be helpful. You can also integrate threat intel. HTTP request logs from traditional services like IIS and Apache have been around for a long time, so you'll likely find a lot of good examples that are already in use by others.
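As an added example (not from the original thread or from Elastic), here are the two rules the answer sketches, a per-source-IP request-rate threshold and an alert on admin-path requests, implemented in Python over constructed ECS-shaped HTTP request events. The field names (`source.ip`, `url.path`, `http.request.method`, `@timestamp`) are ECS; the IPs, paths, thresholds and window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ECS-shaped HTTP request events, one JSON document per line.
# Field names follow ECS; the IPs, paths and timing are made up for this example.
def _ecs_event(ts, ip, path, method="GET"):
    return json.dumps({"@timestamp": ts.isoformat() + "Z", "event": {"category": "web"},
                       "source": {"ip": ip}, "url": {"path": path},
                       "http": {"request": {"method": method}}})

_T0 = datetime(2024, 1, 1, 10, 0, 0)
# 25 requests in 48 seconds from one client (assumed burst), plus two normal-looking requests
SAMPLE_LINES = [_ecs_event(_T0 + timedelta(seconds=2 * i), "203.0.113.5", "/index.html") for i in range(25)]
SAMPLE_LINES += [_ecs_event(_T0 + timedelta(minutes=5), "198.51.100.7", "/products"),
                 _ecs_event(_T0 + timedelta(minutes=6), "198.51.100.7", "/admin/login", "POST")]

def parse_ecs(lines):
    """Turn newline-delimited ECS JSON into sorted (timestamp, source.ip, url.path) tuples."""
    out = []
    for line in lines:
        doc = json.loads(line)
        ts = datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, doc["source"]["ip"], doc["url"]["path"]))
    return sorted(out)

def high_rate_sources(events, threshold=20, window=timedelta(minutes=1)):
    """Threshold rule: source IPs that exceed `threshold` requests inside any sliding `window`."""
    per_ip = defaultdict(list)
    for ts, ip, _ in events:
        per_ip[ip].append(ts)          # events are already sorted, so each list is sorted too
    flagged = set()
    for ip, stamps in per_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged

def admin_path_requests(events, prefixes=("/admin",)):
    """Recon rule: any request whose url.path starts with a sensitive prefix."""
    return [(ip, path) for _, ip, path in events if path.startswith(prefixes)]

def run_detections(lines):
    """Run both rules over raw ECS lines and return the resulting alerts."""
    events = parse_ecs(lines)
    return {"high_rate": high_rate_sources(events), "admin_paths": admin_path_requests(events)}

if __name__ == "__main__":
    print(run_detections(SAMPLE_LINES))
```

In Kibana the same logic would be expressed as a threshold rule and a query rule over the ECS fields; this script only shows the detection logic itself.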