Track Application-level Events?

We currently have a set of microservices.

We would like to log all HTTP Requests using the Elastic Common Schema (ECS).

Since Elastic proposes a SIEM (known as Elastic SIEM), would it make sense to display this data in the SIEM, given that it's possible to add a custom index pattern to the SIEM interface?

We like the mapping approach, case management, etc.

However, it seems like SIEM is more for "security" at hardware/host level.

You could definitely use the Security module for your logs in addition to Kibana. You're right, some of the newer Security features are more for endpoint protection (EDR, Elastic Agents through Fleet), but the core function of Elastic SIEM has been based around data queries and dashboards of all sorts of log data since way before Elastic offered EDR.

The biggest benefit the Security module will have for you will likely be the ability to configure rules. See high amounts of requests from a single IP? Alert for a potential DDoS attack. Requests for admin-level pages? Alert for recon on your service. If you go with Elastic Cloud you can take advantage of some ML rules which might be helpful. You can also integrate threat intel. HTTP request logs from traditional services like IIS and Apache have been around for a long time, so you'll likely find a lot of good examples that are already in use by others.
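The two rule ideas from the reply above (a request flood from a single `client.ip`, and requests to admin-level paths) as an added example run over constructed ECS-formatted HTTP documents. This is not code from the thread or from Elastic; the threshold, window, admin path prefixes and sample addresses are assumptions, and a real deployment would express these as Security detection rules over the index pattern rather than as Python.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ecs(ts, ip, path, status):
    # Build one constructed ECS document (not real traffic) with the fields the rules read.
    return json.dumps({"@timestamp": ts, "client": {"ip": ip},
                       "http": {"request": {"method": "GET"}, "response": {"status_code": status}},
                       "url": {"path": path}})


# Constructed sample: seven requests from one client within 30 seconds, plus a second
# client that probes an admin path. One JSON document per line, as shipped to Elasticsearch.
SAMPLE_ECS_LOGS = "\n".join(
    [_ecs(f"2024-01-01T10:00:{s:02d}Z", "203.0.113.5", "/api/orders", 200) for s in range(0, 35, 5)]
    + [_ecs("2024-01-01T10:00:12Z", "198.51.100.7", "/admin/login", 404),
       _ecs("2024-01-01T10:01:40Z", "198.51.100.7", "/api/orders", 200)])

# Assumed set of admin-style prefixes; tune to the paths your microservices actually expose.
ADMIN_PREFIXES = ("/admin", "/wp-admin", "/manager")


def parse_ecs_lines(text):
    """Parse newline-delimited ECS JSON into flat events (timestamp, client.ip, url.path, status)."""
    events = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        doc = json.loads(line)
        events.append({"ts": datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00")),
                       "ip": doc["client"]["ip"], "path": doc["url"]["path"],
                       "status": doc["http"]["response"]["status_code"]})
    return events


def detect_request_floods(events, threshold=5, window=timedelta(minutes=1)):
    """Rule 1: return client IPs that sent more than `threshold` requests inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop timestamps that fell out of the window
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def detect_admin_probes(events):
    """Rule 2: return sorted (client.ip, url.path) pairs whose path starts with an admin prefix."""
    return sorted({(e["ip"], e["path"]) for e in events if e["path"].startswith(ADMIN_PREFIXES)})
```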
