What are the essential ecs items in elastic siem?

Elastic Security
#1

I collected syslogs of security devices (WAF, IPS, IDS (suricata), anti-DDoS) by filebeat, delivered to logstash, and stacked them in elastisearch.

I know that using filebeat, it automatically makes it into ecs format,
All collected indexes were registered in the siem index.

However, equipment other than suricata cannot be identified in the elastic siem.

This is the security equipment log collected using filebeat's cef module, and can be checked in elasticsearch.

스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.49.52
스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.49.523066Γ—890 267 KB

The index is also registered so that it can be checked in siem.

스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.51.50
스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.51.502384Γ—668 73.8 KB

However, only the suricata log can be checked in the actual siem.

If you look at the overview of siem, there are only beats in both the host and the network, and even if you add an index, it is not registered

스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.54.46
스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.54.462312Γ—1186 187 KB

스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.56.39
스크란샷 2020-10-28 α„‹α…©α„Œα…₯ᆫ 10.56.392926Γ—1020 308 KB

How can I use security device logs in siem?

and i want to remove auditbeat, packetbeat, and cisco, netflow, zeek in filebeat.
so the index was deleted in security, but it was not deleted from the screen.

In the future I will use fluentd instead of filebeat to collect logs, is it impossible to use siem at this time?

#2

Hi,
Take a look at this. I think this will answer your question.

#3

If use filebeat, isn't it automatically creating a log in ecs format?

Currently I am receiving and processing syslog using filebeat, but elastic siem can't discover logs. So, do I have to create a custom module to fill in the fields of the link?

And how do I edit the items in the overview?
I don't want to make a beat-by-beat item, but rather modify it to my liking.

#4

If you're using filebeat modules then yes. But It doesn't mean it'll create all of the necessary fields.
for example, if you want to add your device to HOSTS page in SIEM, you'll need two ecs field * @timestamp and * host.name.
Could you send a sample log so we can figure out which fields are missing and which fields needs to be changed.

#5

You were right.
As a result of checking,
syslogs of other devices are also received by filebeat from the host where suricata is installed, so all of them are checked like suricata logs.

Thank you.
If the host information is modified, it is determined that the event can be checked in siem.

And is there a way to modify the name of other equipment such as suricata, my WAF, IPS instead of Network in overview and OOOBeat of Host?
Does this part refer to agent.type and event.module?

#6

Your welcome, glad I could help.

you can add, delete or rename a field in filebeat using processors. for example, you can use rename processor to change a field's name.

#7

Is it possible to delete cisco and Palo Alto existing on the network?

Since it is collected by filebeat, I will understand what is added by modifying the host name, etc.

I would like to delete all of them and display them as waf, suricata, anti-virus rather than adding them to the sub-item by Beat in the Network tab.

#8

Do you mean from network tab on siem page? I've never tried it but by changing or deleting required field it's possible.

#9

At the bottom of the overview, I said deleting from Network and Host.

image

Where can I delete the required field?

#10

You can use the inspect option to see which fields are required. go to request and look at the query.
Screenshot from 2020-10-31 08-07-42
After finding out required fields, you could rename or delete the fields using Logstash, filebeat processors, or ingest pipeline processors.

1 Like
#11

Thank you so much for answering the question.

1 Like