Get up and running

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

You need:

If you use a third-party collector to ship data to the SIEM app, you must map its fields to the Elastic Common Schema (ECS). Additionally, you must add its index to the SIEM Elasticsearch indices (Kibana → Management → Advanced Settings → siem:defaultIndex).

SIEM uses the ECS field as the primary key for identifying hosts.
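As an added illustration of the ECS mapping requirement above (example code, not part of the Elastic documentation), the following Python normalises a constructed third-party firewall event into ECS dotted fields and shows a collector's index pattern being added once to the siem:defaultIndex list. The collector's field names, the sample event, the index patterns and the choice of host.name as the host key are assumptions.

```python
# Added example: map a hypothetical third-party collector's flat event to ECS.
# The collector's field names, the sample event and index patterns are constructed.
THIRD_PARTY_TO_ECS = {
    "hostname": "host.name",  # host.name assumed here to be the SIEM host key
    "src": "source.ip",
    "dst": "destination.ip",
    "sport": "source.port",
    "dport": "destination.port",
    "ts": "@timestamp",
    "action": "event.action",
}
# ECS fields an event must carry before the SIEM host views can use it (assumed).
REQUIRED_ECS = ("@timestamp", "host.name")
# Constructed sample record as the hypothetical collector would emit it.
SAMPLE_EVENT = {"ts": "2023-01-01T00:00:00Z", "hostname": "fw-edge-01",
                "src": "10.0.0.5", "dst": "10.0.0.9", "sport": "51234",
                "dport": "443", "action": "allow"}

def set_nested(doc, dotted, value):
    """Write an ECS dotted field such as 'source.ip' as nested JSON objects."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value

def get_nested(doc, dotted):
    """Read a dotted ECS field back; None when any level is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def to_ecs(raw):
    """Return the ECS document for one raw event; raise if a required field is absent."""
    doc = {}
    for src_key, ecs_key in THIRD_PARTY_TO_ECS.items():
        if src_key in raw:
            value = int(raw[src_key]) if ecs_key.endswith(".port") else raw[src_key]
            set_nested(doc, ecs_key, value)
    set_nested(doc, "event.category", "network")  # fixed for this network source
    missing = [f for f in REQUIRED_ECS if get_nested(doc, f) is None]
    if missing:
        raise ValueError(f"event is missing required ECS fields: {missing}")
    return doc

def siem_default_index_with(patterns, new_pattern):
    """siem:defaultIndex value with the collector's index pattern added once."""
    return patterns if new_pattern in patterns else patterns + [new_pattern]
```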

Install Beats shippers

To populate the SIEM app with hosts and network security events, you need to install and configure Beats on the systems from which you want to ingest security events:

You can install Beats using a Kibana-based guide or directly from the command line.

Install Beats using the Kibana-based guide

Follow the instructions in the Add Data section of the Kibana home page. Click Add log data or Add metrics, and follow the links for the types of data you want to collect.


Download and install Beats from the command line

If your data source isn’t in the list, or you want to install Beats the old-fashioned way:

Enable modules and configuration options

For either approach, you need to enable modules in Auditbeat and Filebeat to populate the SIEM app with data.

To populate Hosts data, enable these Auditbeat modules:

To populate Network data, enable the relevant Packetbeat protocols and Filebeat modules: