Get up and runningedit

To use the SIEM app, you need an Elasticsearch cluster and Kibana (version 7.2 or later) with a basic license. See Getting started with the Elastic Stack.

There are some additional requirements for using the Detections feature. For more information, see Detections configuration and index privilege prerequisites.

You can skip installing Elasticsearch and Kibana by using our hosted Elasticsearch Service on Elastic Cloud. The Elasticsearch Service is available on both AWS and GCP. Try the Elasticsearch Service for free.

For information on how to perform cross-cluster searches on SIEM indices, see:

Ingest dataedit

To ingest data, you can use:

  • Beats shippers (version 7.x or later) installed for each system you want to monitor.
  • Elastic Endpoint Security, which ships events and security alerts directly to Elasticsearch.
  • Third-party collectors configured to ship ECS-compliant data. SIEM field reference guide provides a list of all fields used in SIEM.

If you use a third-party collector to ship data to the SIEM app, you must map its fields to the Elastic Common Schema (ECS). Additionally, you must add its index to the SIEM Elasticsearch indices (KibanaManagementAdvanced Settingssiem:defaultIndex).

SIEM uses the ECS field as the primary key for identifying hosts.

Install Beats shippersedit

To populate the SIEM app with hosts and network security events, you need to install and configure Beats on the systems from which you want to ingest security events:

  • Filebeat for forwarding and centralizing logs and files
  • Auditbeat for collecting security events
  • Winlogbeat for centralizing Windows event logs
  • Packetbeat for analyzing network activity

You can install Beats using a Kibana-based guide or directly from the command line.

Install Beats using the Kibana-based guideedit

Follow the instructions in the Add Data section of the Kibana home page. Click Add events, and follow the links for the types of data you want to collect.

add data

Download and install Beats from the command lineedit

If your data source isn’t in the list, or you want to install Beats the old fashioned way:

Enable modules and configuration optionsedit

No matter how you installed Beats, you need to enable modules in Auditbeat and Filebeat to populate the SIEM app with data.

To populate Hosts data, enable these Auditbeat modules:

To populate Network data, enable the relevant Packetbeat protocols and Filebeat modules: