
Elastic SIEM – Security Information and Event Management - praseodym
https://www.elastic.co/blog/introducing-elastic-siem
======
strictnein
> SIEM detection rules ... on our roadmap

The current solution in this space, which actually works really well at scale,
is ElastAlert[0]. The problem is that ElastAlert is kind of a mess to work
with. Lots of documentation, but you need to get into the weeds with it to
figure out how it really functions.

Once you get it going it's a great tool. Scaling it out (we run hundreds of
rules pretty frequently - upwards of 15 times an hour) is just standing up
more instances with their own separate rules.

[0] [https://github.com/Yelp/elastalert](https://github.com/Yelp/elastalert)
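For readers who have not used ElastAlert, the kind of rule the comment above is scaling out is a sliding-window "frequency" rule: fire when N matching events from the same key land inside a timeframe. The block below is an added illustration written for this page, not ElastAlert's own code. It assumes ECS-style field names (`source.ip`, `event.action`, `event.outcome`), a rule dict shaped like an ElastAlert rule file with the Elasticsearch filter simplified to exact field matches, and constructed sample events (not real logs).

```python
"""Sliding-window "frequency" rule of the kind ElastAlert runs, written here
as an added illustration (not ElastAlert's own code). It evaluates one rule
over constructed ECS-style events and fires one alert per query_key value
whenever num_events matching events fall inside the rule's timeframe."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical rule, shaped like an ElastAlert rule file. The real `filter` is an
# Elasticsearch query; here it is simplified to exact field matches.
RULE = {
    "name": "ssh_bruteforce_per_source",
    "type": "frequency",
    "num_events": 5,
    "timeframe": timedelta(minutes=2),
    "query_key": "source.ip",
    "filter": {"event.action": "ssh_login", "event.outcome": "failure"},
}

BASE = datetime(2019, 6, 25, 12, 0, 0)


def _ev(seconds, ip, action="ssh_login", outcome="failure"):
    """Build one constructed sample event (not real log data)."""
    return {
        "@timestamp": BASE + timedelta(seconds=seconds),
        "source.ip": ip,
        "event.action": action,
        "event.outcome": outcome,
    }


# Constructed sample input, sorted by time as ElastAlert receives it from ES:
# 10.0.0.5 fails five times in 40 s (a burst); 10.0.0.9 fails five times spread
# over 4.5 min (background noise); a success and an unrelated event are mixed in.
EVENTS = sorted(
    [
        _ev(0, "10.0.0.5"), _ev(10, "10.0.0.5"), _ev(20, "10.0.0.5"),
        _ev(30, "10.0.0.5"), _ev(40, "10.0.0.5"),
        _ev(15, "10.0.0.5", outcome="success"),
        _ev(25, "10.0.0.5", action="http_request"),
        _ev(0, "10.0.0.9"), _ev(60, "10.0.0.9"), _ev(130, "10.0.0.9"),
        _ev(200, "10.0.0.9"), _ev(270, "10.0.0.9"),
    ],
    key=lambda e: e["@timestamp"],
)


def matches(event, flt):
    """Simplified filter: every key in flt must equal the event's value."""
    return all(event.get(k) == v for k, v in flt.items())


def run_frequency_rule(rule, events):
    """Return a list of alerts. One deque of timestamps is kept per query_key
    value; timestamps older than the timeframe are evicted from the front, and
    when the window holds num_events the key alerts and its window is reset
    (ElastAlert likewise drops a key's occurrences after it alerts), so a
    sustained burst yields one alert per full window rather than one per event.
    Events must be in timestamp order, which is why EVENTS is sorted above."""
    windows = defaultdict(deque)
    alerts = []
    for ev in events:
        if not matches(ev, rule["filter"]):
            continue
        key = ev.get(rule["query_key"], "_missing")
        now = ev["@timestamp"]
        win = windows[key]
        win.append(now)
        while win and now - win[0] > rule["timeframe"]:
            win.popleft()
        if len(win) >= rule["num_events"]:
            alerts.append({
                "rule": rule["name"],
                "key": key,
                "count": len(win),
                "window_end": now,
            })
            win.clear()
    return alerts


if __name__ == "__main__":
    for alert in run_frequency_rule(RULE, EVENTS):
        print(alert)
```

With the rule as written only 10.0.0.5 alerts (five failures inside 40 s); 10.0.0.9 never has five failures inside any two-minute window. Loosening the rule to three events in three minutes makes both sources alert, which is the usual tuning trade-off. The scaling model described in the comment maps directly onto this: each ElastAlert instance runs its own subset of rule files, and there is no shared state between instances, so splitting rules across hosts is the whole story.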

~~~
frementrep
Heard the same about ElastAlert, that it is difficult to manage. Any idea how
much time/effort is spent per day/week/month to manage the ElastAlert rules
and what level of expertise is required?

------
jamestimmins
I always find that Elastic assumes decent familiarity with their products even
when "introducing" them. Everything looks beautiful but I can't quite tell
what different tools do.

~~~
freehunter
A SIEM is one of those things where you'll know if you need it. Most of the
companies I know using a SIEM do it because audit and compliance requires them
to have one.

~~~
strictnein
Are they using something else to monitor/dig through their network/etc logs,
or are they just flying blind?

~~~
freehunter
A lot of my clients use a SIEM for security and something like Splunk or
Logstash or ELK for application debugging.

------
DeepYogurt
So, for those interested, Mozilla is working on something pretty similar.

[https://mozdef.readthedocs.io/en/latest/](https://mozdef.readthedocs.io/en/latest/)

They have a set of docker containers which I find very handy for spinning up
deploy-specific logging sinks or full-on SIEMs.

~~~
PenguinCoder
Just heard about this today at re:Inforce conf. Looks pretty interesting and
integrates well with cloud logs or on prem. Definitely going to look into it
more.

~~~
DeepYogurt
Just a heads-up: there are some rough edges. That said, to get it going you can
just do a pull and then a `make run`. It's got zero auth in this mode, but if
it's ephemeral, whatever.

------
pingec
Seems like the natural evolution of the already popular ELK stack. I hope they
add popular SIEM features like archiving, alerting, central configuration
management, etc. I'll stick with Graylog for now.

~~~
jcims
I grew up on Splunk and can’t seem to figure out how to get the same level of
aggregations and analysis of ad hoc data out of ELK. Sometimes I think I’d be
better served with Jupyter and Spark or similar.

~~~
vetrom
That's because most of the Elasticsearch data model is materialized indexes.
You need to reindex (or use one of the other ops which amounts to building a
composite index) to create different aggregates. Otherwise you need to use
constructed JSON queries instead of ad hoc Lucene string searches to build the
more complicated searches on those fields. Kibana provides tools that can help
visualize building those if you don't do it from scratch, but it's definitely a
different workflow than Splunk or something implementing a more traditional
query language.
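To make the "constructed JSON queries instead of ad hoc Lucene strings" point concrete, here is an added example written for this page (not code from the comment, from Elastic, or from Kibana). It expresses the Splunk-style question "failed logins per hour, by top source IP" as an Elasticsearch request body, checks a mapping for the fields a terms aggregation can actually target (the mapping/reindex issue the comment alludes to), and flattens the nested bucket response back into rows. It assumes ECS field names (`source.ip`, `@timestamp`), Elasticsearch 7.2 or later for `fixed_interval`, and uses a constructed mapping excerpt and a constructed response.

```python
"""Added example (not from the comment or Elastic's code): the Splunk-style
question "failed logins per hour, by top source IP" expressed as a constructed
Elasticsearch request body, plus the two things that bite Splunk users moving
to ELK: the field must be mapped as an aggregatable type, and the nested
bucket response has to be flattened back into rows. Field names follow ECS
(source.ip, @timestamp); the sample mapping and response are constructed."""
import json

# Field types that carry doc values and can be aggregated on directly.
# A `text` field cannot be used in a terms aggregation unless it has a
# keyword sub-field (or fielddata enabled), which is where reindexing comes in.
AGGREGATABLE_TYPES = {
    "keyword", "ip", "date", "boolean", "long", "integer", "short", "byte",
    "double", "float", "half_float", "scaled_float",
}


def aggregatable_fields(properties, prefix=""):
    """Walk an index mapping's `properties` and list the fields (including
    keyword sub-fields such as user.name.keyword) a terms agg may target."""
    found = []
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            found.extend(aggregatable_fields(spec["properties"], path + "."))
            continue
        if spec.get("type") in AGGREGATABLE_TYPES or spec.get("fielddata"):
            found.append(path)
        for sub, sub_spec in spec.get("fields", {}).items():
            if sub_spec.get("type") in AGGREGATABLE_TYPES:
                found.append(f"{path}.{sub}")
    return found


def failed_logins_by_source(lucene_query, group_by="source.ip", interval="1h", top_n=5):
    """Build the search body: the ad hoc Lucene string is kept as a
    query_string filter, and the aggregation is layered on top of it.
    `fixed_interval` requires Elasticsearch 7.2 or later."""
    return {
        "size": 0,  # buckets only, no hits
        "query": {"bool": {"filter": [
            {"query_string": {"query": lucene_query}},
            {"range": {"@timestamp": {"gte": "now-24h"}}},
        ]}},
        "aggs": {"by_source": {
            "terms": {"field": group_by, "size": top_n, "order": {"_count": "desc"}},
            "aggs": {"per_interval": {
                "date_histogram": {"field": "@timestamp", "fixed_interval": interval},
            }},
        }},
    }


def flatten_buckets(response):
    """Turn the nested terms/date_histogram buckets into (key, time, count) rows."""
    rows = []
    for outer in response["aggregations"]["by_source"]["buckets"]:
        for inner in outer["per_interval"]["buckets"]:
            rows.append((outer["key"], inner["key_as_string"], inner["doc_count"]))
    return rows


# Constructed mapping excerpt: message is text-only, user.name has a keyword sub-field.
SAMPLE_MAPPING = {
    "@timestamp": {"type": "date"},
    "message": {"type": "text"},
    "source": {"properties": {"ip": {"type": "ip"}}},
    "user": {"properties": {"name": {"type": "text",
                                     "fields": {"keyword": {"type": "keyword"}}}}},
}

# Constructed response in the shape Elasticsearch returns for the body above.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 37, "relation": "eq"}, "hits": []},
    "aggregations": {"by_source": {"buckets": [
        {"key": "10.0.0.5", "doc_count": 30, "per_interval": {"buckets": [
            {"key_as_string": "2019-06-25T12:00:00.000Z", "key": 1561464000000, "doc_count": 25},
            {"key_as_string": "2019-06-25T13:00:00.000Z", "key": 1561467600000, "doc_count": 5},
        ]}},
        {"key": "10.0.0.9", "doc_count": 7, "per_interval": {"buckets": [
            {"key_as_string": "2019-06-25T12:00:00.000Z", "key": 1561464000000, "doc_count": 7},
        ]}},
    ]}},
}


if __name__ == "__main__":
    body = failed_logins_by_source("event.action:ssh_login AND event.outcome:failure")
    print(json.dumps(body, indent=2))  # paste into Kibana Dev Tools as POST auth-*/_search
    print(aggregatable_fields(SAMPLE_MAPPING))
    for row in flatten_buckets(SAMPLE_RESPONSE):
        print(row)
```

The practical check before writing any such query is `aggregatable_fields` on `GET index/_mapping`: if the field you want to group by only shows up as `text` with no keyword sub-field, the aggregation will be rejected, and the fix is a mapping change followed by a reindex, exactly the workflow difference the comment describes.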

------
msandford
Does anyone know what SIEM is? It's said multiple times in the article but
never defined that I could see.

~~~
strictnein
Also, just as an FYI, it's pronounced SIM.

~~~
Khaine
Only in America

------
bryanrasmussen
I was at a workshop a couple days ago, pretty worthwhile and they were pretty
excited about something coming out in security - I guess this is it.

Seems a logical progression from Kibana and Logstash - but sometimes I worry
search will suffer for all this other stuff.

~~~
donretag
Search has been suffering under Elastic for a long time. Only a small
percentage of Elasticsearch users use it for search. Then again, Elastic
employs many Lucene committers, so they indirectly help search by being a
major maintainer of Lucene.

If you want search, most of the NLP crowd is using Solr.

