The document provides an overview of Elastic SIEM, emphasizing its capabilities in security analytics through speed, scale, and relevance. It discusses the integration of various data sources, the use of Elastic Common Schema for data normalization, and highlights features such as automated detection and user-friendly interfaces for security alert management. It also outlines a roadmap for Elastic's security journey, including machine learning for anomaly detection and integration with various logging and monitoring tools.

1. Put you logo
above this
Elastic SIEM
Overview
Oscar Cabanillas
Solution Architect
Elastic

2. 2
SIEM & security analytics
thrive on search
Elastic is a search company.

3. Put you logo
above this
Why Elastic for security analytics?
Speed Scale Relevance

4. Put you logo
above this
Security
Analytics
Customers

5. Put you logo
above this
5
Introducing
Elastic
SIEM

6. Put you logo
above this
Elastic SIEM
A SIEM for Elastic Stack users everywhere
Elastic SIEM app
Elastic Common
Schema (ECS)
Network & host
data integrations
Kibana Visualize your Elasticsearch data and
navigate the Elastic Stack
Elasticsearc
h
A distributed, RESTful search
and analytics engine
Beats
Lightweight data shippers
Logstas
h
A server-side data processing
pipeline
Elastic &
community
security
content

7. Put you logo
above this
Elastic Security Analytics Journey
Elastic Confidential Information - Roadmap information provided on this slide is an overview of overall direction and nothing is committed.
Threat Intelligence Integration, User
Analysis
SIEM Detection Rules, More Data Sources
Dedicated SIEM App, SOC Workflow
Security Event Collection, Visualization, Dashboards
Elastic Common Schema (ECS)

8. Put you logo
above this
8
Auditbeat
● System module (Linux, macOS, Win.): packages,
processes, logins, sockets, users and groups
● Auditd module (Linux Kernel Audit info)
● File integrity monitoring (Linux, macOS, Win.)
Filebeat
● System logs (auth logs) (Linux)
● Santa (macOS)
Winlogbeat
● Windows event logs
● Sysmon
Curated integrations
Host
data

9. Put you logo
above this
9
Packetbeat
● Flows
● DNS
● Other protocols
Filebeat
● IDS/IPS/NMS modules: Zeek NMS, Suricata IDS
● Firewall modules: Cisco ASA, Palo Alto Networks,
Ubiquiti IPTables
● Kubernetes modules: CoreDNS, Envoy proxy
● Google VPC flow logs
Curated integrations
Network
data

10. Put you logo
above this
Elastic Common Schema (ECS)
Normalize data to streamline analysis
Defines a common set of fields and
objects to ingest data into Elasticsearch
Enables cross-source analysis of diverse
data
Designed to be extensible
ECS is in GA and is being adopted
throughout the Elastic Stack
Contributions & feedback welcome at
https://github.com/elastic/ecs

11. Put you logo
above this
Automated Detection
Machine learning and alerting
Anomaly detection
Unsupervised algorithms
Continuous (online) model
Single & multiple time series
Population outliers
Forecasting
Correlation
Alert on any Elasticsearch query
Distributed execution
Highly available
Trigger notifications (e.g., email, Slack,
PagerDuty, custom webhook)

12. Put you logo
above this
Elastic SIEM app (beta)
Triage and qualify security
alerts at the speed of thought
Analyst-friendly experience for
investigating security alerts
Time-ordered events
Drag-and-drop filtering
Multi-index search
Annotations, comments
Formatted event views
Persistent forensic data storage

13. Put you logo
above this
Oscar Cabanillas
Solution Architect
DEMO: how to start with
SIEM App.

14. Put you logo
above this
1. Create a Elastic Cluster using
Elastic Cloud (ESS)
2. Run agents Beats form my
laptop to ingest security data
3. Analyze with SIEM App

15. Put you logo
above this
THANK YOU!

16. Put you logo
above this
supported by
2019
powered by syone