Elastic, the company behind enterprise data and search solutions such as Elasticsearch and the Elastic Stack, has announced the introduction of Elastic SIEM. The new offering combines a set of data integrations for security use cases with a dedicated app in Kibana that lets security analysts investigate and resolve common host and network security workflows.
Security teams and companies worldwide have been using Elastic's products for security analytics for some time, and the company has now taken the next step by producing a bona fide SIEM application to build on that existing functionality.
At the heart of Elastic SIEM is the new SIEM app, an interactive workspace in which security teams triage events and perform initial investigations. Its Timeline Event Viewer allows analysts to gather and store evidence of an attack, pin and annotate relevant events, and comment on and share their findings, all from within Kibana — and it works with any data that follows the ECS (Elastic Common Schema) format.
Kibana has proven to be a highly useful place for security teams to visualise, search and filter their security data. According to Elastic, the new SIEM app takes the strengths of Kibana — interactivity, ad hoc search, and responsive drill-downs — and packages them into an intuitive product experience that aligns with typical SOC workflows.
Host security event analysis
As a complement to the extensive library of visualisations and dashboards that already exist in Kibana, the Hosts view in the SIEM app provides key metrics on host-related security events, together with a set of data tables that feed into the Timeline Event Viewer. Version 7.2 of the Elastic Stack also brings new host-based data collection, with support for Sysmon events in Winlogbeat.
Network security event analysis
Similarly, the Network view presents analysts with key network activity metrics, supports investigation-time enrichment, and provides network event tables that feed into the Timeline Event Viewer. Elastic is also introducing support for Cisco ASA and Palo Alto firewall logs in 7.2.
Timeline Event Viewer
The Timeline Event Viewer is the collaborative workspace for investigations and threat hunting: analysts drag objects of interest into it to build exactly the query filter they need to get to the bottom of an alert. During an investigation, analysts can pin and annotate individual events and add notes describing the steps they have taken. Auto-saving ensures that the results of the investigation remain available to incident response teams.
Elastic SIEM is available for free as part of the default distribution. It is being introduced as a beta in the 7.2 release of the Elastic Stack and is available immediately on the Elasticsearch Service on Elastic Cloud.