My company has been using ELK for over a year, mostly for security (SIEM) use cases, but we have always struggled to turn it into a SIEM that provides advanced correlation rules and alerting capabilities. We can do some of this using grok and inline in Logstash, but in the UI we struggle, as it is essentially a log/data management UX.
I stumbled across Siren by chance and was so impressed by what the team has been achieving, solving a really challenging problem regarding such enriched data alerting/correlation capabilities.
What I'm confused about is the architecture. I have indices made of two dozen data sources, e.g. firewalls, routers, endpoints, AD, etc. I want Siren Investigate to use the existing data sources, prepare the data model, and build the link graph on top of the existing ELK setup, which is version 7.2.
I see that with the Federate plugin I can do this, and it gets me cross-related fields across data sources or indices, i.e. joins. But when I read about Siren Investigate, its installation/configuration is based on Elasticsearch 6.8 and maintaining its own versioning of Elasticsearch.
So, with the plugin already using the existing ELK, why do I need a different Elasticsearch for Siren Investigate and the other components? My goal is to use the data sources that are already pre-populated using Beats/Logstash and other stack tools to populate the indices, and to use the power of Siren to build the data model, investigations and alerts around them.
I tried reading the docs (online), but couldn't seem to get my head around it. Help is greatly appreciated. Thanks.
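To make the "join across indices" part of the question concrete, here is an added example; it is not from the original post and not Siren's own code. It builds the request body shape for a Siren Federate `join` clause as I understand it from the Federate documentation (a `join` query with `indices`, `on` and `request`, posted to the `_siren/_search` endpoint); the index and field names (`firewall`, `endpoints`, `ad_users`, `src_ip`, `owner_sam`, `sAMAccountName`) are assumptions chosen for the illustration, so check them against your own mappings and Federate version. Because the join cannot be run offline, the same three-way correlation (firewall denies, restricted to managed endpoints whose owner is an enabled AD user) is also done in plain Python over constructed sample documents, which shows what the join is expected to return and why it matters for an alert.

```python
"""
Added example (not from the original post, not Siren's code).

Correlate firewall denies with an endpoint inventory and AD users:
  1. build_federate_join_query(): Federate `join` request body (assumed shape,
     verify against the Federate docs for your version).
  2. federate_semi_join_locally(): offline simulation of the join's filter
     semantics over constructed sample documents.
  3. enrich_for_alert(): copies the endpoint/AD fields onto the hits, which is
     what you would want in the alert text (the join itself only filters).
"""
import json
from typing import Dict, List

# Constructed sample documents (not real data). In ELK these would live in
# three separate indices populated by Beats/Logstash.
FIREWALL_EVENTS: List[Dict] = [
    {"@timestamp": "2019-08-01T10:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 4444, "action": "deny"},
    {"@timestamp": "2019-08-01T10:00:07Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 4444, "action": "deny"},
    {"@timestamp": "2019-08-01T10:01:00Z", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "dst_port": 443, "action": "allow"},
    {"@timestamp": "2019-08-01T10:02:00Z", "src_ip": "10.0.0.9", "dst_ip": "203.0.113.9", "dst_port": 4444, "action": "deny"},
]
ENDPOINTS: List[Dict] = [
    {"ip": "10.0.0.5", "hostname": "WS-FIN-01", "owner_sam": "jdoe"},
    {"ip": "10.0.0.7", "hostname": "WS-ENG-03", "owner_sam": "asmith"},
    # 10.0.0.9 is deliberately missing: an unmanaged host, so the join drops it.
]
AD_USERS: List[Dict] = [
    {"sAMAccountName": "jdoe", "department": "Finance", "enabled": True},
    {"sAMAccountName": "asmith", "department": "Engineering", "enabled": True},
    {"sAMAccountName": "old.svc", "department": "IT", "enabled": False},
]


def build_federate_join_query(dst_ip: str) -> Dict:
    """Request body to POST to /firewall/_siren/_search (assumed endpoint).

    Keeps firewall denies to dst_ip whose src_ip matches an `endpoints` doc
    whose owner_sam in turn matches an enabled `ad_users` doc. The nested
    `join` clauses are assumptions modelled on the Federate docs.
    """
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"action": "deny"}},
                    {"term": {"dst_ip": dst_ip}},
                    {"join": {
                        "indices": ["endpoints"],
                        "on": ["src_ip", "ip"],
                        "request": {"query": {"join": {
                            "indices": ["ad_users"],
                            "on": ["owner_sam", "sAMAccountName"],
                            "request": {"query": {"term": {"enabled": True}}},
                        }}},
                    }},
                ]
            }
        }
    }


def federate_semi_join_locally(events: List[Dict], endpoints: List[Dict],
                               users: List[Dict], dst_ip: str) -> List[Dict]:
    """Offline equivalent of the query above: a semi-join, i.e. a filter.

    Events whose src_ip has no managed endpoint (or whose owner is disabled
    in AD) are dropped, not enriched.
    """
    enabled_users = {u["sAMAccountName"] for u in users if u["enabled"]}
    managed_ips = {e["ip"] for e in endpoints if e["owner_sam"] in enabled_users}
    return [ev for ev in events
            if ev["action"] == "deny" and ev["dst_ip"] == dst_ip and ev["src_ip"] in managed_ips]


def enrich_for_alert(hits: List[Dict], endpoints: List[Dict], users: List[Dict]) -> List[Dict]:
    """Attach hostname/owner/department to each hit for the alert payload.

    This is the step a join does not do for you; in an ELK-only setup it is
    typically done at ingest (Logstash) or by the UI.
    """
    by_ip = {e["ip"]: e for e in endpoints}
    by_sam = {u["sAMAccountName"]: u for u in users}
    out = []
    for ev in hits:
        ep = by_ip[ev["src_ip"]]
        user = by_sam[ep["owner_sam"]]
        out.append({**ev, "hostname": ep["hostname"], "owner": ep["owner_sam"],
                    "department": user["department"]})
    return out


if __name__ == "__main__":
    print(json.dumps(build_federate_join_query("203.0.113.9"), indent=2))
    hits = federate_semi_join_locally(FIREWALL_EVENTS, ENDPOINTS, AD_USERS, "203.0.113.9")
    for row in enrich_for_alert(hits, ENDPOINTS, AD_USERS):
        print(f'{row["@timestamp"]} {row["hostname"]} ({row["owner"]}, {row["department"]}) '
              f'-> {row["dst_ip"]}:{row["dst_port"]} {row["action"]}')
```

The point worth noticing is that the join is a filter: the unmanaged host 10.0.0.9 disappears from the result rather than showing up as "unknown", so a rule written as a join silently ignores exactly the hosts you might care about most. If that matters for the alert, run the unfiltered query as well and diff the two, or enrich at ingest time so the missing-inventory case is visible as a field value.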