How to use an existing ELK 7.2 stack as a data source with 'Siren Investigate'?

Hi,
My company has been using ELK for over a year, mostly for security (SIEM) use cases, but we have always struggled to turn it into a SIEM that provides advanced correlation rules and alerting capabilities. We can do some of this using grok and inline with Logstash, but on the UI side we struggle, as it is essentially a log/data management UX.

I stumbled across Siren by chance and am so impressed by what the team has been achieving, solving a really challenging problem with regard to such enriched data alerting/correlation capabilities.

What I'm confused about is the architecture. I have indexes made of two dozen data sources, e.g. firewalls, routers, endpoints, AD, etc. I want Siren Investigate to use the existing data sources and to prepare a data model and link graph based upon the existing ELK setup, which is version 7.2.

I see that with the Federate plugin I can do this, and it gets me cross-related fields across data sources or indices, i.e. joins. But when I read about Siren Investigate, its installation/configuration is based upon Elasticsearch 6.8 and maintains its own versioning of Elasticsearch.

So, with the plugin already using the existing ELK, why do I need a different Elasticsearch for Siren Investigate and the other components? My goal is to use the data source that is already pre-populated using Beats, Logstash and other stack tools to populate the indices, and to use the power of Siren to make a data model, investigations and alerts around it.

I tried reading the docs (online), but couldn't seem to get my head around it. Help is greatly appreciated. Thanks.

Hi,

Siren Investigate relies on Siren Federate to perform data exploration and investigation operations. You cannot use Siren Investigate without Siren Federate.

The latest version of Elasticsearch that Siren Federate supports is 6.8.x. Therefore the latest version of Elasticsearch that Investigate supports is 6.8.x. We are planning to have support for Elasticsearch 7.x by the end of September or early October.

Would this answer your question?

Kind Regards

Hi Renaud.
Any news regarding the 7.x support?
Or did you mean September or early October 2020? :wink:

Thanks

Hi Lorenz,

Apologies for the delay, but we’re getting close. We have a 7.x version ready, and we are currently going through the last stages of the process (QA, documentation review, etc.). We are sincerely hoping to provide a Release Candidate next week.

Kind Regards

Great!
By any chance, can you provide me a beta version, so we can go on with our implementation?
Thanks Renaud.

Hi Renaud,

any news regarding the Release Candidate?

Thanks in advance,
Lorenz

Renaud? Still alive?

Hi Lorenz,

The team is absolutely alive!
We are working hard to deliver the first release for ES 7. It is a matter of (a few) days now…
Sorry for the delay, I will keep you updated.

OK, good to know. I'm crossing my fingers, hoping for a release before Christmas :slight_smile:

Ohhhh… Xmas is coming…

Still not released?

Federate 7.3.2-19.0 is available from our downloads page - https://siren.io/downloads
Happy Xmas!

Good joke :slightly_smiling_face:

Req:
…PUT /.siren HTTP/1.1

{"settings":{"number_of_shards":1},"mappings":{"doc":{"properties":{"type":{"type":"keyword"},"updated_at":{"type":"date"},…

ES 7.3 resp:

HTTP/1.1 400 Bad Request
content-type: application/json; charset=UTF-8
content-length: 3462

{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"Root mapping definition has unsupported parameters: [doc : …
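Added example (not code from this thread or from Siren): a small Python helper that shows why the PUT above is rejected by ES 7.x and what the same body looks like in the form 7.x accepts. Mapping types were removed in Elasticsearch 7.0, so the root of `mappings` may no longer be a type name such as `doc`; the sample body below is constructed from the fragment in the post, and `ROOT_MAPPING_KEYS` is an assumed, non-exhaustive list used only to recognise the legacy wrapper.

```python
import json

# Constructed sample modelled on the fragment in the post above: an ES 6.x-style
# index body that nests the mapping under the legacy type name "doc".
TYPED_BODY = {
    "settings": {"number_of_shards": 1},
    "mappings": {
        "doc": {
            "properties": {
                "type": {"type": "keyword"},
                "updated_at": {"type": "date"},
            }
        }
    },
}

# Parameters allowed at the root of a typeless mapping (not exhaustive, but
# enough to tell a type wrapper such as "doc" apart from real mapping keys).
ROOT_MAPPING_KEYS = {
    "properties", "dynamic", "dynamic_templates", "_source", "_meta",
    "_routing", "_field_names", "date_detection", "numeric_detection",
    "dynamic_date_formats",
}

def find_legacy_type(mappings):
    """Return the 6.x type name wrapping `mappings`, or None if already typeless."""
    unknown = [k for k in mappings if k not in ROOT_MAPPING_KEYS]
    if len(unknown) == 1 and isinstance(mappings[unknown[0]], dict):
        return unknown[0]
    return None

def check_for_es7(body):
    """None if ES 7.x will accept the mapping; otherwise a message naming the
    offending root key, in the spirit of the mapper_parsing_exception in the post
    (mapping types were removed in 7.0, so a root key 'doc' is unsupported)."""
    type_name = find_legacy_type(body.get("mappings", {}))
    if type_name is None:
        return None
    return f"Root mapping definition has unsupported parameters: [{type_name}]"

def to_typeless(body):
    """Deep-copy `body` and hoist the type wrapper away, so that
    mappings.doc.properties becomes mappings.properties."""
    new_body = json.loads(json.dumps(body))  # leaves the caller's dict untouched
    mappings = new_body.get("mappings", {})
    type_name = find_legacy_type(mappings)
    if type_name is not None:
        new_body["mappings"] = mappings[type_name]
    return new_body
```

ES 7.x will still accept the typed form during migration if the request carries `include_type_name=true`, but that parameter is deprecated in 7.x and removed in 8.0, so rewriting the body is the durable fix.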

Yes Mike was joking.
Despite Federate being available for ES 7, Investigate is not yet.

It will be supported in Siren 10.5, the beta of which will be available in the next weeks.