Supercharging ELK for cybersecurity
Elasticsearch is an outstanding store for security-related logs. With its ability to scale, search and drill down, it provides a strong basis for investigation.
The Siren Federate plugin for Elasticsearch augments these base capabilities with cross-index and cross-back-end analysis and correlation (joins). These are critical capabilities in cyber security because they let the analyst ‘join the dots’ at scale, across indexes and JDBC-connected systems, answering questions such as: ‘are there any records in the Fortinet index whose destination IP equals the source IP of a record in the PaloAlto index?’
Siren lets you define a relational data model in which concepts such as “IP” or “MD5” are mapped to the fields of your indexes.
The data model then drives navigation across indexes at scale, on relationally connected dashboards and in Link Analysis. A full use-case description and video are on our blog.
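The following is an added example, not Siren's own code, that makes the two ideas above concrete: a tiny relational data model mapping the concept “IP” to fields in two indexes, the Fortinet/PaloAlto question from the text expressed as a Federate-style join request body, and the same correlation run offline over constructed sample records so the result can be checked without a cluster. The index names (`fortinet`, `paloalto`), field names (`srcip`, `dstip`, `src`, `dst`) and the records are constructed assumptions; the request body follows the documented shape of the Federate `join` query clause (`indices`, `on`, `request`), but verify it against the Federate version you run.

```python
"""Cross-index correlation (semi-join) over security logs, run offline.

Added example, not Siren's code. Index names, field names and documents
are constructed for illustration. The request body mirrors the Siren
Federate `join` clause shape (indices / on / request) as documented;
check it against the Federate release you deploy.
"""
from collections import defaultdict

# Constructed sample documents standing in for two Elasticsearch indexes.
FORTINET = [
    {"_id": "f1", "srcip": "10.0.0.5", "dstip": "203.0.113.7",  "action": "accept"},
    {"_id": "f2", "srcip": "10.0.0.9", "dstip": "198.51.100.2", "action": "deny"},
    {"_id": "f3", "srcip": "10.0.0.5", "dstip": "192.0.2.44",   "action": "accept"},
]
PALOALTO = [
    {"_id": "p1", "src": "203.0.113.7", "dst": "10.0.0.5",  "app": "ssl"},
    {"_id": "p2", "src": "192.0.2.44",  "dst": "10.0.0.77", "app": "dns"},
    {"_id": "p3", "src": "172.16.0.3",  "dst": "10.0.0.5",  "app": "web"},
]

# Minimal relational data model: concept -> index -> fields carrying that concept.
# Field names here are assumed, not taken from any real Fortinet/PaloAlto mapping.
DATAMODEL = {
    "IP": {
        "fortinet": ["srcip", "dstip"],
        "paloalto": ["src", "dst"],
    },
}


def federate_join_body(left_field, right_index, right_field, right_query=None):
    """Search body for the left index: keep hits whose `left_field` matches
    `right_field` of some document in `right_index` selected by `right_query`.
    Shape follows the documented Federate `join` clause (assumption, see lead-in)."""
    return {
        "query": {
            "bool": {
                "filter": {
                    "join": {
                        "indices": [right_index],
                        "on": [left_field, right_field],
                        "request": {"query": right_query or {"match_all": {}}},
                    }
                }
            }
        }
    }


def semi_join(left, left_field, right, right_field):
    """Offline equivalent of the join filter: documents of `left` whose
    `left_field` value occurs as `right_field` in `right`. Hits come from the
    left side only, exactly as the Elasticsearch query would return them."""
    keys = {doc[right_field] for doc in right if right_field in doc}
    return [doc for doc in left if doc.get(left_field) in keys]


def join_pairs(left, left_field, right, right_field):
    """Full (left id, right id) pairing, the edges a link-analysis view draws."""
    by_key = defaultdict(list)
    for doc in right:
        by_key[doc[right_field]].append(doc["_id"])
    return [(l["_id"], r) for l in left for r in by_key.get(l[left_field], [])]


def joinable_fields(datamodel, concept, left_index, right_index):
    """Field pairs the data model permits for joining two indexes on a concept."""
    mapping = datamodel[concept]
    return [(a, b) for a in mapping[left_index] for b in mapping[right_index]]


if __name__ == "__main__":
    # The question from the text: Fortinet destination IP == PaloAlto source IP.
    body = federate_join_body("dstip", "paloalto", "src")
    print(body["query"]["bool"]["filter"]["join"]["on"])
    hits = semi_join(FORTINET, "dstip", PALOALTO, "src")
    print([h["_id"] for h in hits])
    print(join_pairs(FORTINET, "dstip", PALOALTO, "src"))
    print(joinable_fields(DATAMODEL, "IP", "fortinet", "paloalto"))
```

In production the join runs inside Federate rather than in Python; the offline functions exist so you can sanity-check a join's expected hit set on a sample before trusting a dashboard built on it. Note that `semi_join` returns left-side documents only, which is what a join filter gives you in Elasticsearch; `join_pairs` is what you need when the output feeds a graph or link-analysis view.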