SIEM

The SIEM app in Kibana provides an interactive workspace for security teams to triage events and perform initial investigations. It enables analysis of host-related and network-related security events as part of alert investigations or interactive threat hunting.
[Figure: SIEM Overview in Kibana]
Add data

Kibana provides step-by-step instructions to help you add data. The SIEM Guide is a good source for more detailed information and instructions.
Beats

Auditbeat, Filebeat, Winlogbeat, and Packetbeat send security events and other data to Elasticsearch.

The default index patterns for SIEM events are auditbeat-*, winlogbeat-*, filebeat-*, packetbeat-*, endgame-*, and apm-*-transaction*. You can change the default index patterns in Kibana > Management > Advanced Settings > siem:defaultIndex.
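Events stored in an index that none of the siem:defaultIndex patterns cover never appear in the SIEM app, so it is worth checking your index names against the pattern list before changing it. The following is an added example, not Kibana's own code: it applies Elasticsearch-style wildcard matching to a constructed list of index names and builds the request body for the Kibana advanced-settings endpoint (/api/kibana/settings, assumed here; it is not described on this page).

```python
"""Check which indices the SIEM app will read under siem:defaultIndex, and
build the settings-API body for an updated pattern list. Added example."""
import json
import re

# Default value of siem:defaultIndex in Kibana 7.8, as listed in the docs.
SIEM_DEFAULT_INDEX = [
    "auditbeat-*", "winlogbeat-*", "filebeat-*",
    "packetbeat-*", "endgame-*", "apm-*-transaction*",
]

# Constructed sample index names; the last one is a custom index that no
# default pattern covers, so its events would be invisible to SIEM.
SAMPLE_INDICES = [
    "auditbeat-7.8.0-2020.07.01", "winlogbeat-7.8.0",
    "apm-7.8.0-transaction-000001", "endgame-events",
    "logs-custom-2020.07",
]


def pattern_matches(pattern, index_name):
    """Elasticsearch index-pattern semantics: '*' matches any run of
    characters (including '-' and '.'); everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def matching_patterns(index_name, patterns=SIEM_DEFAULT_INDEX):
    """All patterns that cover index_name."""
    return [p for p in patterns if pattern_matches(p, index_name)]


def uncovered_indices(index_names, patterns=SIEM_DEFAULT_INDEX):
    """Indices that no pattern covers: events there never reach the app."""
    return [n for n in index_names if not matching_patterns(n, patterns)]


def settings_body(patterns):
    """Body for POST /api/kibana/settings (assumed endpoint; send it with the
    kbn-xsrf header). Duplicates are dropped, order is preserved."""
    deduped = list(dict.fromkeys(patterns))
    return {"changes": {"siem:defaultIndex": deduped}}


if __name__ == "__main__":
    for name in uncovered_indices(SAMPLE_INDICES):
        print(f"not covered by siem:defaultIndex: {name}")
    body = settings_body(SIEM_DEFAULT_INDEX + ["logs-custom-*"])
    print(json.dumps(body, indent=2))
```

Run it against your real index names (for example from GET _cat/indices) before editing siem:defaultIndex, and re-run after the change to confirm every index you expect to investigate is covered.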
Elastic Endpoint Sensor Management Platform

The Elastic Endpoint Sensor Management Platform (SMP) ships host and network events directly to the SIEM application, and is fully ECS compliant.
Elastic Common Schema (ECS) for normalizing data

The Elastic Common Schema (ECS) defines a common set of fields to be used for storing event data in Elasticsearch. ECS helps users normalize their event data to better analyze, visualize, and correlate the data represented in their events.

SIEM can ingest and normalize events from ECS-compatible data sources.