About Elastic SIEM
Elastic SIEM combines multiple services, including threat hunting, Security Operations Center (SOC) workflows, and automated detection. It builds on the ELK (Elasticsearch, Logstash, and Kibana) stack to give security analysts greater speed and scalability, and it improves threat detection and response time.
Elastic SIEM and SIRP join forces to provide signal integration that accelerates threat identification and documentation. Bidirectional integration between SIRP SOAR and Elastic SIEM lets SOC teams orchestrate and automate response actions through detailed, relevant, predefined playbooks, cutting the detection, investigation, and response period by 8x.
SIRP’s Elastic SIEM integration app allows you to execute the following actions:
Get signals from Elastic SIEM
Close signals on specified IDs
Elastic SIEM Configuration
Access the URL https://192.168.***.***:5601
On the dashboard, click the Stack Management tab under the Management section in the left navigation.
The Security section inside Stack Management contains the option to create users.
Click Users.
The Create user button on the right opens the new-user form.
Enter the information as follows:
Username: <Username of new user>
Password: <Password of new user>
Full name: <Full name of new user>
Email Address: <Email of new user>
Roles: <Role allocated to new user>
Create the user, then check the user information in the Users tab.
Log in to SIRP, then go to Apps from the left navigation bar.
Locate the app named Elastic SIEM.
Enable the Elastic SIEM app by clicking on the toggle button under the Status column.
As soon as you enable the App, you will get an option to add the configuration details. Add the following details and click Save:
Host: <SIRP IP>
Port: <Port from SIRP> (For on-prem use port 5601, for on-cloud use 9234)
Username: <Username to Login Elastic SIEM>
Password: <Password to Login Elastic SIEM>
Configuring Ingestion Source:
To configure Elastic SIEM's ingestion on SIRP:
Navigate to Administration > Automation > Ingestion Sources and click Add Ingestion Source.
Fill in the fields in the popup form as follows:
Ingestion Method: API
Name: (This can be any string value to distinguish the ingestion source)
Ingestion Type: Incident (because we want to ingest alerts into our Incident Management module)
Is Auto Assign? : No (By default it is set to No)
Opened By: (not mandatory)
Applications: Elastic SIEM
Actions: GET SIGNALS
Query: (KQL search query from Elastic SIEM)
Click Update.
The last step after creating an ingestion source is mapping the data fields ingested from Elastic SIEM to the fields available in SIRP. Once the ingestion source is created, a new configuration button, Update, appears when you click the ellipsis. Click it to configure the fields.
Configure the field mapping as shown in the screenshot below and click Save.
Once an alert is ingested, it appears as follows:
The alerts from Elastic SIEM are now integrated into SIRP and will be populated on the SOAR platform automatically. Signals can also be closed in the same way using the close_signal action.
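The two actions the SIRP app exposes, GET SIGNALS and close_signal, correspond to two endpoints of Kibana's Detection Engine API on the on-prem port 5601. The following Python client is an added example, not SIRP's or Elastic's own code, showing what those actions do on the wire: it authenticates as the user created above, searches open signals with Elasticsearch query DSL (the search endpoint takes DSL, not the KQL typed into SIRP's Query field), reduces each hit to the fields a SIRP incident mapping needs, and closes signals by ID. The host, credentials and sample data are constructed; the field names are the 7.x signal document names (signal.status, signal.rule.name, signal.rule.severity), an assumption noted in the code, since 8.x renamed them to kibana.alert.*.

```python
"""Added example (not SIRP's or Elastic's own code): a minimal client for the
two actions the SIRP app wraps, "get signals" and "close signals by ID",
against Kibana's Detection Engine API. Host, credentials and the sample
signal documents used in tests are constructed."""
import base64
import json
import urllib.request

# Constructed values: Kibana host (port 5601 on-prem, as the page states) and
# the Elastic user created under Stack Management > Security > Users.
KIBANA_URL = "https://kibana.example.internal:5601"
USERNAME = "sirp-ingest"
PASSWORD = "change-me"

# Assumption: 7.x signal document field names; 8.x renamed them to
# kibana.alert.workflow_status / kibana.alert.rule.name / kibana.alert.severity.
STATUS_FIELD = "signal.status"
RULE_NAME_FIELD = "signal.rule.name"
SEVERITY_FIELD = "signal.rule.severity"


def auth_headers(user=USERNAME, password=PASSWORD):
    """Basic auth plus the kbn-xsrf header Kibana requires on POST requests."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "kbn-xsrf": "true"}


def build_search_body(rule_name=None, size=50):
    """Query DSL for open signals, optionally narrowed to one rule name.
    The signals search endpoint takes Elasticsearch query DSL, not KQL, so a
    KQL query typed into SIRP must be expressed as DSL before it is sent."""
    filters = [{"term": {STATUS_FIELD: "open"}}]
    if rule_name:
        filters.append({"match_phrase": {RULE_NAME_FIELD: rule_name}})
    return {"query": {"bool": {"filter": filters}},
            "size": size,
            "sort": [{"@timestamp": {"order": "desc"}}]}


def build_status_body(signal_ids, status="closed"):
    """Body for the status endpoint: close (or reopen) the listed signal IDs."""
    return {"signal_ids": list(signal_ids), "status": status}


def http_post(url, body, headers):
    """Real transport; replaced by a fake in offline tests."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def _get_path(doc, dotted):
    """Walk a dotted field path through nested dicts; None if any step is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def summarize(hit):
    """Pick out the fields a SIRP incident field mapping typically needs."""
    src = hit["_source"]
    return {"id": hit["_id"],
            "timestamp": src.get("@timestamp"),
            "rule": _get_path(src, RULE_NAME_FIELD),
            "severity": _get_path(src, SEVERITY_FIELD),
            "host": _get_path(src, "host.name")}


def get_signals(rule_name=None, size=50, post=http_post):
    """GET SIGNALS: one summary per open signal, newest first."""
    resp = post(f"{KIBANA_URL}/api/detection_engine/signals/search",
                build_search_body(rule_name, size), auth_headers())
    return [summarize(h) for h in resp["hits"]["hits"]]


def close_signals(signal_ids, post=http_post):
    """close_signal on specified IDs; returns Kibana's update result."""
    if not signal_ids:
        return {"updated": 0}  # skip the call rather than send an empty ID list
    return post(f"{KIBANA_URL}/api/detection_engine/signals/status",
                build_status_body(signal_ids), auth_headers())
```

The transport is injected through the post parameter so the request bodies can be checked without a live Kibana; in production, leave the default http_post in place and point KIBANA_URL at the host and port configured in the SIRP app.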