Ingest data to Elastic Security

To ingest data, you can use:

If you use a third-party collector to ship data to Elastic Security, you must map its fields to the Elastic Common Schema (ECS). Additionally, you must add its index to the Elastic Security indices (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

Elastic Security uses the host.name ECS field as the primary key for identifying hosts.
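The two requirements above, mapping a third-party collector's fields to ECS and making sure every event carries a host.name, as an added example that is not part of Elastic's documentation or code. The collector's flat field names (hostname, src_ip, ...), the thirdparty namespace for unmapped fields, the sample record and the shape of the Kibana settings request body are assumptions; the ECS target names (host.name, source.ip, destination.port, @timestamp, ecs.version) are real ECS fields.

```python
"""Normalise records from a hypothetical third-party collector into ECS documents.

Added example, not Elastic's code. Elastic Security keys hosts on host.name,
so a record that cannot produce host.name is rejected rather than indexed.
"""

# Assumed mapping: the collector's flat field names -> ECS dotted field names.
FIELD_MAP = {
    "hostname": "host.name",
    "src_ip": "source.ip",
    "dst_ip": "destination.ip",
    "dst_port": "destination.port",
    "proc": "process.name",
    "ts": "@timestamp",
    "msg": "message",
}

# ECS version the mapping above was written against (assumption for this example).
ECS_VERSION = "8.0.0"


def _set_dotted(doc, dotted, value):
    """Expand 'a.b.c' into nested dicts so the document has ECS object structure."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def to_ecs(record, field_map=FIELD_MAP):
    """Map one collector record to an ECS document.

    Unmapped fields are kept under a custom 'thirdparty' namespace (assumed name)
    instead of being silently dropped. Raises ValueError when no field maps to
    host.name, because such an event could not be attributed to a host.
    """
    doc = {}
    unmapped = {}
    for key, value in record.items():
        target = field_map.get(key)
        if target is None:
            unmapped[key] = value
        else:
            _set_dotted(doc, target, value)
    if "name" not in doc.get("host", {}):
        raise ValueError("record has no field that maps to host.name")
    if unmapped:
        doc["thirdparty"] = unmapped
    doc.setdefault("ecs", {})["version"] = ECS_VERSION
    return doc


def add_default_index(current_patterns, new_pattern):
    """Return the securitySolution:defaultIndex list with new_pattern added once."""
    patterns = list(current_patterns)
    if new_pattern not in patterns:
        patterns.append(new_pattern)
    return patterns


def kibana_settings_body(patterns):
    """Body for Kibana's advanced-settings update request (shape assumed here;
    check it against the API of the Kibana version you run)."""
    return {"changes": {"securitySolution:defaultIndex": patterns}}


if __name__ == "__main__":
    # Constructed sample record from the hypothetical collector.
    sample = {
        "hostname": "web-01",
        "src_ip": "10.0.0.5",
        "dst_ip": "10.0.0.9",
        "dst_port": 443,
        "proc": "curl",
        "ts": "2024-01-01T00:00:00Z",
        "msg": "outbound connection",
        "vendor_id": 7,
    }
    print(to_ecs(sample))
    print(kibana_settings_body(add_default_index(["logs-*", "filebeat-*"], "thirdparty-*")))
```

Run the normaliser over each record before indexing; the ValueError is the point where a record lacking a host identity is quarantined instead of becoming an orphan event that never appears under any host in Elastic Security.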

The Elastic Agent with the Endpoint Security Integration ships these data sources:

  • Process - Linux, macOS, Windows
  • Network - Linux, macOS, Windows
  • File - Linux, macOS, Windows
  • DNS - Windows
  • Registry - Windows
  • DLL and Driver Load - Windows
  • Security - Windows

Install Beats shippers

To populate Elastic Security with hosts and network security events, you need to install and configure Beats on the hosts from which you want to ingest security events:

  • Filebeat for forwarding and centralizing logs and files
  • Auditbeat for collecting security events
  • Winlogbeat for centralizing Windows event logs
  • Packetbeat for analyzing network activity

You can install Beats using the Kibana UI guide or directly from the command line.

Install Beats using the Kibana UI guide

Click Home → Add events, and follow the links for the types of data you want to collect.

Download and install Beats from the command line

To install Beats, see these installation guides:

Enable modules and configuration options

No matter how you installed Beats, you need to enable modules in Auditbeat and Filebeat to populate Elastic Security with data.

For a full list of security-related Beats modules, click here.

To populate Hosts data, enable these modules:

To populate Network data, enable Packetbeat protocols and Filebeat modules: