Building a SIEM with ELK Stack


Security Information and Event Management (SIEM) is critical for modern infrastructure. Here's how I implemented a production-grade SIEM using the ELK Stack (Elasticsearch, Logstash, Kibana) at BSistemi.

Why ELK for SIEM?

The ELK Stack provides powerful capabilities for log aggregation, analysis, and visualization. As an Elastic Certified Engineer, I leveraged it for:

  • Real-time threat detection
  • Compliance reporting (ISO 27001)
  • Infrastructure observability

Architecture

The stack consists of:

  • Beats: Lightweight shippers collecting logs from servers, firewalls, and applications
  • Logstash: Centralized pipeline for log enrichment and normalization
  • Elasticsearch: Distributed search and analytics engine
  • Kibana: Visualization and dashboarding

Key Use Cases

1. Failed Login Detection

Configured alerts for repeated failed authentication attempts, a common indicator of brute-force attacks.
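An added example, not code from the original post or from the BSistemi deployment: it shows the two halves of this use case in plain Python, a grok-style normalization of sshd syslog lines into ECS-like fields (the work Logstash does in the pipeline) followed by a sliding-window threshold over `event.outcome: failure` per `source.ip` (the logic a threshold alert rule encodes). The log lines, field names, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
2024-03-01T10:00:05Z host1 sshd[2211]: Failed password for root from 203.0.113.7 port 50212 ssh2
2024-03-01T10:00:09Z host1 sshd[2211]: Failed password for root from 203.0.113.7 port 50213 ssh2
2024-03-01T10:00:12Z host1 sshd[2211]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
2024-03-01T10:00:15Z host1 sshd[2211]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-03-01T10:00:20Z host1 sshd[2211]: Failed password for root from 203.0.113.7 port 50215 ssh2
2024-03-01T10:05:00Z host1 sshd[2211]: Failed password for root from 198.51.100.4 port 40002 ssh2
"""

# Grok-style pattern for the two sshd outcomes we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def normalize(line):
    """Parse one sshd line into an ECS-like event dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "@timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host.name": m["host"],
        "event.outcome": "failure" if m["outcome"] == "Failed" else "success",
        "user.name": m["user"],
        "source.ip": m["ip"],
    }

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {source.ip: timestamp} for sources reaching `threshold` failures
    within any `window_s`-second window; one alert per source to avoid alert storms."""
    recent = defaultdict(deque)   # source.ip -> timestamps of recent failures
    alerts = {}
    for ev in filter(None, map(normalize, lines)):
        if ev["event.outcome"] != "failure":
            continue                # successes never count toward the threshold
        q = recent[ev["source.ip"]]
        q.append(ev["@timestamp"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold and ev["source.ip"] not in alerts:
            alerts[ev["source.ip"]] = ev["@timestamp"]
    return alerts
```

With the sample above, 203.0.113.7 reaches five failures in 19 seconds and is flagged at its fifth failure, while the single failure from 198.51.100.4 stays below the threshold.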

2. Anomaly Detection with ML

Used Elastic Machine Learning to detect unusual traffic patterns and suspicious process executions.

3. Compliance Dashboards

Created custom Kibana dashboards for ISO 27001 audit trails, tracking access logs and system changes.

Lessons Learned

  • Start with a clear data taxonomy to avoid "log chaos"
  • Implement retention policies early to manage storage costs
  • Use index lifecycle management (ILM) for efficient data tiering

Tags: #ELK #SIEM #Observability