🧞Building an Open SIEM From Scratch

I have used Elastic Stack few times whether in a Threat Hunting Lab or Detection & Behavior analysis contexts. This series of blogs is about sharing what I learned in the process.


Building a SIEM based on open-sourced solutions can be particularly challenging but also much more fun. In this article series I will try to share how can we overcome some of the basic challenges that we may face during building such toolsets like:

  • Data normalization.

  • Event collection and processing.

  • Alerting : Time-based vs Event-Centric correlation

  • Visualizations and Dashboarding

  • SIEM metrics and reporting

I will be using the following tools:

  • Elastic Stack: Elasticsearch, Kibana, Logstash, and Beats for collecting, processing, storing, and searching data.

  • OpenDistro for Elasticsearch plugins for Alerting and Security.

  • ElastAlert for additional alerting features

Last updated