Introduction

Building a SIEM based on open-sourced solutions can be particularly challenging but also much more fun. In this article series I will try to share how can we overcome some of the basic challenges that we may face during building such toolsets like:

• Data normalization.

• Event collection and processing.

• Alerting : Time-based vs Event-Centric correlation

• Visualizations and Dashboarding

• SIEM metrics and reporting

I will be using the following tools:

• Elastic Stack: Elasticsearch, Kibana, Logstash, and Beats for collecting, processing, storing, and searching data.

• OpenDistro for Elasticsearch plugins for Alerting and Security.

• ElastAlert for additional alerting features