Quickstart: Detect and respond to threats with SIEM

Serverless Security Stack

In this quickstart guide, we'll learn how to use some of Elastic Security's SIEM features to detect, investigate, and respond to threats.

Before you can begin using Elastic Security, you need to choose an integration to start collecting and analyzing your data. This guide uses the Elastic Defend integration. Elastic Defend collects data from endpoints and provides several features that help protect them against threats.

  1. Install the Elastic Defend integration

  2. Add the Elastic Agent

    Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. You'll need to install this component so it can monitor any malicious activity on your hosts.

  3. Modify policy configuration settings

    After you install the Elastic Agent with Elastic Defend, the Endpoint Security (Elastic Defend) detection rule is automatically turned on and can generate detection or protection alerts. You can also set up endpoint protections—such as preventions against malware, ransomware, memory threats, and other malicious behavior—on protected hosts. This means that Elastic Defend not only monitors these behaviors and generates an alert when they are detected, but also blocks them. Because this is the maximum level of protection, we recommend modifying the policy to detect instead of prevent, so that only an alert is generated and you can decide how to respond to the threat. Then closely monitor which alerts are generated, and how many, over a set period of time before enabling higher protection if needed.
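One way to audit and apply the "detect instead of prevent" change from step 3 on a policy document before sending it back to Fleet. This is an added example, not code from the Elastic docs; the policy layout it walks (`inputs[].config.policy.value.<os>.<protection>.mode`) and the sample values are assumptions constructed for the example.

```python
import copy

# Constructed fragment of an Elastic Defend package policy. The nesting
# inputs[].config.policy.value.<os>.<protection>.mode is an ASSUMPTION made
# for this example; verify it against the policy your deployment returns.
SAMPLE_POLICY = {
    "name": "Elastic Defend - quickstart",
    "inputs": [{
        "type": "endpoint",
        "config": {"policy": {"value": {
            "windows": {
                "malware": {"mode": "prevent"},
                "ransomware": {"mode": "prevent"},
                "memory_protection": {"mode": "prevent"},
                "behavior_protection": {"mode": "prevent"},
            },
            "mac": {"malware": {"mode": "prevent"}, "behavior_protection": {"mode": "detect"}},
            "linux": {"malware": {"mode": "off"}, "behavior_protection": {"mode": "prevent"}},
        }}},
    }],
}


def _endpoint_protections(policy):
    """Yield (os_name, protection_name, settings_dict) for every endpoint input."""
    for inp in policy.get("inputs", []):
        if inp.get("type") != "endpoint":
            continue
        for os_name, protections in inp["config"]["policy"]["value"].items():
            for name, settings in protections.items():
                if isinstance(settings, dict) and "mode" in settings:
                    yield os_name, name, settings


def protection_modes(policy):
    """Audit view: {(os, protection): mode} so you can see what is currently blocking."""
    return {(os_name, name): s["mode"] for os_name, name, s in _endpoint_protections(policy)}


def switch_prevent_to_detect(policy):
    """Return (new_policy, changed) with every 'prevent' downgraded to 'detect'.

    Protections already in 'detect' or 'off' are left alone, and the input
    document is not mutated, so the caller can diff old against new.
    """
    new_policy = copy.deepcopy(policy)
    changed = []
    for os_name, name, settings in _endpoint_protections(new_policy):
        if settings["mode"] == "prevent":
            settings["mode"] = "detect"
            changed.append((os_name, name))
    return new_policy, changed
```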

Detection rules allow you to monitor your environment by searching for source events, matches, sequences, or machine learning job anomaly results that meet their criteria. When a rule’s criteria are met, Elastic Security generates an alert. Although you can create your own rules tailored for your environment, Elastic ships out-of-the-box prebuilt rules that you can install. Remember that if you installed Elastic Defend, the Endpoint Security rule is already turned on.

Tip

Elastic Security regularly updates prebuilt rules to ensure they detect the latest threats. However, you must manually update these rules to the latest version. To learn how to do this, refer to Update prebuilt rules. To learn how to view and manage all detection rules, refer to Manage detection rules.

Now that you've installed and turned on rules, it's time to monitor your Elastic Security Serverless project to see if you receive any alerts. Remember, an alert is generated if any of the rule's criteria are met. Elastic Security provides several tools for investigating security events:

  • Alerts table: View all generated alerts in a comprehensive list, apply filters for a customized view, and drill down into details.
  • Timeline: Explore alerts in a central, interactive workspace. Create customized queries and collaborate on incident analysis by combining data from various sources.
  • Visual event analyzer: View a graphical timeline of processes leading up to the alert and the events that occurred immediately after.
  • Session View: Examine Linux process data and real-time data insights.

To view a quick video tutorial on how to use these features, on the Get Started page, scroll down to View alerts, select a feature from the list, and click Play Video on the right.

For this guide, let's take a closer look at how to visualize and examine alert details by viewing the Alerts page.

Note

If you don't have any alerts yet in your environment, that's great news! You can use the Elastic demo server to explore alerts.

To access the Alerts page, do one of the following:

  • On the Get Started page, scroll down to the View alerts section, then click View Alerts at the bottom.
  • From the left navigation menu, select Alerts.

(Image: Alerts page overview)

At the top of the Alerts page are four filter controls—Status, Severity, User, and Host—that you can use to filter your alerts view. Except for Status, you can edit and customize these to your preference.

In the visualization section, you can group alerts by a specific view type:

  • Summary: Shows how alerts are distributed across specific indicators.
  • Trend: Shows the occurrence of alerts over time.
  • Counts: Shows the count of alerts in each group. Although there are default values, you can change the Group by parameters.
  • Treemap: Shows the distribution of alerts as nested, proportionally sized and color-coded tiles based on the number of alerts, and the alert's risk score. This view is useful to quickly pinpoint the most critical alerts.

(Image: Alerts page, view by type)

View alert details

At the bottom of the Alerts page is the alerts table, which includes a comprehensive list of all generated alerts and inline actions so you can take action directly on the alert. You can customize and filter the table by specific criteria to help drill down and narrow alerts.

Tip

Consider grouping alerts by other parameters such as rule name, user name, host name, source IP address, or any other field. You can select up to three fields.
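The filter controls and the up-to-three-field grouping described above, reproduced over a handful of alert documents so the relevant field names are visible. This is an added example, not code from the Elastic docs; the alert documents are constructed, and the field names (`kibana.alert.*`, `host.name`, `user.name`) follow Elastic Security's alert index as I understand it.

```python
from collections import defaultdict

# Constructed sample alerts. Field names mirror what Elastic Security writes
# to its alert indices (kibana.alert.* plus ECS host/user fields); treat the
# exact set as an assumption and check against your own alert documents.
SAMPLE_ALERTS = [
    {"kibana.alert.rule.name": "Endpoint Security", "kibana.alert.severity": "high",
     "kibana.alert.risk_score": 73, "kibana.alert.workflow_status": "open",
     "host.name": "web-01", "user.name": "svc_web"},
    {"kibana.alert.rule.name": "Endpoint Security", "kibana.alert.severity": "critical",
     "kibana.alert.risk_score": 99, "kibana.alert.workflow_status": "open",
     "host.name": "web-01", "user.name": "admin"},
    {"kibana.alert.rule.name": "Unusual Process Execution", "kibana.alert.severity": "medium",
     "kibana.alert.risk_score": 47, "kibana.alert.workflow_status": "acknowledged",
     "host.name": "db-02", "user.name": "svc_db"},
    {"kibana.alert.rule.name": "Endpoint Security", "kibana.alert.severity": "high",
     "kibana.alert.risk_score": 73, "kibana.alert.workflow_status": "closed",
     "host.name": "db-02", "user.name": "admin"},
]

# The four filter controls at the top of the Alerts page and the fields they act on.
FILTER_FIELDS = {"status": "kibana.alert.workflow_status", "severity": "kibana.alert.severity",
                 "user": "user.name", "host": "host.name"}


def filter_alerts(alerts, **filters):
    """Apply any subset of status/severity/user/host; a None value means 'any'."""
    active = {FILTER_FIELDS[k]: v for k, v in filters.items() if v is not None}
    return [a for a in alerts if all(a.get(f) == v for f, v in active.items())]


def group_alerts(alerts, *fields):
    """Group by one to three fields (the UI limit), giving count and max risk score per group.

    Output is ordered highest risk first, then largest group, which is what the
    Treemap view surfaces visually.
    """
    if not 1 <= len(fields) <= 3:
        raise ValueError("group by one to three fields")
    groups = defaultdict(lambda: {"count": 0, "max_risk_score": 0})
    for alert in alerts:
        g = groups[tuple(alert.get(f, "-") for f in fields)]
        g["count"] += 1
        g["max_risk_score"] = max(g["max_risk_score"], alert.get("kibana.alert.risk_score", 0))
    return sorted(groups.items(), key=lambda kv: (-kv[1]["max_risk_score"], -kv[1]["count"], kv[0]))
```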

To view specific details about an alert, in the alerts table, click the View details button, which opens the alert details flyout. Here, you can view a quick description of the alert, or conduct a deep dive to investigate. Each section of the alert details flyout provides a different insight, and the Take Action menu at the bottom provides several options to respond to or interact with the alert.

(Image: Alert details flyout)

For a comprehensive overview of the alert details flyout, refer to View detection alert details.

Once you've had a chance to install detection rules and check out alerts, we recommend exploring the following investigation tools and resources to assist you with threat hunting:

  • View and analyze data with out-of-the-box dashboards.
  • Learn how to reduce your mean time to respond with Attack Discovery, an AI threat hunting feature that leverages large language models (LLMs) to analyze alerts in your environment, identify threats, and show how they correspond to the MITRE ATT&CK matrix.
  • Learn how to use Cases to track investigation details.
  • Download the "Guide to high-volume data sources for SIEM" white paper.
  • Check out Elastic Security Labs for the latest on threat research.
  • Learn how to manage your data lifecycle, including how long data is retained, and how to transition indices through data tiers according to your performance needs and retention policies.