Use insights to track event ingestion to a SIEM

Hi… Not sure if this has been answered before, so feel free to let me if it has…

I’m simulating events around our environment that would end up in recorded in our SIEM (creating a user, forcing the FW to drop a packet, etc.) and then am querying our Elasticsearch instance to find those events in our SIEM. We have a lot of stuff going into our SIEM and need to know when something’s stopped it’s event feed.

So every five minutes or so, I’d like to simulate/invoke my event e.g. on the Firewall and then write a data point to NewRelic Insights to say this has happeneing and it’s event_id/whatever, THEN I’d like to rummage about in ES/SIEM for the recorded event, find it and then write to New Relic insights that I’d found that particular event_id/whatever and marry it up with the original.

I’d like to report on the average time it takes to ingest events AND far more importantly alert when none of my events turn up in Elastic search.

I can’t help feeling that New Relic is a far better way of tracking these events rather than me tracking them in a DB, Queue or whatever.

Any help or advice that you could offer would be appreciated… :smile:

Thanks!

Hi @JonMill, Sorry you have been waiting awhile for a response from our community.

I’m going to bring this back to the attention of our support team. Thanks for your patience!

Neal Mc

@JonMill Following up since it has been awhile. This category relies on community members responses since it is not monitored by our support team. Were you able to find a solution?