To ingest data, you can use:
- The {{agent}} with the {{elastic-defend}} integration, which protects your hosts and sends logs, metrics, and endpoint security data to {{elastic-sec}}. See Install {{elastic-defend}}.
- The {{agent}} with integrations, which are available in the Elastic Package Registry (EPR). To install an integration that works with {{elastic-sec}}, go to the {{kib}} Home page or navigation menu and click Add integrations. On the Integrations page, click the Security category filter, then select an integration to view the installation instructions. For more information on integrations, refer to {{integrations}}.
- {{beats}} shippers installed for each system you want to monitor.
- The {{agent}} to send data from Splunk to {{elastic-sec}}. See Get started with data from Splunk.
- Third-party collectors configured to ship ECS-compliant data. See the list of ECS fields used in {{elastic-sec}}.
::::{important}
If you use a third-party collector to ship data to {{elastic-sec}}, you must map its fields to the Elastic Common Schema (ECS). Additionally, you must add its index to the {{elastic-sec}} indices (update the securitySolution:defaultIndex advanced setting).
{{elastic-sec}} uses the host.name ECS field as the primary key for identifying hosts.
::::
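The two steps in the admonition above, as an added example (this is not code from the Elastic documentation or from {{elastic-sec}} itself): a small Python script that converts a constructed, non-ECS firewall event into a nested ECS document, refuses any event that lacks host.name (the field {{elastic-sec}} keys hosts on), and builds the request body for the {{kib}} advanced settings API (POST /api/kibana/settings, sent with a kbn-xsrf header) that appends the collector's index pattern to securitySolution:defaultIndex. The vendor field names, the examplevendor namespace and index pattern, the sample event and the current index list are all assumptions made for the example.

```python
"""Map a constructed third-party (non-ECS) event to ECS and build the
Kibana advanced-settings change that adds its index to Elastic Security.

Example code added to this page. The vendor field names, the index
pattern and the sample event are assumptions, not from a real product."""
import json

# Vendor field -> ECS field (dotted path). Constructed for this example.
FIELD_MAP = {
    "device": "host.name",        # primary key for hosts in Elastic Security
    "srcip": "source.ip",
    "dstip": "destination.ip",
    "dport": "destination.port",
    "proto": "network.transport",
    "act": "event.action",
    "ts": "@timestamp",
}

# Vendor action -> ECS event.type values (allowed/denied + connection).
ACTION_TYPE = {"allow": ["allowed", "connection"], "deny": ["denied", "connection"]}


def set_dotted(doc, dotted, value):
    """Write value at a dotted path as nested objects: "host.name" -> {"host": {"name": v}}."""
    parts = dotted.split(".")
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value


def get_dotted(doc, dotted):
    """Read a dotted path from nested dicts; None when any segment is missing."""
    cur = doc
    for p in dotted.split("."):
        if not isinstance(cur, dict) or p not in cur:
            return None
        cur = cur[p]
    return cur


def to_ecs(event, field_map=FIELD_MAP):
    """Return an ECS document for one raw vendor event.

    Unmapped vendor fields are kept under an assumed custom namespace
    ("examplevendor") so nothing is silently dropped. Raises ValueError
    when host.name is absent, because Elastic Security identifies hosts
    by that field and the event would never attach to a host."""
    doc = {"ecs": {"version": "8.11.0"},
           "event": {"kind": "event", "category": ["network"]}}
    extra = {}
    for key, value in event.items():
        target = field_map.get(key)
        if target is None:
            extra[key] = value
            continue
        if target == "network.transport":
            value = str(value).lower()   # ECS expects lowercase protocol names
        set_dotted(doc, target, value)
    if extra:
        doc["examplevendor"] = extra     # assumed vendor namespace
    action = get_dotted(doc, "event.action")
    if action in ACTION_TYPE:
        set_dotted(doc, "event.type", ACTION_TYPE[action])
    if not get_dotted(doc, "host.name"):
        raise ValueError("host.name is required: Elastic Security uses it to identify hosts")
    return doc


def default_index_change(current, new_index):
    """Request body for POST /api/kibana/settings (header kbn-xsrf: true)
    that appends new_index to securitySolution:defaultIndex without
    duplicating a pattern that is already present."""
    patterns = list(current)
    if new_index not in patterns:
        patterns.append(new_index)
    return {"changes": {"securitySolution:defaultIndex": patterns}}


if __name__ == "__main__":
    # Constructed sample event from an imaginary firewall, not real data.
    sample = {"device": "fw-edge-01", "srcip": "10.1.2.3", "dstip": "203.0.113.7",
              "dport": 443, "proto": "TCP", "act": "deny",
              "ts": "2024-05-01T12:00:00Z", "rule": 17}
    print(json.dumps(to_ecs(sample), indent=2))
    # Assumed current value of the advanced setting; check yours in Kibana.
    current = ["logs-*", "filebeat-*", "auditbeat-*", "packetbeat-*", "winlogbeat-*"]
    print(json.dumps(default_index_change(current, "examplevendor-*")))
```

In production the same field map is better expressed server-side as rename and set processors in an Elasticsearch ingest pipeline, or as Filebeat processors, so that the mapping is applied before indexing rather than in a client script; the point of the script is to show which ECS fields a security event needs and why a missing host.name should be treated as an error rather than ingested silently.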
The {{agent}} with the {{elastic-defend}} integration ships these data sources:
- Process - Linux, macOS, Windows
- Network - Linux, macOS, Windows
- File - Linux, macOS, Windows
- DNS - Windows
- Registry - Windows
- DLL and Driver Load - Windows
- Security - Windows
To add hosts and populate {{elastic-sec}} with network security events, you need to install and configure Beats on the hosts from which you want to ingest security events:
- {{filebeat}} for forwarding and centralizing logs and files
- {{auditbeat}} for collecting security events
- {{winlogbeat}} for centralizing Windows event logs
- {{packetbeat}} for analyzing network activity
You can install {{beats}} using the UI guide or directly from the command line.
When you add integrations that use {{beats}}, you’re guided through the {{beats}} installation process. To begin, go to the Integrations page (select Add integrations in the toolbar on most pages), and then follow the links for the types of data you want to collect.
::::{tip}
On the Integrations page, select the Beats only filter to view only the integrations that use {{beats}}.
::::
:::{image} /solutions/images/security-add-integrations.png
:alt: Shows button to add integrations
:screenshot:
:::
## Download and install {{beats}} from the command line [security-ingest-data-download-and-install-beats-from-the-command-line]
To install {{beats}}, see these installation guides:
- {{filebeat}} quick start
- {{auditbeat}} quick start
- {{winlogbeat}} quick start
- {{packetbeat}} quick start
No matter how you installed {{beats}}, you need to enable modules in {{auditbeat}} and {{filebeat}} to populate {{elastic-sec}} with data.
::::{tip}
For a full list of security-related {{beats}} modules, click here.
::::
To populate Hosts data, enable these modules:
- Auditbeat system module - Linux, macOS, Windows:
  - packages
  - processes
  - logins
  - sockets
  - users and groups
- Auditbeat auditd module - Linux kernel audit events
- Auditbeat file integrity module - Linux, macOS, Windows
- Filebeat system module - Linux system logs
- Filebeat Santa module - macOS security events
- Winlogbeat - Windows event logs
To populate Network data, enable Packetbeat protocols and Filebeat modules:
- {{packetbeat}}
  - DNS
  - TLS
  - Other supported protocols
- {{filebeat}}
  - Zeek NMS module
  - Suricata IDS module
  - Iptables/Ubiquiti module
  - CoreDNS module
  - Envoy proxy module (Kubernetes)
  - Palo Alto Networks firewall module
  - Cisco ASA firewall module
  - AWS module
  - CEF module
  - Google Cloud module
  - NetFlow module
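The Hosts and Network module lists above, as one added configuration example (written for this page, not copied from the Elastic documentation or from any default {{beats}} configuration file): the Auditbeat system, auditd and file integrity modules, the Filebeat system, Santa, Suricata and Zeek modules, the Packetbeat DNS and TLS protocols, and a Winlogbeat event log list. The Elasticsearch address, the audit rules, the monitored paths, the Suricata log path and the Sysmon channel are assumptions; adjust them for your hosts. Only the modules and datasets that exist in these Beats are used.

```yaml
# --- auditbeat.yml (Hosts data: system, auditd and file_integrity modules) ---
auditbeat.modules:
- module: system
  datasets:
    - package      # installed packages (Linux, macOS)
    - process      # process start and stop
    - login        # logins (Linux)
    - socket       # sockets (Linux)
    - user         # users and groups
  period: 10s
  state.period: 12h
  user.detect_password_changes: true
- module: auditd                       # Linux kernel audit events
  audit_rules: |                       # assumed rule set; tune for your hosts
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -a always,exit -F arch=b64 -S execve -k exec
- module: file_integrity
  paths:                               # assumed paths
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
  hash_types: [sha256]
output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # assumed address
  api_key: "${ES_API_KEY}"                       # keep the key in the keystore or environment
---
# --- filebeat modules.d/*.yml (Hosts: system, santa; Network: suricata, zeek) ---
- module: system                       # Linux system logs
  syslog:
    enabled: true
  auth:
    enabled: true
- module: santa                        # macOS only
  log:
    enabled: true
- module: suricata                     # IDS alerts and flow records
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]   # assumed path
- module: zeek                         # network monitor logs
  connection:
    enabled: true
  dns:
    enabled: true
  ssl:
    enabled: true
---
# --- packetbeat.yml (Network data: DNS and TLS protocols plus flows) ---
packetbeat.interfaces.device: any
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: dns
  ports: [53]
- type: tls
  ports: [443, 993, 995, 5223, 8443, 8883, 9243]
---
# --- winlogbeat.yml (Hosts data: Windows event logs) ---
winlogbeat.event_logs:
  - name: Security
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational   # only if Sysmon is installed
```

After editing, validate each file with the Beat's own test command (for example, auditbeat test config and filebeat test config) and run setup (auditbeat setup, filebeat setup, and so on) once so the index templates and ingest pipelines for the enabled modules are loaded before data arrives; otherwise events land without ECS parsing and do not show up on the Hosts and Network pages as expected.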