Elastic on Elastic Series: Data collected to the Infosec SIEM
Blog post from Elastic
The Elastic Infosec Detections and Analytics team, referred to as "Customer Zero," runs its security monitoring on Elastic's own products. The team collects, analyzes, and acts on data for security detection, incident response, threat hunting, threat intelligence, compliance auditing, and vulnerability management, integrating tools such as Auditbeat, Filebeat, and Endgame across multiple clusters to monitor and protect Elastic's systems.

Auditbeat monitors Linux servers and containers, recording process execution, logins, and network connections. Filebeat gathers logs from third-party services such as Okta, Office 365, and Google Workspace. A Monitoring Cluster is used for auditing activity, and a Fleet Cluster manages the Elastic Agents that perform data collection. A Malware Sandbox cluster lets analysts centralize malware analysis and share findings across the team.

Cross-cluster search ties these clusters together, giving security analysts a single interface from which to detect and respond to threats. The remaining posts in the series describe the infrastructure and practices in more detail.
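As an added illustration of the cross-cluster search arrangement described above (this is example code written for this page, not code from the Elastic post or the Customer Zero team), the block below builds an Elasticsearch query that spans the local SIEM cluster plus remote clusters, and runs the same detection predicate locally over a few constructed Auditbeat-style hits. The remote-cluster aliases `prod` and `corp`, the `auditbeat-*` index pattern, the "executable launched from a world-writable directory" rule, and the sample events are all assumptions made for the example; the field names follow ECS as Auditbeat's `system` module emits them, and the `<alias>:<index>` form of `_index` in cross-cluster results is standard Elasticsearch behaviour.

```python
"""Added example: cross-cluster search over Auditbeat process data.

Assumptions (not from the original post): the SIEM cluster has remote
clusters registered as ``prod`` and ``corp``; Auditbeat writes to
``auditbeat-*``; events use ECS fields from Auditbeat's ``system`` module.
"""
import json

REMOTE_CLUSTERS = ["prod", "corp"]          # assumed remote-cluster aliases
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # example rule scope


def ccs_index_pattern(clusters, pattern="auditbeat-*"):
    """Cross-cluster search addresses remote indices as '<alias>:<pattern>'.
    The bare pattern first keeps the local (SIEM) cluster in the search."""
    return ",".join([pattern] + [f"{c}:{pattern}" for c in clusters])


def suspicious_exec_query(clusters, pattern="auditbeat-*"):
    """Query DSL for process starts whose binary lives in a world-writable dir.
    In practice this would be the query of a Kibana detection rule."""
    return {
        "index": ccs_index_pattern(clusters, pattern),
        "query": {
            "bool": {
                "filter": [
                    {"term": {"event.module": "system"}},
                    {"term": {"event.dataset": "process"}},
                    {"term": {"event.action": "process_started"}},
                ],
                "should": [{"prefix": {"process.executable": d}} for d in WRITABLE_DIRS],
                "minimum_should_match": 1,
            }
        },
    }


def cluster_of(hit):
    """In a cross-cluster search response, remote hits carry
    '_index': '<alias>:<index>'; local hits have no alias prefix."""
    alias, sep, _ = hit["_index"].partition(":")
    return alias if sep else "local"


def is_suspicious_exec(src):
    """Same predicate as suspicious_exec_query(), applied to one _source doc.
    Missing fields (e.g. a login event with no process block) never match."""
    ev = src.get("event", {})
    if ev.get("module") != "system" or ev.get("dataset") != "process":
        return False
    if ev.get("action") != "process_started":
        return False
    return src.get("process", {}).get("executable", "").startswith(WRITABLE_DIRS)


def run_detection(hits):
    """Return (host, executable, cluster) for every matching hit."""
    alerts = []
    for hit in hits:
        src = hit["_source"]
        if is_suspicious_exec(src):
            alerts.append((src["host"]["name"], src["process"]["executable"], cluster_of(hit)))
    return alerts


# Constructed sample hits shaped like a cross-cluster search response.
SAMPLE_HITS = [
    {"_index": "prod:auditbeat-8.12.0-2024.03.01",
     "_source": {"event": {"module": "system", "dataset": "process", "action": "process_started"},
                 "host": {"name": "web-01"}, "user": {"name": "www-data"},
                 "process": {"executable": "/tmp/.cache/update", "args": ["/tmp/.cache/update"]}}},
    {"_index": "auditbeat-8.12.0-2024.03.01",          # local SIEM cluster, benign
     "_source": {"event": {"module": "system", "dataset": "process", "action": "process_started"},
                 "host": {"name": "build-03"}, "user": {"name": "ci"},
                 "process": {"executable": "/usr/bin/ls", "args": ["ls", "-la"]}}},
    {"_index": "corp:auditbeat-8.12.0-2024.03.01",     # login event, no process block
     "_source": {"event": {"module": "system", "dataset": "login", "action": "user_login",
                           "outcome": "success"},
                 "host": {"name": "bastion-01"}, "user": {"name": "alice"},
                 "source": {"ip": "10.0.0.5"}}},
    {"_index": "prod:auditbeat-8.12.0-2024.03.01",     # stop event, not a start
     "_source": {"event": {"module": "system", "dataset": "process", "action": "process_stopped"},
                 "host": {"name": "web-01"}, "user": {"name": "www-data"},
                 "process": {"executable": "/tmp/.cache/update"}}},
]

if __name__ == "__main__":
    print(json.dumps(suspicious_exec_query(REMOTE_CLUSTERS), indent=2))
    for host, exe, cluster in run_detection(SAMPLE_HITS):
        print(f"ALERT [{cluster}] {host}: {exe}")
```

The point of `cluster_of()` is the caveat a practitioner hits first with cross-cluster search: the same host name can exist in two clusters, so an alert must carry the cluster alias from `_index` rather than assuming `host.name` is unique across the estate. Remote clusters also have to be registered on the SIEM cluster (and reachable on the transport port) before the `alias:pattern` form resolves; an unknown alias fails the search rather than silently searching nothing.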