Elastic SIEM Integration

Stream privileged access events to Elastic SIEM for powerful security analytics and threat hunting. Leverage machine learning to detect anomalous behavior, visualize activity in pre-built dashboards, and correlate access events with security signals across your entire infrastructure.

Features

Enterprise Security Analytics

Complete integration with Elastic Security for privileged access monitoring and threat detection.

ECS Format Logs

All TigerAccess events are exported in Elastic Common Schema (ECS) format for seamless integration with Elastic Stack.

Pre-built Dashboards

Out-of-the-box Kibana dashboards for privileged access monitoring, session analytics, and compliance reporting.

Detection Rules

Ready-to-use detection rules for suspicious privileged access patterns, anomalous behavior, and policy violations.

Machine Learning

Leverage Elastic ML to detect anomalous access patterns, unusual command execution, and potential insider threats.

Capabilities

Comprehensive SIEM Integration

ECS-formatted audit logs
Real-time event streaming
Kibana visualization dashboards
Pre-configured detection rules
Machine learning jobs
Security alerts and cases
Timeline investigation views
Fleet agent integration
Elasticsearch data streaming
Custom field mappings
Index lifecycle management
SIEM rule correlation

Security

Pre-built Detection Rules

Out-of-the-box detection rules for common privileged access threats and policy violations.

Multiple Failed Access Attempts (Severity: High)

Detects multiple failed privileged access attempts from the same user, indicating potential brute force or unauthorized access.

Privilege Escalation Command (Severity: Medium)

Identifies execution of privilege escalation commands (sudo, su, etc.) during privileged sessions.

Off-Hours Privileged Access (Severity: Medium)

Alerts on privileged access outside of normal business hours, indicating potential unauthorized activity.

Unusual Database Query (Severity: High)

Detects anomalous database queries using ML to identify potential data exfiltration or unauthorized access.

Suspicious File Access (Severity: Medium)

Identifies access to sensitive files or directories that are rarely accessed by the user.

Session Recording Disabled (Severity: Critical)

Alerts when session recording is disabled or tampered with during a privileged session.
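The detection logic behind two of these rules, as an added example that is not TigerAccess code or an Elastic rule: a sliding-window count of failed access requests per user, and a check for session starts outside business hours, both run over constructed ECS-style events. The ECS field names, the threshold of 3 failures in 15 minutes and the 08:00 to 18:00 business window are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in ECS field naming. Which ECS fields TigerAccess
# actually populates is an assumption of this example.
EVENTS = [
    {"@timestamp": "2024-03-04T02:10:00Z", "user.name": "alice", "event.action": "access.request", "event.outcome": "failure"},
    {"@timestamp": "2024-03-04T02:11:00Z", "user.name": "alice", "event.action": "access.request", "event.outcome": "failure"},
    {"@timestamp": "2024-03-04T02:12:00Z", "user.name": "alice", "event.action": "access.request", "event.outcome": "failure"},
    {"@timestamp": "2024-03-04T10:00:00Z", "user.name": "bob", "event.action": "access.request", "event.outcome": "failure"},
    {"@timestamp": "2024-03-04T14:00:00Z", "user.name": "bob", "event.action": "session.start", "event.outcome": "success"},
    {"@timestamp": "2024-03-04T23:30:00Z", "user.name": "carol", "event.action": "session.start", "event.outcome": "success"},
]

def parse_ts(ts):
    """ECS @timestamp is ISO 8601; Python wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def failed_access_alerts(events, threshold=3, window_minutes=15):
    """'Multiple Failed Access Attempts': at least `threshold` failed
    access.request events from one user inside a sliding time window.
    Returns (user, window_start, count) tuples, at most one per user."""
    failures = defaultdict(list)
    for e in events:
        if e.get("event.action") == "access.request" and e.get("event.outcome") == "failure":
            failures[e["user.name"]].append(parse_ts(e["@timestamp"]))
    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_minutes
            while (times[end] - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start].isoformat(), end - start + 1))
                break
    return alerts

def off_hours_alerts(events, business_start=8, business_end=18):
    """'Off-Hours Privileged Access': session.start outside business hours.
    Hours are compared in UTC here; use the organisation's local zone in practice."""
    return [(e["user.name"], e["@timestamp"]) for e in events
            if e.get("event.action") == "session.start"
            and not business_start <= parse_ts(e["@timestamp"]).hour < business_end]

if __name__ == "__main__":
    print(failed_access_alerts(EVENTS))  # [('alice', '2024-03-04T02:10:00+00:00', 3)]
    print(off_hours_alerts(EVENTS))      # [('carol', '2024-03-04T23:30:00Z')]
```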

Setup

Get Started in Minutes

Follow these steps to integrate TigerAccess with your Elastic Security deployment.

Step 1: Configure Elasticsearch Output

Configure TigerAccess to send audit events to your Elasticsearch cluster in ECS format.

# /etc/tigeraccess/config.yaml
audit:
  events:
    - session.start
    - session.end
    - access.request
    - exec
  outputs:
    - type: elasticsearch
      endpoints:
        - https://elastic.example.com:9200
      index: tigeraccess-audit-%{+yyyy.MM.dd}
      username: tigeraccess
      password: ${ELASTICSEARCH_PASSWORD}
      ssl:
        certificate_authorities:
          - /etc/tigeraccess/elastic-ca.crt

Step 2: Import Kibana Dashboards

Import pre-built TigerAccess dashboards and visualizations into Kibana for immediate visibility.

# Download and import dashboards
curl -O https://downloads.tigeraccess.io/elastic/dashboards.ndjson

# Import using Kibana API
curl -X POST "https://kibana.example.com:5601/api/saved_objects/_import" \
  -H "kbn-xsrf: true" \
  --form file=@dashboards.ndjson

# Or import via Kibana UI:
# Stack Management > Saved Objects > Import

Step 3: Deploy Detection Rules

Install TigerAccess detection rules to identify suspicious privileged access patterns and security violations.

# Import detection rules
curl -X POST "https://kibana.example.com:5601/api/detection_engine/rules/_import" \
  -H "kbn-xsrf: true" \
  -H "elastic-api-version: 2023-10-31" \
  --form file=@tigeraccess-rules.ndjson   # rule file name is a placeholder

# Enable rules
curl -X POST "https://kibana.example.com:5601/api/detection_engine/rules/_bulk_action" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "enable",
    "query": "alert.attributes.tags: \"TigerAccess\""
  }'

Step 4: Configure Machine Learning Jobs

Set up ML jobs to detect anomalous privileged access behavior and unusual command patterns.

# Create ML job for anomalous access detection
POST _ml/anomaly_detectors/tigeraccess-anomaly-access
{
  "description": "Detect anomalous privileged access patterns",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "function": "rare",
        "by_field_name": "user.name",
        "over_field_name": "host.name"
      },
      {
        "function": "high_count",
        "partition_field_name": "user.name"
      }
    ]
  },
  "data_description": {
    "time_field": "@timestamp",
    "time_format": "epoch_ms"
  }
}

Step 5: Verify Integration

Verify that events are flowing to Elasticsearch and dashboards are displaying data correctly.

# Check document count in index
GET /tigeraccess-audit-*/_count

# Search recent audit events
GET /tigeraccess-audit-*/_search
{
  "size": 10,
  "sort": [{ "@timestamp": "desc" }],
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-1h"
      }
    }
  }
}
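An added example (not TigerAccess or Elastic code) that produces the NDJSON file step 3 imports: it builds the "Multiple Failed Access Attempts" rule as a Kibana threshold rule in the Detection Engine rule schema, tagged TigerAccess so the bulk enable query above selects it. The ECS field names, the threshold value and the severity-to-risk-score mapping are assumptions of the example.

```python
import json

# Kibana expresses severity as a name plus a 0-100 risk_score; these are the
# values its rule editor proposes by default (assumption of this example).
RISK_SCORE = {"low": 21, "medium": 47, "high": 73, "critical": 99}

def build_threshold_rule(rule_id, name, description, query, field, value,
                         severity, index=("tigeraccess-audit-*",)):
    """Return a dict in the Kibana detection-rule schema for a threshold
    rule: fire when `query` matches at least `value` docs per `field`."""
    if severity not in RISK_SCORE:
        raise ValueError(f"unknown severity {severity!r}")
    return {
        "rule_id": rule_id,
        "name": name,
        "description": description,
        "type": "threshold",
        "language": "kuery",
        "query": query,
        "index": list(index),
        "threshold": {"field": [field], "value": value, "cardinality": []},
        "severity": severity,
        "risk_score": RISK_SCORE[severity],
        "from": "now-20m",        # look-back window evaluated on each run
        "to": "now",
        "interval": "5m",
        "enabled": True,
        "tags": ["TigerAccess"],  # matched by the _bulk_action enable query
    }

def to_ndjson(rules):
    """Kibana's _import endpoint expects one JSON object per line."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in rules) + "\n"

def failed_access_rule():
    # ECS field names; which fields TigerAccess populates is assumed.
    return build_threshold_rule(
        "tigeraccess-multiple-failed-access", "Multiple Failed Access Attempts",
        "3 or more failed privileged access requests by one user in 20 minutes",
        'event.action:"access.request" and event.outcome:"failure"',
        "user.name", 3, "high")

if __name__ == "__main__":
    with open("tigeraccess-rules.ndjson", "w") as f:
        f.write(to_ndjson([failed_access_rule()]))
```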

Use Cases

Real-World Security Scenarios

Threat Detection

Detect privilege escalation attempts, lateral movement, and suspicious command execution patterns using ML-powered anomaly detection and correlation rules.

Insider Threat Monitoring

Monitor privileged user behavior for anomalous patterns such as unusual access times, uncommon resources, or high-risk command execution.

Compliance Reporting

Generate audit reports for SOC 2, HIPAA, PCI DSS, and other compliance frameworks using pre-built Kibana dashboards and visualizations.

Security Investigations

Investigate security incidents using Elastic Timeline to correlate privileged access events with other security signals across your infrastructure.

FAQ

Frequently Asked Questions

What is the Elastic Common Schema (ECS) and why does it matter?

ECS is a standardized schema for log data that makes it easy to correlate events across different sources. TigerAccess exports all audit events in ECS format, allowing you to correlate privileged access events with application logs, network traffic, and other security signals in Elastic SIEM.

Do I need an Elastic Enterprise subscription for this integration?

No. The basic integration works with Elastic Free and Basic tiers. However, advanced features like machine learning anomaly detection, alerting, and case management require an Elastic Platinum or Enterprise subscription.

How much data will TigerAccess send to Elasticsearch?

Data volume depends on your access patterns. On average, expect 1-5 KB per audit event. A typical organization with 100 users and moderate activity generates 10-50 GB per month. Use index lifecycle management (ILM) to manage retention and costs.

Can I customize the detection rules?

Yes. All detection rules can be customized in Kibana. You can modify thresholds, add exceptions, change severity levels, and create custom rules based on your organization's security policies and risk tolerance.

How do I integrate with Elastic Security cases?

TigerAccess alerts automatically create cases in Elastic Security when detection rules trigger. You can configure case templates, assign analysts, and track investigations directly in Kibana. All privileged access context is preserved in the case timeline.

What about performance impact on Elasticsearch?

TigerAccess uses efficient bulk indexing and configurable batching to minimize impact. For high-volume environments, consider using Elasticsearch data tiers to store older audit data on cheaper storage, or use index lifecycle management to automatically manage hot/warm/cold data.

Ready to Secure Your Infrastructure?

Join thousands of security-conscious teams using TigerAccess to protect their critical infrastructure and AI agents.

No credit card required • 14-day free trial • Enterprise support available