ELK SIEM Open Distro: Visualization of ELK and SIEM Dashboards in ELK

This post describes how to customize the visualization of ELK and SIEM dashboards in ELK.
The article is divided into the following sections:

1- Overview of ELK SIEM
2- Default dashboards
3- Creating your first dashboards


1- ELK SIEM Overview

ELK SIEM was recently added to the Elastic Stack in version 7.2, released on June 25, 2019.

It is a SIEM solution created by elastic.co to make a security analyst's life much easier and less tedious.

For our own deployment, we decided to build our own SIEM and design our own dashboards.

But we think it is important to learn ELK SIEM first.

1.1- Host events section

We'll look at the host section first. It lets you see the events that are generated on the endpoint itself.


After clicking View hosts, you should get something like this. As you can see, there are three hosts connected to this machine:

1- Windows 10.

2- Ubuntu Server 18.04.

We have several visualizations, each displaying a different type of event.

For example, the one in the middle shows login information for all three machines.

The amount of data you see here was collected over five days, which explains the large number of failed and successful logins. You will probably have a small amount of logs, so don't worry.

1.2- Network events section

Moving on to the network section, you should get something like this. It lets you keep a close eye on everything that happens on your network, from HTTP/TLS traffic to DNS traffic and external alert events.


2- Default dashboards

To make life easier for users, the elastic.co developers have created default dashboards that are officially supported by ELK. The Beats are no exception to this rule. Here I will take the default Packetbeat dashboard as an example.

If you followed the steps of the second article correctly, you should have a ready-made dashboard waiting for you. So let's get started.

In the left-hand tab of Kibana, select the dashboard icon. It is the third one, counting from the top.

Enter the name of your Beat in the search bar.

If a Beat has several modules, a dashboard is created for each of them, but only the one for the active module will display non-empty data.

Choose the one that carries the name of your module.

This is the main Packetbeat dashboard.


This is the network flow dashboard. It tells us about incoming and outgoing packets and about source and destination IP addresses, and it provides a lot of other information useful to a SOC analyst.


3- Creating Your First Dashboards

3-1- Basic concepts

A- Types of visualizations:

These are the different kinds of visualizations you can use to display your data.

For example, we have:

  • Bar chart
  • Map
  • Markdown widget
  • Pie chart


B- KQL (Kibana Query Language):

This is the language used in Kibana for simple data searches. It lets you check whether certain data exists, among many other useful features. To learn more, see the documentation at this link:

https://www.elastic.co/guide/en/kibana/current/kuery-query.html

This is an example of a query that searches for hosts running Windows 10 Pro.


C- Filters:

This feature lets you filter on specific parameters such as hostname, event code or ID, and so on. Filters greatly reduce the time and effort spent looking for clues during the investigation phase.

D- First rendering:

Let's create a visualization for MITRE ATT&CK.

First we need to go to Dashboard → Create new dashboard → Create new → Pie chart.

Choose an index pattern as the source, then type the name of your Beat.

Press Enter. You should now see a green donut.

In the Buckets tab on the left you will find:


- Split slices divides the donut into parts according to how the data is distributed.

- Split chart creates another donut next to this one.

We will use Split slices.

We will visualize our data according to the term we choose. In this case, the term refers to the MITRE ATT&CK technique.

In Winlogbeat, the field that will provide us with this information is called:

winlog.event_data.RuleName

We'll use a Count metric so that the slices are ordered by the number of occurrences.

Turn on the "Group other values in a separate segment" option.

This comes in handy when the term you have chosen takes many different values coming from the Beat: it shows the rest of the data as a single slice, giving you an idea of the percentage taken by all other events.

Now that we have finished configuring the Data tab, let's move on to the Options tab.

You must do the following:

** Disable the donut shape so that a full circle is rendered.

** Select the legend position you prefer. In this case, we display it on the right.

** Set the values to be displayed next to their slice for easier reading, and leave the rest at the defaults.


Truncate controls how much of the event name is displayed.

Set the time range you want the visualization to cover, then click the blue button.

You should get something like this:


You can also add a filter to your visualization to restrict it to the specific host you want to check, or to any other criterion you find useful. The visualization will then only display data that matches the filter rule. In this case, we only display MITRE ATT&CK data coming from a host named win10.
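As an added example (not part of the original article), the following Python shows what the pie visualization configured above actually computes: the host filter written as a KQL-style condition (section B), the Split slices terms bucket on winlog.event_data.RuleName ordered by the Count metric, and the "other values" bucket. The field host.name, the Sysmon-style technique_id/technique_name values in RuleName and all sample events are assumptions constructed for the example; the article names only the RuleName field and the host win10.

```python
from collections import Counter

def doc(host, rule=None):  # minimal Winlogbeat-style document (constructed sample data)
    d = {"host": {"name": host}, "winlog": {"event_data": {}}}
    if rule is not None:
        d["winlog"]["event_data"]["RuleName"] = rule
    return d

# Constructed events. RuleName values imitate the Sysmon technique_id/technique_name
# tagging convention (an assumption; the article only names the field).
SAMPLE_EVENTS = (
    [doc("win10", "technique_id=T1059,technique_name=Command-Line Interface")] * 6
    + [doc("win10", "technique_id=T1086,technique_name=PowerShell")] * 4
    + [doc("win10", "technique_id=T1053,technique_name=Scheduled Task")] * 3
    + [doc("win10", "technique_id=T1060,technique_name=Registry Run Keys")] * 2
    + [doc("win10", "technique_id=T1003,technique_name=Credential Dumping")] * 1
    + [doc("win10")] * 5      # Sysmon events whose rule has no RuleName: no slice for them
    + [doc("dc01", "technique_id=T1059,technique_name=Command-Line Interface")] * 7  # dropped by host filter
)

def build_es_query(host_name, field="winlog.event_data.RuleName", size=5):
    """Elasticsearch DSL equivalent of the visualization: the KQL filter
    `host.name: win10` becomes a bool filter, the Split slices terms bucket
    becomes a terms aggregation ordered by the Count metric."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"match_phrase": {"host.name": host_name}}]}},
        "aggs": {"rules": {"terms": {"field": field, "size": size, "order": {"_count": "desc"}}}},
    }

def rule_name_buckets(events, host_name, size=5):
    """Offline re-implementation of that aggregation over in-memory events.
    Returns [(RuleName, count), ...] ordered by count; values beyond the top
    `size` are rolled into one 'Other' bucket, like the option
    'Group other values in a separate segment'."""
    counts = Counter()
    for ev in events:
        if ev["host"]["name"] != host_name:          # the filter
            continue
        rule = ev["winlog"]["event_data"].get("RuleName")
        if rule is not None:                         # documents lacking the field get no slice
            counts[rule] += 1
    top = counts.most_common(size)
    other = sum(counts.values()) - sum(c for _, c in top)
    return top + [("Other", other)] if other else top

def slice_percentages(buckets):  # share of the pie per slice (the "show values" option)
    total = sum(c for _, c in buckets)
    return {name: 100 * c / total for name, c in buckets}
```

Calling `rule_name_buckets(SAMPLE_EVENTS, "win10", size=3)` yields three technique slices plus an "Other" slice of 3 events, which is exactly the split the pie shows when the other-values option is on.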


3-2- Creating your first dashboard:

A dashboard is a collection of several visualizations. Your dashboards should be clear, understandable, and contain useful and specific data. Here is an example of the dashboards we created from scratch for Winlogbeat.


Thank you for your time. I hope this article was helpful to you. If you would like more information on the topic, we recommend visiting the official site.

Telegram chat on Elasticsearch: https://t.me/elasticsearch_ru

Source: habr.com
