ELK SIEM Open Distro: Visualizing ELK and SIEM dashboards in ELK

This post describes setting up ELK visualizations and SIEM dashboards in ELK.
The article is divided into the following parts:

1- ELK SIEM review
2- Default dashboards
3- Creating your first dashboards

Table of contents for all posts.

1- ELK SIEM review

ELK SIEM was recently added to the ELK stack in version 7.2, released on June 25, 2019.

It is the SIEM solution built by elastic.co to make the security analyst's life easier and less painful.

In our version of the project we decided to build our own SIEM and choose our own dashboards.

But we think it is worth taking a look at ELK SIEM first.

1.1- Hosts events section

We will start by looking at the hosts section. The hosts section lets you see the events generated on the endpoints themselves.


After clicking "View hosts" you should get something like this. As you can see, there are three hosts connected to this machine:

1 Windows 10.

2 Ubuntu Server 18.04.

Several visualizations are displayed, each representing one type of event.

For example, the one in the middle shows the login data for all three machines.

The amount of data you see here was collected over five days. It shows the number of failed and successful logins. You will probably get a smaller number of logs, so don't worry.

1.2- Network events section

Moving on to the network section, you should get something like this. This section lets you closely monitor everything happening on your network, from HTTP/TLS traffic to DNS traffic and alerts from external sources.


2- Default dashboards

To make life easier for users, the elastic.co developers ship official default dashboards for ELK. None of the beats is an exception to this rule. Here I will use the default Packetbeat dashboards as an example.

If you followed the second step of the article correctly, the dashboards should already be set up and waiting for you. So let's start.

From the left pane of Kibana, select the dashboard icon. It is the third one, counting from the top.

Enter the name of the beat in the search field.

If the beat has several modules, a dashboard is created for each of them. But only the dashboard whose module is enabled will show useful data.

Select the one whose name matches your system.

This is the main Packetbeat overview.


This is the network flow monitoring dashboard. It tells us about incoming and outgoing packets and source and destination IP addresses, and provides a lot of useful information for a network security analyst.


3 - Creating your first dashboards

3-1- Basic principles

A- Visualization types:

These are the types of visualizations you can use to visualize your data.

For example we have:

  • Bar
  • Map
  • Markdown widget
  • Column chart


B- KQL (Kibana Query Language):

This is the language used in Kibana to search data easily. It lets you check whether certain data exists, among many other useful things. To learn more, you can read the documentation at this link:

https://www.elastic.co/guide/en/kibana/current/kuery-query.html

This is an example query to find a host running Windows 10 Pro.


C- Filters:

This feature lets you filter on parameters such as hostname, event code or ID, and so on. Filters greatly improve the search experience in terms of the time and effort spent looking for evidence.

D- First visualization:

Let's create a visualization for MITRE ATT&CK.

First we need to go to Dashboard → Create new dashboard → Create new → Pie

Set the visualization type to pie, then click the name of your beat.

Press Enter. At this point you should see a green donut.

In the Buckets tab on the left you will find:


- Split slices divides the donut into separate slices according to the distribution of the data.

- Split chart creates another donut next to this one.

We will use split slices.

We will visualize our data by the term we choose. In this case the term will refer to MITRE ATT&CK.

In Winlogbeat, the field that gives us this information is called:

winlog.event_data.RuleName

We set the metric so that events are ordered by the number of times they occurred.

Enable the "Group other values in a separate bucket" option.

This is useful when the terms you chose have different meanings depending on their suffix. It helps to see the rest of the data as a whole and gives you an idea of the total number of remaining events.

Now that we have finished setting up the data, let's move to the Options tab.

You need to do the following:

** Remove the donut shape so that the visualization shows a full circle.

** Choose the legend position you want. In this case we will show it on the right.

** Set the values to be displayed next to their slice for easier reading, and leave the rest at the defaults.


Truncation determines how much of the event name you want to display.

Set the time range from which you want the visualization to start, then click the blue square.

You should end up with something like this:


You can also add filters to the visualization to restrict it to the specific host you want to look at, or to any other parameters you find useful for your purpose. The visualization then shows only the data that matches the rule set in the filter. In this case we will show only the MITRE ATT&CK data coming from the host named win10.
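The following is an added example, not code from the original post. It models what the pie visualization above does outside Kibana: it builds the Elasticsearch request that a pie split on winlog.event_data.RuleName issues (slices ordered by count, top-N plus an "Other" bucket, filtered to host.name win10), and runs the same bucket logic over constructed Winlogbeat-style events so the result can be checked without a running stack. The RuleName values and the second host name are constructed.

```python
"""Added example (not from the post): models the section-D pie over Winlogbeat events."""
from collections import Counter

FIELD = "winlog.event_data.RuleName"
# Constructed RuleName values in the style Sysmon configs use to tag ATT&CK techniques.
RULE_T1059 = "technique_id=T1059,technique_name=Command and Scripting Interpreter"
RULE_T1055 = "technique_id=T1055,technique_name=Process Injection"
RULE_T1003 = "technique_id=T1003,technique_name=OS Credential Dumping"

def event(host, rule_name=None):
    """Minimal Winlogbeat-shaped document: ECS host.name plus winlog.event_data.*"""
    data = {} if rule_name is None else {"RuleName": rule_name}
    return {"host": {"name": host}, "winlog": {"event_data": data}}

# Constructed sample: six tagged events on win10, one untagged, one from another host.
SAMPLE_EVENTS = [
    event("win10", RULE_T1059), event("win10", RULE_T1059), event("win10", RULE_T1059),
    event("win10", RULE_T1055), event("win10", RULE_T1055),
    event("win10", RULE_T1003),
    event("win10"),                  # Sysmon rule without a RuleName tag
    event("win10-lab", RULE_T1059),  # dropped by the host filter
]

def pie_aggregation(host, size=5):
    """Elasticsearch request the pie sends: KQL filter host.name : "<host>" plus a terms split."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"host.name": host}}]}},
        "aggs": {"slices": {"terms": {"field": FIELD, "size": size, "order": {"_count": "desc"}}}},
    }

def pie_buckets(events, host, size=5):
    """Top-`size` RuleName terms by count plus one 'Other' slice for the rest ('Group other
    values in a separate bucket'). Events without the field are dropped, as Kibana does."""
    counts = Counter()
    for ev in events:
        if ev["host"]["name"] != host:
            continue
        rule = ev["winlog"]["event_data"].get("RuleName")
        if rule is not None:
            counts[rule] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    slices = ordered[:size]
    other = sum(c for _, c in ordered[size:])
    if other:
        slices.append(("Other", other))
    return slices
```

Call `pie_buckets(SAMPLE_EVENTS, "win10", size=2)` to see the three slices the pie would draw for this sample: two techniques and an "Other" bucket holding the remainder.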


3-2- Creating your first dashboard:

A dashboard is a collection of several visualizations. Dashboards should be clear and understandable and contain useful, specific information. Here is an example of the dashboards we built from scratch for Winlogbeat.


Thank you for your time. I hope you found this article helpful. If you want more information on the topic, we recommend visiting the official website.

Tattaunawar Telegram akan Elasticsearch: https://t.me/elasticsearch_ru

source: www.habr.com
