The SIEM app was added to the ELK stack in version 7.2, released on June 25, 2019.
It is a SIEM solution built by elastic.co to make a security analyst's life easier and less tiring.
In our version of the work we decided to build our own SIEM and choose our own dashboards.
Still, we think it is worth exploring ELK SIEM first.
1.1- Host events section
We start with the Hosts section. The Hosts section lets you see the events generated on the endpoints themselves.
After clicking on "View hosts" you get something like this. As you can see, three hosts are reporting to this instance:
1 Windows 10.
2 Ubuntu 18.04 servers.
Several visualizations are shown, each presenting a different kind of event.
For example, the one in the middle shows the authentication data for the three machines.
The large amount of data you see here was collected over five days, which explains the high number of failed and successful logins. Your own logs will probably be smaller, so do not worry about that.
1.2- Network events section
Moving on to the Network section, you should get something like this. This section lets you keep an eye on everything happening on your network, from HTTP/TLS traffic to DNS traffic and external event flows.
2- Default dashboards
To make life easier for users, the elastic.co developers ship a default set of dashboards supported by ELK. Our beats are no exception to this rule. Here I will use the default Packetbeat dashboards as the example.
If you followed step two of the article correctly, you should already have a set of dashboards waiting for you. So let's begin.
From the left sidebar of Kibana, select the Dashboard icon. It is the third one, counting from the top.
Enter the module name in the search bar.
If the beat contains several modules, a dashboard is created for each of them, but only the ones whose module is enabled will contain data.
Select the one carrying your module name.
This is the Packetbeat example.
This is the network flow dashboard. It tells us about incoming and outgoing packets, source and destination IP addresses, and provides many insights for the security operations center analyst.
3- Creating your first dashboards
3-1- Basic concepts
A- Types of visualizations:
These are the different visualizations you can use to look at your data.
For example, we have:
bar chart
map
metric widget
pie chart
B- KQL (Kibana Query Language):
This is the language used in Kibana to search data easily. You can check whether certain data exists, among other useful features. For more details, see the information at this link.
Here is an example query for finding a host running Windows 10 Pro.
C- Filters:
This feature lets you filter on specific fields such as hostname, event code or ID, etc. Filters greatly improve the investigation phase, both in time spent and in the effort needed to hunt for evidence.
D- First visualization:
Let's create a visualization for MITRE ATT&CK.
First we need to go to Dashboard → Create new dashboard → Create new → Pie visualization.
Choose the index pattern as the source, then click on the name of your beat.
Press Enter. You should now see a green donut.
In the Buckets panel on the left you will see:
- Split slices divides the donut into slices according to the distribution of the data.
- Split chart creates a separate donut for each bucket.
We will use Split slices.
We will group our data by a term of our choosing. In this case the term is the one that carries the MITRE ATT&CK information.
In Winlogbeat, the field that gives us this information is named:
winlog.event_data.RuleName
We order by the metric Count, so that the values are ranked by how many times each one occurred.
Enable the "Group other values in a separate section" option.
This is needed when the term you chose has many distinct values. It lets you see the rest of the data as a whole and gives you an idea of the share of the remaining events.
Now that we have finished configuring the data, let's move to the Options tab.
You need to do the following:
- Turn off the Donut option so that a full pie is displayed.
- Choose the legend position you prefer. In this case we show it on the right.
- Set the values to be shown next to their slice for easier reading, and leave the rest at the defaults.
Truncation determines how much of the event name is displayed.
Set the time range you want the visualization to start from, then click the blue Update button.
You should end up with something like this:
You can add a filter to your visualization to restrict it to the specific host you want to look at, or to the fields you consider relevant to your goal. The visualization will then only show data matching the rule set in the filter. In this case we only show the MITRE ATT&CK data coming from the host named win10.
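To make the configuration above concrete, here is an added example (not code from the original article) that does on a handful of constructed Winlogbeat-style documents what the pie visualization does in Kibana: it builds the Elasticsearch request Kibana issues for a Split slices terms bucket on winlog.event_data.RuleName restricted to host.name "win10", then applies the same grouping, the "Other" bucket and the label truncation locally so it runs without a cluster. The field names follow ECS and Winlogbeat; the RuleName values imitate a Sysmon configuration that tags its rules with ATT&CK technique ids, and the sample documents are constructed, not real logs.

```python
"""Local emulation of the "Split slices" pie visualization described above.

Added example, not part of the original article. Field names follow
ECS/Winlogbeat; the RuleName values imitate a Sysmon configuration that
tags rules with ATT&CK technique ids. All documents are constructed.
"""
from collections import Counter

RULE_FIELD = "winlog.event_data.RuleName"

# Constructed rule names (assumed Sysmon config labels, not real log data).
T1059 = "technique_id=T1059,technique_name=Command-Line Interface"
T1086 = "technique_id=T1086,technique_name=PowerShell"
T1053 = "technique_id=T1053,technique_name=Scheduled Task"
T1105 = "technique_id=T1105,technique_name=Remote File Copy"
T1003 = "technique_id=T1003,technique_name=Credential Dumping"


def _doc(host, rule=None):
    """Build a minimal Winlogbeat-style document for a given host."""
    event_data = {"Image": "C:\\Windows\\System32\\cmd.exe"}
    if rule is not None:
        event_data["RuleName"] = rule
    return {"host": {"name": host}, "winlog": {"event_data": event_data}}


# Constructed sample documents, not real logs.
SAMPLE_EVENTS = (
    [_doc("win10", T1059)] * 4
    + [_doc("win10", T1086)] * 3
    + [_doc("win10", T1053)] * 2
    + [_doc("win10", T1105), _doc("win10", T1003)]
    + [_doc("win10")]                # Sysmon event that matched no named rule
    + [_doc("win10-lab", T1059)]     # other host, dropped by the host filter
)


def build_request(host_name, size, time_from="now-5d", time_to="now"):
    """Query DSL Kibana sends for this visualization: the host filter
    (KQL host.name : "win10"), the time picker range, and a terms
    aggregation ordered by count descending, size = number of slices."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"match_phrase": {"host.name": host_name}},
            {"range": {"@timestamp": {"gte": time_from, "lte": time_to}}},
        ]}},
        "aggs": {"rule_names": {"terms": {
            "field": RULE_FIELD, "size": size, "order": {"_count": "desc"}}}},
    }


def get_field(doc, dotted):
    """Walk a dotted field name through nested dicts; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def split_slices(docs, host_name, size, group_other=True):
    """Local equivalent of the terms bucket with 'Group other values in a
    separate section': top `size` values by count, the rest rolled into Other."""
    counts = Counter()
    for doc in docs:
        if get_field(doc, "host.name") != host_name:
            continue
        value = get_field(doc, RULE_FIELD)
        if value is None:           # documents without the field form no bucket
            continue
        counts[value] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    buckets = ordered[:size]
    other = sum(c for _, c in ordered[size:])
    if group_other and other:
        buckets.append(("Other", other))
    return buckets


def with_percent(buckets):
    """Attach each slice's share of the total, as shown in the legend values."""
    total = sum(c for _, c in buckets)
    if total == 0:
        return []
    return [(label, c, round(100.0 * c / total, 1)) for label, c in buckets]


def truncate_label(label, limit):
    """Options-tab truncation: cut labels longer than `limit` characters."""
    return label if len(label) <= limit else label[:limit] + "..."


if __name__ == "__main__":
    for label, count, pct in with_percent(split_slices(SAMPLE_EVENTS, "win10", 3)):
        print(f"{truncate_label(label, 40):<43} {count:>3} {pct:>5}%")
```

With three slices, the four most frequent rule names on win10 collapse to the top three plus an "Other" slice holding the remaining two events, and the document whose Sysmon event matched no named rule never becomes a slice, which is exactly why filtering on the host and grouping the long tail keeps the pie readable.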
3-2- Creating your first dashboard:
A dashboard is a collection of several visualizations. Your dashboards should be clear, easy to understand, and contain useful, decisive data. Here is an example of the dashboards we built from scratch for Winlogbeat.
Thanks for your time. I hope this article helped you. If you would like more information on the topic, we encourage you to visit the website.