ProHoster > Π‘Π»ΠΎΠ³ > Kev tswj hwm > ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

Cov ncej no yuav piav qhia txog kev teeb tsa kev pom ntawm ELK thiab SIEM dashboards hauv ELK
Kab lus tau muab faib ua ntu hauv qab no:

1- ELK SIEM Review
2- Default dashboards
3- Tsim koj thawj dashboards

Cov ntsiab lus ntawm tag nrho cov ncej.

1-ELK SIEM Review

ELK SIEM tsis ntev los no tau ntxiv rau elk pawg hauv version 7.2 thaum Lub Rau Hli 25, 2019.

Qhov no yog ib qho kev daws teeb meem SIEM tsim los ntawm elastic.co los ua kom lub neej ntawm tus kws tshuaj ntsuam xyuas kev ruaj ntseg yooj yim dua thiab tsis tshua nkees.

Hauv peb qhov kev ua haujlwm, peb txiav txim siab los tsim peb tus kheej SIEM thiab xaiv peb tus kheej tswj vaj huam sib luag.

Tab sis peb xav tias nws tseem ceeb heev uas yuav tau tshawb nrhiav ELK SIEM ua ntej.

1.1- Tus tswv tsev ntu ntu

Peb mam li saib tus tswv tsev ua ntej. Ntu tus tswv tsev yuav tso cai rau koj pom cov xwm txheej uas tsim los ntawm qhov kawg ntawm nws tus kheej.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

Tom qab txhaj rau saib hosts koj yuav tsum tau txais tej yam zoo li no. Raws li koj tuaj yeem pom, muaj peb lub koom haum txuas nrog lub khoos phis tawj no:

1 Qhov rai 10.

2 Ubuntu Server 18.04.

Peb muaj ntau qhov kev pom pom, txhua tus sawv cev sib txawv ntawm cov xwm txheej.

Piv txwv li, ib qho hauv nruab nrab qhia cov ntaub ntawv nkag mus rau tag nrho peb lub tshuab.

Cov ntaub ntawv uas koj pom ntawm no tau sau ntau tshaj tsib hnub. Qhov no piav qhia txog tus lej loj ntawm kev nkag tsis tau thiab ua tiav. Tej zaum koj yuav muaj tsawg tus cav, yog li tsis txhob txhawj

1.2- Network txheej xwm seem

Tsiv mus rau ntu network, koj yuav tsum tau txais qee yam zoo li no. Tshooj lus no yuav tso cai rau koj kom kaw qhov muag ntawm txhua yam uas tshwm sim hauv koj lub network, los ntawm HTTP / TLS kev khiav mus rau DNS tsheb thiab kev ceeb toom cov xwm txheej sab nraud.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

2- Default dashboards

Txhawm rau ua kom lub neej yooj yim dua rau cov neeg siv, elastic.co cov neeg tsim khoom tau tsim cov cuab yeej siv tau raug txhawb los ntawm ELK. Peb cov neeg ntaus yeej tsis muaj kev zam rau txoj cai no. Ntawm no kuv yuav siv Packetbeat's default dashboards ua piv txwv.

Yog tias koj ua raws cov kauj ruam ob ntawm kab lus kom raug. Koj yuav tsum muaj lub toolbar teeb tos koj. Yog li cia peb pib.

Los ntawm sab laug tab ntawm Kibana, xaiv lub cim dashboard. Qhov no yog qhov thib peb, yog tias koj suav los ntawm sab saum toj.

Sau lub npe sib koom hauv qhov kev tshawb nrhiav tab

Yog hais tias muaj ob peb modules nyob rau hauv me ntsis. Lub vaj huam sib luag tswj yuav raug tsim rau txhua tus ntawm lawv. Tab sis tsuas yog ib qho nrog module nquag yuav tso tawm cov ntaub ntawv uas tsis yog khoob.

Xaiv ib qho nrog koj lub npe module.

Qhov no yog lub ntsiab template PacketBeat.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

Qhov no yog lub network khiav tswj vaj huam sib luag. Nws yuav qhia peb txog cov khoom xa tuaj thiab tawm, cov peev txheej thiab cov chaw nyob ntawm IP chaw nyob, thiab tseem muab ntau cov ntaub ntawv tseem ceeb rau tus kws tshuaj ntsuam xyuas chaw ruaj ntseg.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

3 - Tsim koj thawj dashboards

3–1- Cov Ntsiab Lus Tseem Ceeb

A- Hom dashboards:

Cov no yog ntau hom kev pom pom uas koj tuaj yeem siv los pom koj cov ntaub ntawv.

Piv txwv li peb muaj:

  • Bar teeb
  • daim ntawv qhia
  • Markdown widget
  • Daim ntawv qhia ncuav

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

B- KQL (Kibana Query Language):

Qhov no yog hom lus siv hauv Kibana kom yooj yim nrhiav cov ntaub ntawv. Nws tso cai rau koj los xyuas seb qee cov ntaub ntawv muaj nyob thiab ntau lwm yam tseem ceeb. Yog xav paub ntxiv, koj tuaj yeem tshawb xyuas cov ntaub ntawv ntawm qhov txuas no

https://www.elastic.co/guide/en/kibana/current/kuery-query.html

Nov yog ib qho piv txwv nug kom nrhiav tau tus tswv tsev khiav Windows 10 pro.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

C- Lim:

Qhov no feature yuav tso cai rau koj mus lim tej yam tsis xws li hostname, tshwm sim code los yog ID, thiab lwm yam. Lim yuav ua tau zoo heev txhim khu kev tshawb fawb theem nyob rau hauv cov nqe lus ntawm lub sij hawm thiab kev rau siab siv tshawb nrhiav pov thawj.

D- Kev pom thawj zaug:

Cia peb tsim kev pom rau MITER ATT & CK.

Ua ntej peb yuav tsum mus rau Dashboard β†’ Tsim dashboard tshiab β†’ tsim tshiab β†’ Pie dashboard

Teem hom rau tus qauv ntsuas, ces coj mus rhaub lub npe ntawm koj ntaus.

Nias Enter. Los ntawm tam sim no koj yuav tsum pom ib tug ntsuab donut.

Nyob rau hauv lub thoob tab ntawm sab laug koj yuav pom:

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

- Cov kab sib cais yuav faib cov khoom qab zib rau hauv ntau qhov chaw nyob ntawm qhov sib kis ntawm cov ntaub ntawv.

- Split Chart yuav tsim lwm qhov khoom plig ntawm ib sab ntawm no.

Peb yuav siv cov slices.

Peb yuav pom peb cov ntaub ntawv nyob ntawm lub sijhawm peb xaiv. Hauv qhov no, lo lus yuav xa mus rau MITER ATT & CK.

Hauv Winlogbeat, daim teb uas yuav muab cov ntaub ntawv no rau peb yog hu ua:

winlog.event_data.RuleName

Peb yuav teeb tsa tus lej ntsuas kom xaj cov xwm txheej raws li tus naj npawb ntawm lub sijhawm lawv tshwm sim.

Qhib lub "Pab lwm cov nqi hauv ib ntu" feature.

Qhov no yuav muaj txiaj ntsig yog tias cov lus koj xaiv muaj ntau lub ntsiab lus sib txawv raws li kev sib dhos. Qhov no yuav pab pom qhov seem ntawm cov ntaub ntawv tag nrho. Qhov no yuav muab koj lub tswv yim ntawm feem pua ​​​​ntawm cov xwm txheej tseem tshuav.

Tam sim no uas peb tau ua tiav teeb tsa cov ntaub ntawv tab, cia peb txav mus rau qhov kev xaiv tab

Koj yuav tsum ua cov hauv qab no:

** Tshem tawm cov duab donut kom lub rendering qhia ib lub voj voog puv.

** Xaiv txoj haujlwm dab neeg koj nyiam. Hauv qhov no, peb yuav muab lawv tso rau ntawm sab xis.

** Teem cov zaub qhov tseem ceeb los qhia ib sab ntawm lawv cov snippet kom nyeem tau yooj yim dua thiab tawm ntawm qhov seem raws li lub neej ntawd

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

Truncation txiav txim siab npaum li cas koj xav tso tawm los ntawm lub npe tshwm sim.

Teem lub sij hawm uas koj xav kom lub rendering pib, thiab ces nias lub xiav square.

Koj yuav tsum xaus nrog qee yam zoo li no:

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

Koj tuaj yeem ntxiv cov lim rau koj qhov kev pom los lim tawm cov tswv tsev tshwj xeeb uas koj xav kuaj lossis ib qho kev ntsuas koj xav tias muaj txiaj ntsig rau koj lub hom phiaj. Qhov kev pom pom tsuas yog tso saib cov ntaub ntawv uas phim txoj cai muab tso rau hauv lub lim. Hauv qhov no, peb tsuas yog tso tawm MITER ATT & CK cov ntaub ntawv los ntawm tus tswv tsev hu ua win10.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

3-2- Tsim koj thawj dashboard:

Lub dashboard yog ib phau ntawm ntau qhov kev pom. Koj cov dashboards yuav tsum meej, nkag siab, thiab muaj cov ntaub ntawv tseem ceeb, txiav txim siab. Ntawm no yog ib qho piv txwv ntawm cov dashboards peb tsim los ntawm kos rau winlogbeat.

ELK SIEM Qhib Distro: Kev pom ntawm ELK thiab SIEM dashboards hauv ELK

Ua tsaug rau koj lub sijhawm. Kuv vam tias koj pom tsab xov xwm no pab tau. Yog tias koj xav paub ntau ntxiv txog lub ncauj lus, peb xav kom koj mus ntsib official website.

Telegram tham ntawm Elasticsearch: https://t.me/elasticsearch_ru

Tau qhov twg los: www.hab.com

Ntxiv ib saib