In the previous articles we got a little acquainted with the ELK stack and with setting up the Logstash configuration file for the log parser. In this article we move on to what matters most from an analytics point of view: what you want to see from the system and what all of it was built for, namely graphs and tables combined into dashboards. Today we take a closer look at the Kibana visualization system, see how graphs and tables are created, and as a result build a simple dashboard based on logs from a Check Point firewall.
The first step in using Kibana is to create an index pattern. Logically it is a base of indexed indices grouped by a certain principle. Of course, this is purely a setting that lets Kibana search information across all matching indices at once more conveniently. It is set by matching a string such as "checkpoint-*" against index names. For example, "checkpoint-2019.12.05" matches the pattern, while plain "checkpoint" does not. It is worth mentioning separately that a search cannot look through different index patterns at the same time; a little later, in subsequent articles, we will see that API requests are made either by the name of an index or by just one line of the index name. The index pattern (screenshot):
After that, check in the Discover menu that all logs are indexed and the correct parser is configured. If any mismatches are found, for instance a data type has to change from string to integer, the Logstash configuration file must be edited, after which new logs are written correctly. For old logs written before the change to take the desired form, only the reindex process helps; that operation is covered in detail in a later article. Let's make sure everything is in order (screenshot):
The logs are in place, so we can start building dashboards. Based on the analytics in the dashboards of security products, you can understand the state of information security in the organization, clearly see the weaknesses in the current policy and then work out ways to eliminate them. Let's build a small dashboard using several visualization tools. The dashboard will consist of 5 components:
- a table counting the total number of logs per blade
- a table of critical IPS signatures
- a pie chart of Threat Prevention events
- a graph of the most popular visited sites
- a graph of the use of the most dangerous applications
To create a visualization, go to the Visualize menu and choose the figure you want to build. Let's go in order.
Table counting the total number of logs per blade
For this, choose the Data Table figure; you land in the chart builder, with the figure settings on the left and a preview of how it looks with the current settings on the right. First, here is what the finished table looks like; after that we go through the settings (screenshot):
More detailed settings of the figure (screenshot):
Let's look at the settings.
Metrics is configured first: this is the value by which all fields are aggregated. Metrics are computed from values extracted from documents in one way or another. The values are usually taken from document fields, but they can also be generated with scripts. In this case we set Aggregation: Count (the total number of logs).
After that, the table is split into segments (fields) for which the metric is calculated. This is done by the Buckets setting, which in turn consists of 2 setting options:
- Split rows: adds columns and then splits the table into rows.
- Split table: splits the data into several tables based on the values of a specific field.
In Buckets you can add several splits to create several columns or tables; the limits here are quite logical. In the aggregation you can choose the method used to split into segments: IPv4 range, date range, Terms and so on. The most interesting choices are Terms and Significant Terms: the split into segments is done by the values of a specific index field, and the difference between them lies in the number of returned values and how they are displayed. Since we want to split the table by blade name, choose the field product.keyword and set the size to 25 returned values.
Instead of strings, Elasticsearch uses 2 data types: text and keyword. If you want full-text search, use the text type; it is very convenient when writing your own search service, for example to look for a mention of a word inside a particular field value (text). If you only need an exact match, use the keyword type. The keyword data type should also be used for fields that require sorting or aggregation, which is our case.
As a result, Elasticsearch counts the number of logs over the given time span, aggregated by the value of the product field. In Custom Label set the name of the column as it will be shown in the table, set the time span over which logs are collected and start rendering: Kibana sends a request to Elasticsearch, waits for the response and then visualizes the data it received. The table is ready!
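The Data Table above boils down to one Elasticsearch request. As an added example (not code from the original article), the following Python builds that request body, Count split by Terms on product.keyword with size 25 inside a time window, and runs the same aggregation locally over a few constructed Check Point-style documents so the result can be inspected offline. The document values, the MAPPING dictionary and the per_blade aggregation name are assumptions made for this example; the refusal to aggregate on the text field mirrors the text/keyword rule described above.

```python
import json
from collections import Counter

# Constructed sample documents in the shape the Logstash parser from the
# earlier articles produces for Check Point logs (field names as on the page,
# values made up for this example).
SAMPLE_LOGS = [
    {"@timestamp": "2019-12-05T09:00:00Z", "product": "Firewall", "action": "Accept"},
    {"@timestamp": "2019-12-05T09:05:00Z", "product": "Firewall", "action": "Drop"},
    {"@timestamp": "2019-12-05T09:10:00Z", "product": "URL Filtering", "action": "Accept"},
    {"@timestamp": "2019-12-05T09:15:00Z", "product": "SmartDefense", "action": "Detect"},
    {"@timestamp": "2019-12-05T09:20:00Z", "product": "Threat Emulation", "action": "Prevent"},
    {"@timestamp": "2019-12-05T09:25:00Z", "product": "Firewall", "action": "Accept"},
    {"@timestamp": "2019-12-01T09:00:00Z", "product": "Anti-Bot", "action": "Prevent"},  # outside the window
]

# Constructed mapping: strings ingested through Logstash become a text field
# with a .keyword sub-field, the text/keyword split the article describes.
MAPPING = {
    "@timestamp": {"type": "date"},
    "product": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "action": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
}


def field_type(field):
    """Resolve 'product.keyword' -> 'keyword' and 'product' -> 'text' from MAPPING."""
    name, _, sub = field.partition(".")
    entry = MAPPING[name]
    return entry["fields"][sub]["type"] if sub else entry["type"]


def data_table_query(field="product.keyword", size=25, window="now-24h"):
    """Request body behind a Data Table with Metric: Count and Bucket: Terms on
    `field`; size=0 because only the aggregation buckets are wanted, and the
    range clause is the time picker. (per_blade is an assumed aggregation name.)"""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": window, "lte": "now"}}},
        "aggs": {"per_blade": {"terms": {"field": field, "size": size,
                                         "order": {"_count": "desc"}}}},
    }


def terms_buckets(docs, field, size, start, end):
    """Local stand-in for the terms aggregation: count documents per value of
    `field` whose @timestamp lies in [start, end] (ISO-8601 strings compare
    lexicographically), most frequent first, at most `size` buckets."""
    if field_type(field) == "text":
        # Elasticsearch refuses this as well: fielddata is disabled on text fields
        raise ValueError(f"cannot aggregate on text field {field!r}; use {field}.keyword")
    base = field.partition(".")[0]
    counts = Counter(d[base] for d in docs if start <= d["@timestamp"] <= end)
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:size]
    return [{"key": key, "doc_count": n} for key, n in top]


if __name__ == "__main__":
    print(json.dumps(data_table_query(), indent=2))
    for b in terms_buckets(SAMPLE_LOGS, "product.keyword", 25,
                           "2019-12-05T00:00:00Z", "2019-12-05T23:59:59Z"):
        print(f"{b['key']:<18} {b['doc_count']}")
```

Running the script prints the request body and then the per-blade counts for 5 December only; the Anti-Bot document from 1 December falls outside the window, which is exactly what the time picker does in Kibana.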
Pie chart of Threat Prevention events
Of particular interest is the proportion of detect versus prevent reactions to information security incidents under the current security policy; a pie chart suits this situation well. In Visualize choose Pie chart. In Metrics, again set aggregation by the number of logs. In Buckets put Terms => action.
Everything seems right, but the result shows values for all blades, and we need to filter only the blades that work within the Threat Prevention framework. So be sure to set a filter that searches only for information on the blades responsible for information security incidents: product: ("Anti-Bot" OR "New Anti-Virus" OR "DDoS Protector" OR "SmartDefense" OR "Threat Emulation") (screenshot):
More detailed settings (screenshot):
IPS events table
Next, something very important from the information security point of view is viewing and checking the events on the IPS and Threat Emulation blades that are not blocked by the current policy, so that later the signature can be switched to prevent, or, if the traffic is legitimate, the signature is no longer checked. We create the table the same way as in the first example, the only difference being that we create several columns: protections.keyword, severity.keyword, product.keyword, originsicname.keyword. Be sure to set a filter to search only for information on the blades responsible for information security incidents: product: ("SmartDefense" OR "Threat Emulation") (screenshot):
More detailed settings (screenshot):
Graph of the most popular visited sites
For this, create a Vertical Bar figure. Again we use count (Y-axis) as the metric, and on the X-axis we use the names of the visited sites as values, the "appi_name" field. There is a small trick here: if you run the settings as they are in the current version, all sites are marked on the chart in the same colour. To make them multi-coloured, use the additional setting "split series", which lets you split a ready-made bar into several more values depending on the selected field. This split can be used either as a single multi-coloured bar by value in stacked mode, or in normal mode to create several bars for a particular X-axis value. Specifying the same value as on the X-axis makes all bars multi-coloured, with the colours indicated in the top right. In the filter set product: "URL Filtering" to see information only about visited sites (screenshot):
Settings:
Graph of the use of the most dangerous applications
For this, create a Vertical Bar figure. Again we use count (Y-axis) as the metric, and on the X-axis we use the names of the applications used, "appi_name", as values. The most important part is the filter setting: product: "Application Control" AND app_risk: (4 OR 5 OR 3) AND action: "accept". We filter the logs by the Application Control blade, take only the sites classified as critical, high or medium risk, and only where access to those sites was allowed (screenshot):
Settings (screenshot):
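The three query-bar filters used above (the Threat Prevention product list for the pie chart, the SmartDefense/Threat Emulation filter for the IPS table, and the Application Control filter for the risky-applications chart) can be written as Elasticsearch bool queries. The following Python is an added example, not from the original article: it expresses each filter as query DSL and evaluates it locally against constructed log documents to produce the counts the charts display. The log values and protection names are invented, and the note that action: "accept" in the query bar runs against the analyzed text field (so it also matches the capitalised "Accept" the logs carry, whereas a term query on action.keyword is an exact, case-sensitive comparison) is added here.

```python
from collections import Counter

# Constructed sample documents (values invented); field names are the ones the
# article uses: product, action, app_risk, appi_name, protections, severity.
SAMPLE_LOGS = [
    {"product": "Firewall", "action": "Accept", "appi_name": "ssh"},
    {"product": "Anti-Bot", "action": "Prevent", "protections": "sample-bot-signature", "severity": "High"},
    {"product": "SmartDefense", "action": "Detect", "protections": "sample-ips-signature-1", "severity": "High"},
    {"product": "SmartDefense", "action": "Detect", "protections": "sample-ips-signature-2", "severity": "Medium"},
    {"product": "Threat Emulation", "action": "Prevent", "protections": "sample-te-verdict", "severity": "Critical"},
    {"product": "Application Control", "action": "Accept", "app_risk": 5, "appi_name": "TeamViewer"},
    {"product": "Application Control", "action": "Accept", "app_risk": 4, "appi_name": "TeamViewer"},
    {"product": "Application Control", "action": "Accept", "app_risk": 3, "appi_name": "Dropbox"},
    {"product": "Application Control", "action": "Accept", "app_risk": 2, "appi_name": "Skype"},     # low risk
    {"product": "Application Control", "action": "Drop", "app_risk": 5, "appi_name": "BitTorrent"},  # blocked
    {"product": "URL Filtering", "action": "Accept", "appi_name": "youtube.com"},
]

THREAT_PREVENTION_BLADES = ["Anti-Bot", "New Anti-Virus", "DDoS Protector",
                            "SmartDefense", "Threat Emulation"]


def threat_prevention_filter():
    """product: ("Anti-Bot" OR "New Anti-Virus" OR "DDoS Protector" OR "SmartDefense" OR "Threat Emulation")"""
    return {"bool": {"filter": [{"terms": {"product.keyword": THREAT_PREVENTION_BLADES}}]}}


def ips_table_filter():
    """product: ("SmartDefense" OR "Threat Emulation")"""
    return {"bool": {"filter": [{"terms": {"product.keyword": ["SmartDefense", "Threat Emulation"]}}]}}


def risky_applications_filter():
    """product: "Application Control" AND app_risk: (4 OR 5 OR 3) AND action: "accept" """
    return {"bool": {"filter": [
        {"term": {"product.keyword": "Application Control"}},
        {"terms": {"app_risk": [3, 4, 5]}},
        # The query bar runs action: "accept" against the analyzed text field,
        # so it also hits the capitalised "Accept" in the logs; a term query on
        # action.keyword would be an exact, case-sensitive comparison.
        {"match": {"action": "accept"}},
    ]}}


def matches(doc, clause):
    """Local evaluation of the few query DSL clauses used above."""
    kind, body = next(iter(clause.items()))
    if kind == "bool":
        return all(matches(doc, c) for c in body.get("filter", []))
    (field, value), = body.items()
    base = field[:-len(".keyword")] if field.endswith(".keyword") else field
    actual = doc.get(base)
    if kind == "term":     # keyword semantics: exact match
        return actual == value
    if kind == "terms":    # keyword semantics: any of the listed values
        return actual in value
    if kind == "match":    # analyzed text: lower-cased token comparison
        return actual is not None and str(actual).lower() == str(value).lower()
    raise ValueError(f"unsupported clause: {kind}")


def count_by(docs, query, field):
    """Terms bucket on `field` over the docs that pass `query`: the numbers a
    pie chart (field=action.keyword) or bar chart (field=appi_name.keyword) shows."""
    base = field[:-len(".keyword")] if field.endswith(".keyword") else field
    return dict(Counter(d[base] for d in docs if base in d and matches(d, query)))


if __name__ == "__main__":
    print("Threat Prevention pie:", count_by(SAMPLE_LOGS, threat_prevention_filter(), "action.keyword"))
    print("IPS table by signature:", count_by(SAMPLE_LOGS, ips_table_filter(), "protections.keyword"))
    print("Risky apps allowed:", count_by(SAMPLE_LOGS, risky_applications_filter(), "appi_name.keyword"))
```

With the sample data the pie chart comes out as two Detect and two Prevent events, the IPS table lists three signatures, and the risky-applications chart keeps only the allowed medium-to-critical applications (the low-risk Skype and the dropped BitTorrent documents are excluded, which is the intent of the filter).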
Dashboard
Viewing and creating dashboards lives in a separate menu item, Dashboard. Everything here is simple: a new dashboard is created, visualizations are added to it and arranged in their places, and that's it.
We have created a dashboard from which the basic state of information security in the organization can be understood, although of course only at the Check Point level (screenshot):
Based on these graphs you can see which critical signatures are not blocked on the firewall, where users go, and which of the most dangerous applications users are using.
Conclusion
We have looked at the basic visualization capabilities of Kibana and built a dashboard, but this is only a small part. Further on in the course we will separately look at setting up maps, working with the Elasticsearch system, API requests, automation and more.
Stay tuned
Source: habr.com