This post explains how to set up visualizations and SIEM dashboards in the ELK stack.
The post is divided into the following sections:
1- ELK SIEM overview
2- Default dashboards
3- Creating your first dashboard
Table of contents of the whole series:
- Introduction
- Infrastructure deployment and SOC-as-a-Service (SOCasS) technologies
- ELK stack - installation and configuration
- Walkthrough of the Open Distro
- Dashboard visualization and ELK SIEM
- Integration with Wazuh
- Alerting
- Reporting
- Case Management
1- ELK SIEM overview
Elastic SIEM was added to the Elastic stack in version 7.2, released on June 25, 2019.
It is a SIEM solution built by elastic.co to make the security analyst's life easier and simpler.
In our version of the project we decided to build our own SIEM and pick our own dashboards.
But we think it is worth looking at ELK SIEM first.
1.1- Host events section
We will look at the Hosts section first. The Hosts section lets you see the events generated on the endpoints themselves.
After clicking on the hosts view you should get something like this. As you can see, there are three hosts connected to this machine:
1 Windows 10.
2 Ubuntu Server 18.04.
Several visualizations are displayed, each representing a different kind of event.
For example, the one in the middle shows authentication data for all three machines.
The amount of data you see here was collected over five days, which explains the large number of failed and successful logins. You may have a smaller number of logs, so don't worry.
1.2- Network events section
Moving on to the Network section, you should find something like this. This section lets you look at everything happening on your network, from HTTP/TLS traffic to DNS traffic and external alert events.
2- Default dashboards
To make users' lives easier, the elastic.co developers built default dashboards that are officially supported by ELK. The Beats we installed are no exception. Here I will use Packetbeat's default dashboards as an example.
If you followed the second part of the series correctly, you should already have the dashboards installed and waiting for you. So let's get started.
From the left-hand menu of Kibana, select the Dashboard icon. It is the third one, counting from the top.
Enter the name of the Beat in the search box.
If the Beat has several modules, a dashboard is created for each of them, but only the dashboard of the module that is actually enabled will show non-empty data.
Select the one with the name of your module.
This is the main Packetbeat template.
This is the network flows dashboard. It tells us about incoming and outgoing packets, source and destination IP addresses, and gives a lot of other information that is useful to a security analyst.
3 - Creating your first dashboards
3-1- Basic concepts
A- Visualization types:
These are the different types of visualization you can use to look at your data.
For example we have:
- bar chart
- map
- Markdown widget
- pie chart
B- KQL (Kibana Query Language):
This is the language Kibana uses to search data easily. It lets you check whether certain data exists, along with many other useful features. For more information, you can read the documentation at this link
This is an example of a query to search for a host running Windows 10 Pro.
C- Filters:
This feature lets you filter on parameters such as host name, event code or ID, and so on. Filters greatly improve the analysis phase in terms of the time and effort spent hunting for evidence.
D- First visualization:
Let's create a MITRE ATT&CK visualization.
First go to Dashboard → Create new dashboard → Create new → Pie.
Select the index pattern, then type the name of your Beat.
Press Enter. You should now see a green donut.
In the Buckets tab on the left you will find:
- Split slices, which divides the donut into sections according to the distribution of the data.
- Split chart, which creates another donut next to this one.
We will use Split slices.
We will visualize our data according to the term we choose. In this case the term will refer to MITRE ATT&CK.
In Winlogbeat, the field that gives us this information is called:
winlog.event_data.RuleName
This field only contains MITRE ATT&CK names if the Sysmon configuration on the host sets the rule name of each rule to the technique it detects; with a configuration that leaves rule names empty, the donut will stay empty.
We set the metric so that events are ordered by how many times they occur (count).
Enable the "Group other values in separate bucket" option.
This helps when the field you chose has more distinct values than the number of slices you display: all remaining values are shown as a single slice, which gives you an idea of how many events are left outside the top slices.
Now that we have finished with the Data tab, let's move on to the Options tab.
You need to do the following:
** Disable the donut option so that the visualization shows a full circle.
** Choose the legend position you want. In this case we display it on the right.
** Set the labels to be shown next to their slice for easier reading, and leave the rest at the defaults.
Truncation sets how many characters of the rule name are displayed in the label.
Set the time range the visualization should start from, then click the blue update button.
You should end up with something like this:
You can also add a filter to your visualization to restrict it to the specific host you want to look at, or to any other parameter you find useful for your purpose. The visualization then shows only the data matching the rule set in the filter. In this case we show only MITRE ATT&CK data coming from the host named win10.
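To make explicit what the pie chart above actually computes, here is an added example (not code from the original post) that models the same aggregation locally: a terms bucket on winlog.event_data.RuleName ordered by count, a host.name filter, the "group other values" slice and the label truncation. It also builds the plain Elasticsearch terms-aggregation request that has the same meaning as the Kibana visualization (Kibana's own generated request body is more elaborate). The sample events, host names and rule-name strings are constructed for the demonstration; the technique_id=...,technique_name=... format is the one used by ATT&CK-tagged Sysmon configurations and is an assumption here, not something the post shows.

```python
"""Local model of the MITRE ATT&CK pie chart from section 3-1 (added example).

Assumptions (not from the original post): the sample events below are
constructed, the host names are made up, and RuleName uses the
"technique_id=...,technique_name=..." convention of ATT&CK-tagged Sysmon configs.
"""
from collections import Counter

FIELD = "winlog.event_data.RuleName"

# Constructed Winlogbeat-style events, flattened to dotted ECS field names.
# The last event has no RuleName: a Sysmon event whose rule carried no name.
SAMPLE_EVENTS = [
    {"host.name": "win10", FIELD: "technique_id=T1059,technique_name=Command-Line Interface"},
    {"host.name": "win10", FIELD: "technique_id=T1059,technique_name=Command-Line Interface"},
    {"host.name": "win10", FIELD: "technique_id=T1059,technique_name=Command-Line Interface"},
    {"host.name": "win10", FIELD: "technique_id=T1047,technique_name=Windows Management Instrumentation"},
    {"host.name": "win10", FIELD: "technique_id=T1047,technique_name=Windows Management Instrumentation"},
    {"host.name": "win10", FIELD: "technique_id=T1003,technique_name=Credential Dumping"},
    {"host.name": "win10", FIELD: "technique_id=T1086,technique_name=PowerShell"},
    {"host.name": "win10b", FIELD: "technique_id=T1003,technique_name=Credential Dumping"},
    {"host.name": "win10b", FIELD: "technique_id=T1003,technique_name=Credential Dumping"},
    {"host.name": "win10"},
]


def build_terms_agg_request(field, size, filter_field=None, filter_value=None):
    """Elasticsearch request body equivalent to the pie chart: no hits, one
    terms aggregation ordered by document count, optional term filter."""
    body = {
        "size": 0,
        "aggs": {"slices": {"terms": {"field": field, "size": size, "order": {"_count": "desc"}}}},
    }
    if filter_field is not None:
        body["query"] = {"bool": {"filter": [{"term": {filter_field: filter_value}}]}}
    return body


def terms_buckets(events, field, size, filter_field=None, filter_value=None, group_other=True):
    """Return the pie slices as [(key, doc_count), ...], top `size` keys first.

    Mirrors the terms aggregation semantics: documents missing the field are
    ignored, buckets are ordered by count descending (ties by key ascending),
    and, with group_other, everything outside the top `size` keys becomes
    one "Other" slice (Elasticsearch reports it as sum_other_doc_count)."""
    docs = [e for e in events if filter_field is None or e.get(filter_field) == filter_value]
    counts = Counter(e[field] for e in docs if field in e)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    top = ordered[:size]
    other = sum(count for _, count in ordered[size:])
    if group_other and other:
        top.append(("Other", other))
    return top


def truncate_label(key, max_chars):
    """Shorten a slice label the way the Truncate option does in the Options tab."""
    return key if len(key) <= max_chars else key[:max_chars] + "..."


if __name__ == "__main__":
    print(build_terms_agg_request(FIELD, 2, "host.name", "win10"))
    for key, count in terms_buckets(SAMPLE_EVENTS, FIELD, 2, "host.name", "win10"):
        print(f"{truncate_label(key, 30):35s} {count}")
```

Run it and compare the printed slices with the donut in Kibana: with a host.name filter of win10 and two slices, the two most frequent rule names are shown individually and the remaining matched events collapse into "Other", while the event without a RuleName is not counted at all, which is why an unconfigured Sysmon rule set produces an empty chart.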
3-2- Creating your first dashboard:
A dashboard is a collection of several visualizations. Your dashboards should be clear, understandable, and contain useful, actionable information. Here is an example of a dashboard we built from scratch for Winlogbeat.
Thank you for your time. I hope you found this post useful. If you want more information on the topic, we recommend you visit
the Telegram chat on Elasticsearch:
Source: www.habr.com