ProHoster > Blog > Tsamaiso > ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

Poso ena e tla hlalosa ho theha pono ea li-dashboards tsa ELK le SIEM ho ELK
Sehlooho se arotsoe ka likarolo tse latelang:

1- Tlhahlobo ea ELK SIEM
2- Li-dashboards tsa kamehla
3- Ho theha li-dashboard tsa hau tsa pele

Lethathamo la litaba tsa litaba tsohle.

Tlhahlobo ea 1-ELK SIEM

ELK SIEM e sa tsoa eketsoa ho elk stack ka mofuta oa 7.2 ka la 25 Phuptjane 2019.

Ena ke tharollo ea SIEM e entsoeng ke elastic.co ho etsa hore bophelo ba mohlahlobi oa ts'ireletso bo be bonolo le ho se tena.

Phetolelong ea rona ea mosebetsi, re nkile qeto ea ho theha SIEM ea rona le ho khetha phanele ea rona ea taolo.

Empa re nahana hore ho bohlokoa ho hlahloba ELK SIEM pele.

1.1- Karolo ea liketsahalo tsa moamoheli

Re tla sheba karolo ea moamoheli pele. Karolo ea moamoheli e tla u lumella ho bona liketsahalo tse hlahisoang qetellong ka boeona.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

Ka mor'a ho tobetsa ho view host o lokela ho fumana ntho e kang ena. Joalokaha u bona, ho na le li-host tse tharo tse hokahantsoeng komporong ena:

1 Windows 10.

2 Ubuntu Server 18.04.

Re na le lipono tse 'maloa tse bontšitsoeng, e' ngoe le e 'ngoe e emela mefuta e fapaneng ea liketsahalo.

Mohlala, e bohareng e bonts'a data ea ho kena mecheng eohle e meraro.

Lintlha tsena tseo u li bonang mona li bokeletsoe ka matsatsi a mahlano. Sena se hlalosa palo e kholo ea li-logins tse hlōlehileng le tse atlehileng. Mohlomong u tla ba le palo e nyane ea likutu, kahoo u se ke oa tšoenyeha

1.2- Karolo ea liketsahalo tsa marang-rang

Ho fetela karolong ea marang-rang, u lokela ho fumana ntho e kang ena. Karolo ena e tla u lumella ho beha leihlo ka hloko ntho e 'ngoe le e' ngoe e etsahalang marang-rang a hau, ho tloha ho sephethephethe sa HTTP / TLS ho ea ho sephethephethe sa DNS le litlhokomeliso tsa liketsahalo tsa ka ntle.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

2- Li-dashboards tsa kamehla

Ho nolofaletsa basebelisi bophelo, bahlahisi ba elastic.co ba thehile sesebelisoa sa kamehla se tšehetsoeng ka molao ke ELK. Ho otla ha rona ho ne ho se mokhelo molaong ona. Mona ke tla sebelisa li-dashboard tsa kamehla tsa Packetbeat joalo ka mohlala.

Haeba u latetse mohato oa bobeli oa sengoloa ka nepo. U lokela ho ba le toolbar e hlophisitsoeng e u emetseng. Kahoo a re qaleng.

Ho tloha tabeng e letšehali ea Kibana, khetha letšoao la dashboard. Ena ke ea boraro, haeba u bala ho tloha holimo.

Kenya lebitso la kabelo ho tab ya ho batla

Haeba ho na le li-module tse 'maloa ka hanyane. Ho tla etsoa sehlopha sa taolo bakeng sa e mong le e mong oa bona. Empa ke e 'ngoe feela e nang le module e sebetsang e tla bonts'a data e se nang letho.

Khetha e nang le lebitso la mojule oa hau.

Ena ke thempleite ea sehlooho PacketBeat.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

Ena ke phanele ea taolo ea phallo ea marang-rang. E tla re bolella ka pakete e kenang le e tsoang, mehloli le libaka tsa liaterese tsa IP, hape e fana ka boitsebiso bo bongata ba bohlokoa bakeng sa mohlahlobi oa setsi sa tšireletso.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

3 - Ho theha li-dashboard tsa hau tsa pele

3–1- Maikutlo a Motheo

A- Mefuta ea li-dashboards:

Ena ke mefuta e fapaneng ea lipono tseo u ka li sebelisang ho bona data ea hau ka mahlo.

mohlala, re na le:

  • graph ea bareng
  • 'mapa
  • Widget ea Markdown
  • Chate ea pie

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

B- KQL (Puo ea Potso ea Kibana):

Ena ke puo e sebelisoang Kibana ho batla lintlha habonolo. E u lumella ho hlahloba hore na data e itseng e teng le likarolo tse ling tse ngata tsa bohlokoa. Ho tseba haholoanyane, o ka hlahloba lintlha ho sehokelo sena

https://www.elastic.co/guide/en/kibana/current/kuery-query.html

Ona ke mohlala oa potso ea ho fumana moamoheli ea sebetsang Windows 10 pro.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

Lisefe tsa C:

Karolo ena e tla u lumella ho sefa li-parameter tse itseng tse kang lebitso la moeti, khoutu ea ketsahalo kapa ID, joalo-joalo Li-filters li tla ntlafatsa haholo mohato oa lipatlisiso ho latela nako le boiteko bo sebelisoang ho batla bopaki.

D- Pono ea pele:

Ha re theheng pono bakeng sa MITER ATT & CK.

Pele re hloka ho ea Dashboard → Theha dashboard e ncha→ theha e ncha → Dashboard ea Pie

Beha mofuta bakeng sa paterone ea index, ebe u tlanya lebitso la pina ea hau.

Tobetsa Enter. Hona joale o lokela ho bona donut e tala.

Ho Buckets tab ka letsohong le letšehali u tla fumana:

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

- Arola lilae li tla arola donut ka likarolo tse fapaneng ho latela ho ata ha data.

- Split Chart e tla theha donut e 'ngoe haufi le ena.

Re tla sebelisa lilae tse arohaneng.

Re tla bona data ea rona ka mahlo a kelello ho latela nako eo re e khethang. Tabeng ena lentsoe le tla bolela MITER ATT & CK.

Ho Winlogbeat, sebaka se tla re fa leseli lena se bitsoa:

winlog.event_data.RuleName

Re tla theha palo ea lipalo ho odara liketsahalo ho latela palo ea linako tseo li etsahalang ka tsona.

Numella "Lihlopha tse ling tsa boleng karolong e arohaneng".

Sena se tla ba molemo haeba mantsoe ao u a khethang a na le meelelo e mengata e fapaneng e thehiloeng ho morethetho. Sena se thusa ho bona lintlha tse setseng ka kakaretso. Sena se tla u fa leseli la liperesente tsa liketsahalo tse setseng.

Kaha joale re se re qetile ho theha tab ea data, ha re feteleng ho ea ho khetho ea likhetho

U tlameha ho etsa se latelang:

**Tlosa sebopeho sa donut hore phetolelo e bontše selikalikoe se felletseng.

**Khetha boemo ba tšōmo boo u bo ratang. Tabeng ena, re tla li bontša ka ho le letona.

**Beha boleng ba ponts'o ho bonts'a haufi le snippet ea bona bakeng sa ho bala habonolo 'me u tlohele tse ling e le tsa kamehla

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

Truncation e etsa qeto ea hore na u batla ho hlahisa bokae ho tsoa lebitsong la ketsahalo.

Beha nako eo u batlang hore phetolelo e qale ka eona, 'me u tobetse lepatlelo le leputsoa.

U lokela ho qetella ka ntho e kang ena:

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

U ka boela ua kenya filthara ponong ea hau ho sefa moamoheli ea itseng eo u batlang ho e hlahloba kapa li-parameter life kapa life tseo u nahanang hore li na le thuso molemong oa hau. Ponahalo e tla bonts'a feela data e lumellanang le molao o behiloeng ka har'a sefe. Tabeng ena, re tla bonts'a feela data ea MITER ATT&CK e tsoang ho moamoheli ea bitsoang win10.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

3-2- Ho theha dashboard ea hau ea pele:

Dashboard ke pokello ea lipono tse ngata. Li-dashboard tsa hau li tlameha ho ba tse hlakileng, tse utloisisoang, 'me li be le lintlha tsa bohlokoa, tse hlakileng. Mohlala ke ona oa li-dashboards tseo re li entseng ho tloha qalong bakeng sa winlogbeat.

ELK SIEM Open Distro: Ponahalo ea li-dashboard tsa ELK le SIEM ho ELK

Kea leboha ka nako ea hau. Ke tšepa hore u fumane sehlooho sena se thusa. Haeba u batla ho tseba haholoanyane ka sehlooho, re khothaletsa hore u etele websaete ea molao.

Puisano ea thelekramo ho Elasticsearch: https://t.me/elasticsearch_ru

Source: www.habr.com

Eketsa ka tlhaloso