Esi sithuba siya kuchaza ukuseta umboniso we-ELK kunye ne-SIEM yedashboards kwi-ELK
Inqaku lahlulwe ngokwala macandelo alandelayo:
1- Uphononongo lwe-ELK SIEM
2- Iideshibhodi ezihlala zikho
3- Ukwenza iideshibhodi zakho zokuqala
Uluhlu lweziqulatho zazo zonke izithuba.
- Ukudityaniswa ne-WAZUH
- Iyalumkisa
- Ingxelo
- Ulawulo lweNkundla
1-ELK SIEM Uphononongo
I-ELK SIEM isandula kongezwa kwisitaki se-elk kwinguqulo 7.2 ngoJuni 25, 2019.
Esi sisisombululo se-SIEM esenziwe yi-elastic.co ukwenza ubomi bomhlalutyi wokhuseleko bube lula kwaye bunganendi.
Kwinguqulelo yethu yomsebenzi, sigqibe ekubeni senze eyethu i-SIEM kwaye sikhethe eyethu iphaneli yokulawula.
Kodwa sicinga ukuba kubalulekile ukuhlola i-ELK SIEM kuqala.
1.1- Icandelo lokusingatha imisitho
Siza kujonga icandelo lokusingatha kuqala. Icandelo lokusingatha liya kukuvumela ukuba ubone iziganeko eziveliswa kwisiphelo ngokwayo.
Emva kokucofa kwiinginginya zokujonga kufuneka ufumane into enje. Njengoko ubona, kukho iinginginya ezintathu eziqhagamshelwe kule khompyutha:
1 Windows 10.
2 Ubuntu Server 18.04.
Sinemibono emininzi ebonisiweyo, nganye imele iindidi ezahlukeneyo zeziganeko.
Umzekelo, lowo usembindini ubonisa idatha yokungena kubo bobathathu oomatshini.
Esi sixa sedatha osibonayo apha siqokelelwe kwiintsuku ezintlanu. Oku kucacisa inani elikhulu lokungaphumeleli kunye nokungena okuyimpumelelo. Mhlawumbi uya kuba nenani elincinci lezigodo, ngoko ungakhathazeki
1.2-Icandelo leziganeko zothungelwano
Ukuqhubela phambili kwicandelo lothungelwano, kufuneka ufumane into enje. Eli candelo liza kukuvumela ukuba ugcine iliso elibukhali kuyo yonke into eyenzekayo kwinethiwekhi yakho, ukusuka kwi-HTTP/TLS traffic ukuya kwi-DNS traffic kunye nezilumkiso zesiganeko sangaphandle.
2- Iideshibhodi ezihlala zikho
Ukwenza ubomi bube lula kubasebenzisi, abaphuhlisi be-elastic.co benze i-toolbar engagqibekanga exhaswa ngokusemthethweni yi-ELK. Ukubetha kwethu kwakungeyongxaki kulo mthetho. Apha ndiza kusebenzisa iidashbhodi zePacketbeat ezingagqibekanga njengomzekelo.
Ukuba ulandele inyathelo lesibini lenqaku ngokuchanekileyo. Kuya kufuneka ube nebar yesixhobo esekiweyo ikulindile. Ngoko masiqalise.
Ukusuka kwithebhu yasekhohlo yaseKibana, khetha isimboli yedeshibhodi. Le yeyesithathu, ukuba ubala ukusuka phezulu.
Ngenisa igama lokwabelana kwithebhu yokukhangela
Ukuba kukho iimodyuli ezininzi kwi-bit. Iphaneli yolawulo iya kwenziwa kumntu ngamnye kubo. Kodwa kuphela enye enemodyuli esebenzayo eya kubonisa idatha engenanto.
Khetha enegama lemodyuli yakho.
Le yeyona template iphambili I-PacketBeat.
Le yiphaneli yolawulo lokuhamba komsebenzi womnatha. Iya kusixelela ngepakethi engenayo kunye nephumayo, imithombo kunye neendawo eziya kuzo iidilesi ze-IP, kwaye inikezela ngolwazi oluninzi oluluncedo kumhlalutyi weziko lokhuseleko.
3 - Ukudala iideshibhodi zakho zokuqala
3β1- Iingcamango ezisisiseko
A- Iintlobo zeedeshibhodi:
Ezi ntlobo ezahlukeneyo zokubonwayo onokuzisebenzisa ukujonga idatha yakho.
umzekelo sine:
- igrafu yebha
- imephu
- Iwijethi yeMarkdown
- Itshathi yephayi
B- KQL (Ulwimi loMbuzo waseKibana):
Olu lulwimi olusetyenziswa kwi-Kibana ukuze kube lula ukukhangela idatha. Ikuvumela ukuba ujonge ukuba kukho idatha ethile kunye nezinye izinto ezininzi eziluncedo. Ukufumana ngakumbi, ungajonga ulwazi kule link
Lo ngumzekelo wombuzo wokufumana umamkeli osebenzayo Windows 10 pro.
C- Izihluzi:
Eli nqaku liza kukuvumela ukuba ucoce iiparameters ezithile ezifana negama lomninimzi, ikhowudi yesiganeko okanye i-ID, njl. Izihluzi ziya kuphucula kakhulu isigaba sophando ngokwexesha kunye nomzamo ochithwe ukukhangela ubungqina.
D-Umboniso wokuqala:
Masenze umboniso we MITER ATT & CK.
Okokuqala kufuneka siye kuyo Dashboard β Yenza ideshibhodi entshaβyenza entsha βIdeshbhodi yePie
Cwangcisa uhlobo lwepateni yesalathisi, emva koko ucofe igama lesingqi sakho.
Cofa u-Enter. Ngoku kufuneka ubone idonathi eluhlaza.
Kwi-Buckets thebhu ngasekhohlo uya kufumana:
- Ukwahlula izilayi kuya kwahlula i-donut kwiindawo ezahlukeneyo ngokuxhomekeke ekusasazeni idatha.
-Itshathi yokwahlula iya kudala enye idonathi ecaleni kwale.
Siza kusebenzisa izilayi eziqhekezayo.
Siza kubona idatha yethu ngokuxhomekeke kwixesha esilikhethayo. Kule meko igama lizakubhekisa kwi MITER ATT & CK.
KwiWinlogbeat, indawo eza kusinika olu lwazi ibizwa ngokuba:
winlog.event_data.RuleNameSiza kuseka i-metric yokubala uku-odola iziganeko ngokusekelwe kwinani lamaxesha ezenzeke ngalo.
Nika amandla inqaku elithi "Qela amanye amaxabiso kwicandelo elahlukileyo".
Oku kuya kuba luncedo ukuba amagama owakhethayo aneentsingiselo ezininzi ezahlukeneyo ezisekelwe kwisingqisho. Oku kunceda ukujonga yonke idatha xa iyonke. Oku kuya kukunika umbono wepesenti yeziganeko eziseleyo.
Ngoku sele sigqibile ukuseta ithebhu yedatha, masiqhubele phambili siye kwiinketho zethebhu
Kufuneka wenze oku kulandelayo:
**Susa imilo yedonut ukuze unikezelo lubonise isangqa esipheleleyo.
**Khetha indawo yelivo oyithandayo. Kule meko, siya kuzibonisa ekunene.
**Seta amaxabiso okubonisa ukubonisa ecaleni kwesnippet yabo ukuze ufundeke ngokulula kwaye ushiye ukuphumla njengokuhlala kuhleli
Ukunqunyanyiswa kugqiba ukuba ufuna ukubonisa kangakanani kwigama lesiganeko.
Seta ixesha ofuna unikezelo luqale ngalo, kwaye emva koko ucofe isikwere esiluhlaza.
Kuya kufuneka ugqibe ngento efana nale:
Ungongeza kwakhona icebo lokucoca kumboniso wakho ukucoca ngaphandle umamkeli othile ofuna ukuwujonga okanye naziphi na iiparamitha ocinga ziluncedo kwinjongo yakho. Umboniso uza kubonisa kuphela idatha ehambelana nomgaqo obekwe kwisihluzi. Kule meko, siya kubonisa kuphela idatha ye-MITER ATT & CK evela kumamkeli ogama lingu-win10.
3-2- Ukwenza ideshibhodi yakho yokuqala:
Ideshibhodi yingqokelela yemibono emininzi. Iideshibhodi zakho kufuneka zicace, ziqondeke, kwaye ziqulathe ulwazi oluluncedo, oluqinisekileyo. Nanku umzekelo wedeshbhodi esizenzileyo ukusuka ekuqaleni kwi-winlogbeat.
Enkosi ngexesha lakho. Ndiyathemba ukuba ulifumene liluncedo eli nqaku. Ukuba ungathanda ulwazi oluninzi ngesihloko, sicebisa ukuba undwendwele .
Incoko yeTelegram kwi-Elasticsearch:
umthombo: www.habr.com