Correlation of Windows Event ID's

I have a list of Windows Event ID's associated with APT activity but I only want it to pop into the dashboard if more than one event happens to the same workstation within a certain amount of time.

Is this possible? If so, where would I do it?

...any related topics seem to be closed.

I would setup something to watch the data in the winlogbeat-* indices and then when it sees something matching the patterns/rules you have defined then have it write a new event back into Elasticsearch in a separate index (like alerts). Then build your a dashboards off the data in the alerts index.

You could use Alerting (an X-Pack feature) to implement the monitoring where you look for specific events. With Alerting you setup a watch which is usually an ES query, it get's fired on an interval, and you an index the results back into ES or trigger an email or slack alert. See Getting Started with Alerting.

Another option might be to route the data through Logstash and use the aggregate filter and possibly the elasticsearch filter. With this method you would built up some state in Logstash then emit events when there is a match.

2 Likes

Perfect, thanks Andrew!

Hey @andrewkroh looks like I might have some time to work on this, but where do I put it? I.E. where on the elkstack server do I put my logic? Like a list of malicious powershell commands to look for in 4103 or 4104? And then have kibana dashboard based on this? Example, If IEX appears in the 4104 'scriptblock text' add this to the dashboard, along with computer_name and 3 previous scriptblock text events. Or something along those lines... where do I get started on adding this logic?

To get started with this I would begin by writing some ES queries that return the interesting events. Then once you have some queries ready for automation I would install X-Pack to ES and Kibana. Once X-Pack is installed you can turn those queries into alerts. See Getting Started.

I recommend working in small iterations. Get the query working on its own before starting with the alert development. And when you start on the alerts do the most basic thing first and create an alert using the logging action before graduating to the index action where you write new data back into ES.

I'd use the Kibana dev console for development or try the new Watcher UI in Kibana.

Got it, so whatever queries I come up with in dev tools I paste directly into the search and save the overall dashboard?

What if I have a LONG list of powershell or windows commands that might be used for malicious purposes and I want any of these events that appear in the command line logs to pop into the dashboard . In python I could save the list externally and call it in a variable, with the elasticsearch query do I have to paste the entire list into the dashboard search?

Thanks @andrewkroh I appreciate your patience!!!

No, you develop the query in the dev console then use it as the input to a watch that creates the alerts.

This information needs to part of the query or you need to create multiple queries. There may be other optimizations that you can perform to make it easier to maintain the watch. Once you have a working watch with your list of powershell commands it would good to ask in the X-Pack forum and see if there are any recommendations.

No guarantee I can get xpack, trying to, but no guarantee...

I can't create a dashboard like this without x-pack? No alerts but the dashboard is filtered on the list malicious commands?

You can use a custom query in Kibana. See https://www.elastic.co/guide/en/kibana/5.6/field-filter.html#filter-edit

One last question and I'll try and leave you alone for a little :slight_smile: regarding searching a list of items or bad powershell commands.

If I use something like this...
https://www.elastic.co/guide/en/elasticsearch/guide/current/_finding_multiple_exact_values.html

and it's a long list of items, I have to use an array? A 'term's' query and a LONG list of array items - Can I just put the enitre list in one array? Any limits to that?

{
"terms" : {
"CommandLine" : [Set-ExecutionPolicy, Mimikatz, EncodedCommand]
}
}

... and a ton more in this array...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.