I have a list of Windows Event ID's associated with APT activity but I only want it to pop into the dashboard if more than one event happens to the same workstation within a certain amount of time.
I would setup something to watch the data in the winlogbeat-* indices and then when it sees something matching the patterns/rules you have defined then have it write a new event back into Elasticsearch in a separate index (like alerts). Then build your a dashboards off the data in the alerts index.
You could use Alerting (an X-Pack feature) to implement the monitoring where you look for specific events. With Alerting you setup a watch which is usually an ES query, it get's fired on an interval, and you an index the results back into ES or trigger an email or slack alert. See Getting Started with Alerting.
Another option might be to route the data through Logstash and use the aggregate filter and possibly the elasticsearch filter. With this method you would built up some state in Logstash then emit events when there is a match.
Hey @andrewkroh looks like I might have some time to work on this, but where do I put it? I.E. where on the elkstack server do I put my logic? Like a list of malicious powershell commands to look for in 4103 or 4104? And then have kibana dashboard based on this? Example, If IEX appears in the 4104 'scriptblock text' add this to the dashboard, along with computer_name and 3 previous scriptblock text events. Or something along those lines... where do I get started on adding this logic?
To get started with this I would begin by writing some ES queries that return the interesting events. Then once you have some queries ready for automation I would install X-Pack to ES and Kibana. Once X-Pack is installed you can turn those queries into alerts. See Getting Started.
I recommend working in small iterations. Get the query working on its own before starting with the alert development. And when you start on the alerts do the most basic thing first and create an alert using the logging action before graduating to the index action where you write new data back into ES.
What if I have a LONG list of powershell or windows commands that might be used for malicious purposes and I want any of these events that appear in the command line logs to pop into the dashboard . In python I could save the list externally and call it in a variable, with the elasticsearch query do I have to paste the entire list into the dashboard search?
No, you develop the query in the dev console then use it as the input to a watch that creates the alerts.
This information needs to part of the query or you need to create multiple queries. There may be other optimizations that you can perform to make it easier to maintain the watch. Once you have a working watch with your list of powershell commands it would good to ask in the X-Pack forum and see if there are any recommendations.
and it's a long list of items, I have to use an array? A 'term's' query and a LONG list of array items - Can I just put the enitre list in one array? Any limits to that?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.