Dec 25th, 2022: [EN] How to build a cluster for Elastic Security: Best practices for creating and generating security data in Elastic Cloud

Introduction

When building a cluster for Elastic Security in Elastic Cloud, there are several ways to add security data. The easiest way to add and ship security data to Elastic Cloud is to use Elastic Agent integrations.

There are a number of factors to consider before creating and building a cluster for Elastic Security:

  • Determine the type of data best suited to the use case - data architecture and design.

  • Check that the host environment has sufficient resources to allocate - depending on the type of data and analytics, CPU and storage capacity may need to be scaled.

  • Check existing apps for compatibility so that potential conflicts are identified and resolved early - a number of security integrations are viable and commonly used in SIEM environments.

  • Identify any external third-party apps that will be needed for integration, verify that existing applications will integrate with them, and identify any potential conflicts.

  • Determine how the data will be used and what results are expected - the generated data is displayed through visualizations, dashboards, and metrics and, depending on the use case, can be used for reporting, monitoring, and analytics.

How to add integrations and generate security data

  1. Create a deployment in Elastic Cloud (free 14-day trial for Elastic Cloud).
  • I created a deployment TTesting8.5.3 with a 1 GB Kibana instance and a 1 GB Machine Learning instance for anomaly detection of ML jobs, detection rules, and alerts.

  2. On the Kibana home screen, select Add Integrations.

  3. A number of integrations are displayed. You can also filter for the type of integrations that you want to see. In this case, I filtered for Security integrations.

  4. Select the type of Elastic Agent integration that you want to add. In this scenario, I will select Network Capture to capture network traffic from various protocols. I selected new hosts and named the policy networktrafficagencypolicy3debian.

  5. A pop-out window appears; select Add Elastic Agent to your hosts. A flyout then offers options to add Elastic Agent based on the OS. In this scenario, I selected the Linux/Tar option. Copy the commands for the OS option that matches your host.

Note: Only one Elastic Agent can be installed per host. If you want to install on multiple OS environments, a recommendation is to use virtual machines or containers.
I have Elastic Agent installed on both Linux and Windows environments in Parallels Desktop on macOS.

  6. Open a terminal window and paste the copied commands. In this scenario, I opened a terminal window on Debian GNU/Linux 11.3 hosted in my Parallels Desktop virtual environment on macOS and pasted the contents on the command line.

  7. Go back to your Elastic Cloud deployment to confirm that the Elastic Agent is installed and data is being shipped.

  8. To view the visualization dashboards for this integration, select from the left panel, under the Kibana section, Analytics --> Dashboard. You will be shown a list of the dashboards associated with this integration.

In this scenario, I selected Network Packet Capture Overview to get a comprehensive view of traffic latency and response times of the different transaction types on all hosts with this integration:

Network Packet Capture Overview on all hosts
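As an added example (not part of the original post), here is the check behind step 7 that a practitioner would script rather than eyeball in the UI: query the deployment's network_traffic data streams for the newest event per agent and list the hosts that have shipped nothing in the last few minutes. It assumes the Elasticsearch endpoint in the ES_URL environment variable and an API key in ES_API_KEY; the host names and the sample response are constructed.

```python
import json
import os
import urllib.request
# Data streams written by the Network Packet Capture integration
# (e.g. logs-network_traffic.http-default, logs-network_traffic.dns-default).
INDEX_PATTERN = "logs-network_traffic.*"

def build_freshness_query(minutes=15):
    """Search body: newest @timestamp per agent.name within the last N minutes."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
        "aggs": {"per_agent": {
            "terms": {"field": "agent.name", "size": 500},
            "aggs": {"last_seen": {"max": {"field": "@timestamp"}}},
        }},
    }

def last_seen_by_host(response):
    """Flatten the terms aggregation into {agent.name: last @timestamp}."""
    buckets = response["aggregations"]["per_agent"]["buckets"]
    return {b["key"]: b["last_seen"]["value_as_string"] for b in buckets}

def silent_hosts(response, expected_hosts):
    """Hosts that should run the integration but shipped nothing in the window."""
    seen = last_seen_by_host(response)
    return sorted(h for h in expected_hosts if h not in seen)

def query_elastic_cloud(minutes=15):
    """Run the query against a real deployment (ES_URL and ES_API_KEY env vars)."""
    req = urllib.request.Request(
        f"{os.environ['ES_URL']}/{INDEX_PATTERN}/_search",
        data=json.dumps(build_freshness_query(minutes)).encode(),
        headers={"Authorization": f"ApiKey {os.environ['ES_API_KEY']}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample response: only the Debian agent has shipped packets.
SAMPLE_RESPONSE = {"aggregations": {"per_agent": {"buckets": [
    {"key": "debian11", "doc_count": 1342,
     "last_seen": {"value": 1671984000000,
                   "value_as_string": "2022-12-25T16:00:00.000Z"}},
]}}}

if __name__ == "__main__":
    resp = query_elastic_cloud() if "ES_URL" in os.environ else SAMPLE_RESPONSE
    print("silent hosts:", silent_hosts(resp, ["debian11", "win11"]))
```

A host that appears in the silent list either has no running agent or its policy is not writing packet data, which is what the dashboard in step 8 would otherwise show only as missing series.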

Conclusion
Elastic Agent integrations are an effective, time-saving way to add security data. The variety of options for shipping data from third-party apps reduces manual setup and configuration. By following best practices for building the cluster and ingesting data, the security solution is a viable option for security analytics, detection, and monitoring in both production and non-production environments.

Want to practice with Elastic integrations and explore security data? Feel free to sign up for a 14-day Elastic Cloud trial, which includes the option to add sample data and prebuilt detection rules.
