Introduction
When investigating malicious alerts in Elastic Security, it is essential to determine the type of malicious activity that is detected from an alert for response and remediation. There are many methods to perform for malicious alert investigation.
The first step in the malicious alert investigation is identification.
As the user, you will need to identify the alert and the rule that triggered the alert.
Identification of the alert encompasses the following:
Type of alert:
Malicious Alert, Ransomware Alert, etc.
Severity Classification:
Determining the severity of the malicious alert:
- Critical
- Medium
- Low
Timestamp:
The time the alert executed
Triggering of the Alert:
Alert Reason:
Alert destination- Destination IP, Windows System Registry Files, Process Executables, Script Execution
Step 2:
Tracing the Alert
- Alert Origin: Determine the origin of the alert
- Source IP address
- Host Name: Windows, MacOS, Linux
- Process Name and File Name
Step 3:
Investigation:
- Investigating the alert details and using the feature capabilities in Elastic SIEM and from any other logs and IDS sources integrations
- The behavior of the malicious activity
- Determine if it is a False Positive or a True Positive
- False Positive Classification: Mark as
False Positiveand Document any context - True Positive: Escalate and Perform IRP (Incident Response Procedures)
Document the findings:
Create an incident case for the alert if it is a True Positive and Document the Findings and record in an Incident Response Investigation Case
In the following example, I will apply the investigation techniques that I have outlined when investigating a malicious alert in Elastic Security.
In this scenario, I have applied a filter in the KQL search bar to provide results of alert rules for Malicious Detection or Ransomware Detection
The KQL filter:
kibana.alert.rule.name : "Malware Detection Alert" or kibana.alert.rule.name: "Ransomware Detection Alert"
Once the filter is applied, I will only see the Type of Alert results for Malware Detection Alerts or Ransomware Alerts in the Alerts Table
From the Alerts Table view and column details, I can see that the alerts are both “Critical”, which is the Severity Classification
I can also see the Reason for the Alert triggering details:
Next, I want to apply methods for the second step, and I will select for an example the first “Ransomware Detection Alert” with a timestamp of in the @timestamp field: "2023-12-24T22:35:02.889Z"
Tracing the alert:
In this case, I’m viewing different areas:
I observed initially in the Alerts Table, there is no source IP address which is not uncommon for malware.
Malware can obfuscate and mask their identity.
The “reason” that the alert triggered:
Ransomware.feature: "behavior"
Type of Host:
windev811host
Process.name:
process.name: "powershell.exe"
I will select the View Details to observe and get an overview of the Investigation for this rule and highlighted fields.
In View details I observe the following:
A brief overview of the rule description, alert reason, Highlighted fields, Visualizations, Insights, and Response.
When I expand the Details:
I observe the User and Host information, IP and MAC addresses (masked for security & privacy purposes) in the Insights tab Entities information
Selection of the other tabs Threat Intelligence (produced no results), Prevalance(behavior for the last 30 days on host.name: windev811host, and Correlations (info not applicable and did not show any demonstrated source events that were similar to the ransomware behavior)
Threat Intelligence details in Insight tab:
Prevalence details in Insight tab:
Correlations details in Insight tab:
Next, I will determine the type of behavior of the alert which is part of the third step via visualization.
I uncollapsed the expand details view and navigate back to the Visualizations tab in the Alert Details Flyout.
Select -> Analyzer Preview:
In Analyzer Preview, I observe the trace of the malicious file that triggered the alert which was a powershell.exe script.
Observe that the file change was in "C:\Users\User\AppData" path
The fsutil command fsutil.exe show the change and modifcatiion of the process.args of the ransomware file in System32 directory path
Observations:
-
I have determined from the investigation methods from the behavior that the alert is a True Positive for Ransomware Detection and requires escalation.
-
The next step after gathering the findings, is to create an IR (Incident Response) case and execute IRP (Incident Response Plan) procedures
Document Findings:
After performing all the steps for investigation, the final stage is documenting all the findings. The findings are a collection of evidence gathered from Elastic Security, external integrations that are configured such as log sources, monitoring tools, firewall appliances, etc. In the example I used for malicious alert activity, I have used the Elastic Security capabilities for my primary investigation for example purposes. Based on the evidence gathered, from the malicious alert investigation the findings can be recorded and the next plan of action for remediation and IR (Incident Response) can be performed to ensure remediation and prevent further exploitation.
Conclusion
Elastic Security provides a comprehensive XDR and EDR security solution platform for malicious alert investigation. The features that are included can be effective in both defensive and offensive strategies. Utilization of the SIEM capabilities can be a key component for threat detection, threat hunting, and SOAR (Security Orchestration And Response) to aid in the security of any infrastructure environment.
Want to test out Elastic Security and learn more? Please feel free to sign up with a 14 day Elastic Cloud trial and experience Elastic Security in Cloud.
