I am currently doing the DGA integration but I can't install elastic Defender, I have read that it can be done with packetbeat, can you help me how to do it, according to this DGA documentation I have done up to step 5 but from here on I don't know what to do,
can you help me what I have to do, or if you have documentation of what are the next steps to do it with packetbeat.
Thank you very much.
Hi @Miguel_Martinez ,
For Packetbeat, start with the normal instructions as you did, but when you get to the pipeline configuration step, use the following steps.
In Kibana, navigate to Management > Dev Tools and run the following to create a new component template:
PUT _component_template/packetbeat-dga-{DGA_VERSION}
{
"template": {
"mappings": {
"properties": {
"ml_is_dga": {
"type": "object",
"properties": {
"malicious_prediction": {
"type": "long"
},
"malicious_probability": {
"type": "float"
}
}
}
}
},
"settings": {
"index": {
"final_pipeline": "{DGA_VERSION}-ml_dga_ingest_pipeline"
}
}
}
}
Be sure to change {DGA_VERSION} to the version of the Domain Generation Algorithm Detection integration you are using.
Then navigate to Stack Management > Data > Index Management > Index Templates. Find the index template packetbeat-{PACKETBEAT_VERSION} for the Packetbeat version that you are using and click Edit. Then click on Component templates. Add the packetbeat-dga-{DGA_VERSION} component template that was created in the previous step. Click Review template then Save template.
Finally, roll over that index in Dev Tools:
POST packetbeat-{PACKETBEAT_VERSION}/_rollover
You should now see the mapped fields under ml_is_dga and new predictions being generated.
Gus
Thank you very much I was able to solve it thanks to you,
These were the steps I followed,
PUT _ingest/pipeline/logs-endpoint.events.network@custom
{
"processors": [
{
"pipeline": {
"name": "2.0.4-ml_dga_ingest_pipeline",
"ignore_missing_pipeline": true,
"ignore_failure": true
}
}
]
}
PUT _component_template/packetbeat-dga-2.0.4
{
"template": {
"mappings": {
"properties": {
"ml_is_dga": {
"type": "object",
"properties": {
"malicious_prediction": {
"type": "long"
},
"malicious_probability": {
"type": "float"
}
}
}
}
},
"settings": {
"index": {
"final_pipeline": "2.0.4-ml_dga_ingest_pipeline"
}
}
}
}
PUT packetbeat-8.8.2-000001
{
"aliases": {
"packetbeat-dga-alias": {
"is_write_index": true
}
}
}
packetbeat.interfaces.device: any
packetbeat.protocols:
- type: dns
ports: [53]
include_authorities: true
include_additionals: true
cloud.id: "cloud_id"
output.elasticsearch:
api_key: "id:api_key"
pipeline: "logs-endpoint.events.network@custom"
index: "packetbeat-dga-alias"
setup.template.name: "packetbeat-dga-2.0.4"
setup.template.pattern: "packetbeat-dga-*"
setup.template.enabled: true
setup.template.settings:
index:
final_pipeline: "2.0.4-ml_dga_ingest_pipeline"
And it all worked
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.