Elastic SIEM. Security rules doesn't work

Dmitriy_Esin · November 24, 2021, 4:40pm

Hi all!
I have an issue with the Elastic Security Rules.

I've installed the elastic agents on my target instances:

I can successfully see its data streams:

I've created default enrolment policy for my agents:

Here is my yml file generated by Elastic:

DmitriyEsin/elk_yml/blob/main/elastic-agent.yml

id: 856f27a0-122f-11ec-8308-176e4cb272f3
revision: 47
outputs:
  default:
    type: elasticsearch
    hosts: [HOST:9200]
    username: USERNAME
    password: PASSWORD

    protocol: "https"
    ssl.certificate_authorities: ["/etc/pki/elk/elk.pem"]
    ssl.enabled: true
output_permissions:
  default:
    system-1:
      indices:
        - names:
            - logs-system.auth-default
          privileges:
            - auto_configure

This file has been truncated. show original

As you see, I've configured the Default policy with system-1, Endpoint Security integration, linux-1, Prebuilt Security Rules. But I can's see Prebuilt Security Rules integration in the yml.

Also, I can't understand why default prebuilt security rules don't work (no succeeded rules):

I will be pleased to receive any help!
Thank you!

Jonathan_Buttner · November 24, 2021, 7:31pm

Hey @Dmitriy_Esin thanks for the question!
If you click on the Rule Monitoring tab within Rules, does it show any error messages relating to the prebuilt rules?

Could you also provide some Kibana logs? The Detection Rules should log some warnings and errors if they're running into problems.

Dmitriy_Esin · November 25, 2021, 9:47am

Hi @Jonathan_Buttner thanks for you reply!

Here is the example screenshot of the the prebuilt rule:

I have specific warnings in each prebuilt rule.

Unfortunately I can't find any logs from Kibana in web UI (elastic stack is in kubernetes), but I've found container logs (may be it's wrong logs)

github.com

DmitriyEsin/elk_yml/blob/main/kibana-kibana-f6b49655-x6t2c.log

{"type":"log","@timestamp":"2021-11-25T08:33:53+00:00","tags":["info","plugins","security","authentication"],"pid":1213,"message":"Authentication attempt failed: {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [USER] for REST request [/_security/_authenticate]\",\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]}}],\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [USER] for REST request [/_security/_authenticate]\",\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]}},\"status\":401}"}
{"type":"response","@timestamp":"2021-11-25T08:33:53+00:00","tags":[],"pid":1213,"method":"get","statusCode":401,"req":{"url":"/","method":"get","headers":{"host":"KIBANA_HOST","x-request-id":"fcdd8c3b1e8cfe81e642259a6236dd27","x-real-ip":"10.2.4.196","x-forwarded-for":"10.2.4.196","x-forwarded-host":"KIBANA_HOST","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","accept":"*/*","accept-encoding":"deflate, gzip","user-agent":"GoogleStackdriverMonitoring-UptimeChecks(https://cloud.google.com/monitoring)"},"remoteAddress":"10.1.8.60","userAgent":"GoogleStackdriverMonitoring-UptimeChecks(https://cloud.google.com/monitoring)"},"res":{"statusCode":401,"responseTime":33,"contentLength":6},"message":"GET / 401 33ms - 6.0B"}
{"type":"response","@timestamp":"2021-11-25T08:34:03+00:00","tags":["access:securitySolution"],"pid":1213,"method":"get","statusCode":200,"req":{"url":"/api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc","method":"get","headers":{"host":"KIBANA_HOST","x-request-id":"49a0351c26f9207f3150618226dc8fb2","x-real-ip":"10.2.4.230","x-forwarded-for":"10.2.4.230","x-forwarded-host":"KIBANA_HOST","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"96\", \"Google Chrome\";v=\"96\"","content-type":"application/json","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36","kbn-version":"7.14.0","sec-ch-ua-platform":"\"macOS\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://KIBANA_HOST/app/security/rules?sourcerer=(default:!(%27filebeat-*%27,%27logs-*%27))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272021-11-24T21:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272021-11-25T20:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272021-11-24T21:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272021-11-25T20:59:59.999Z%27,toStr:now%2Fd)))","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8,ru;q=0.7"},"remoteAddress":"10.1.8.60","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36","referer":"https://KIBANA_HOST/app/security/rules?sourcerer=(default:!(%27filebeat-*%27,%27logs-*%27))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272021-11-24T21:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272021-11-25T20:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272021-11-24T21:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272021-11-25T20:59:59.999Z%27,toStr:now%2Fd)))"},"res":{"statusCode":200,"responseTime":180,"contentLength":50553},"message":"GET /api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc 200 180ms - 49.4KB"}
{"type":"response","@timestamp":"2021-11-25T08:34:04+00:00","tags":["access:securitySolution"],"pid":1213,"method":"post","statusCode":200,"req":{"url":"/api/detection_engine/rules/_find_statuses","method":"post","headers":{"host":"KIBANA_HOST","x-request-id":"6eff3ec9d8c1ddad5dfd5e08d0299b85","x-real-ip":"10.2.4.230","x-forwarded-for":"10.2.4.230","x-forwarded-host":"KIBANA_HOST","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","content-length":"789","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"96\", \"Google Chrome\";v=\"96\"","content-type":"application/json","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36","kbn-version":"7.14.0","sec-ch-ua-platform":"\"macOS\"","accept":"*/*","origin":"https://KIBANA_HOST","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://KIBANA_HOST/app/security/rules?sourcerer=(default:!(%27filebeat-*%27,%27logs-*%27))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272021-11-24T21:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272021-11-25T20:59:59.999Z%27,

This file has been truncated. show original

Thank you for your help!

Dmitriy_Esin · November 29, 2021, 2:07pm

Any update on this? Thank you!

Dmitriy_Esin · November 29, 2021, 2:09pm

Here is nothing to configure

Jonathan_Buttner · November 29, 2021, 6:24pm

Hey @Dmitriy_Esin looks like the issues is that the rule isn't seeing data within the index patterns auditbeat-* or logs-endpoint.events.*. Could you check the Stack Management -> Index Management page, enable hidden indices, and then search for auditbeat or events and see if anything comes up that would match those patterns?

Here's an example

If the Docs count is zero or nothing is found it likely means that Elasticsearch hasn't received any events from auditbeat or the elastic endpoint.

Dmitriy_Esin · November 29, 2021, 6:32pm

Hi @Jonathan_Buttner !
Yes, unfortunately, I've tried it, but there are no indices that we need

Dmitriy_Esin · November 29, 2021, 6:34pm

I know that agents create indices themselves when we use any integration, but there is no Prebuilt Security Rules integration in my elastic-agent.yml and I can't configure it

Dmitriy_Esin · November 29, 2021, 6:37pm

thank you for your answer! I'll try to install auditbeat.

Dmitriy_Esin · November 29, 2021, 6:49pm

Thank you so much!!!
You saved me!
It works well now!

Dmitriy_Esin · November 29, 2021, 7:31pm

@Jonathan_Buttner one more question from me:

All rules are well, and I'm very grateful to you for your assistance, but one rule has a status "warning"

Can I kindly ask you to help to understand how to resolve it?

Jonathan_Buttner · November 29, 2021, 7:58pm

I'm glad you got it working! The warnings about the event.ingested are indicating that auditbeat and elastic agent aren't populating the event.ingested field. While it's ideal to have this field populated it's not required. The detection rules will fallback to using the @timestamp field instead. You could add a new pipeline that sets this field like this: https://github.com/elastic/beats/pull/20386/files#diff-c6f5ae0e8e34c2011f1b042924c2e20d59df35ae8d70786ec56970fa77c8e973R3-R5

and configure it to be used in auditbeat: Define processors | Auditbeat Reference [8.11] | Elastic

I believe filebeat populates this field by default but the other beats don't.

For more details on what event.ingested is used for: Create a detection rule | Elastic Security Solution [8.11] | Elastic

Specifically item j:

Timestamp override (optional): Select a source event timestamp field. When selected, the rule’s query uses the selected field, instead of the default @timestamp field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to Elasticsearch, this avoids missing alerts due to ingestion delays.

system · December 27, 2021, 7:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.