Elastic SIEM showing duplicate hosts when Defender ATP logs are shipped in

I am currently working on getting together a POC of the Elastic SIEM solution. I already have a machine shipping logs into Elasticsearch with a winlogbeat agent and I am showing in the Hosts section of the SIEM that logs are coming in for that host.

I then set up a filebeat agent and activated the Microsoft module to collect Defender ATP alerts from the cloud. The issue is that these alerts are not being associated with the existing host when I set off an EICAR test alert. A second host is now showing up under hosts with the same host name and only external has the external alerts from ATP. This has the same host.name but is lower case instead of upper case.

Additionally, it looks like sometimes winlogbeat is sending the host.name as the FQDN and sometimes it is only sending the computer name which is creating a 3rd host for the same computer.

I'm not sure if I should just start shipping the logs into logstash so that I can normalize the data or if there is a better way to do that? Any suggestions would be appreciated.
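One way to collapse the three host variants (upper case, lower case, FQDN) without standing up Logstash is an Elasticsearch ingest pipeline that rewrites host.name before indexing. This is an added example, not configuration from the thread or from Elastic; the pipeline name and the host.name_raw field are assumptions.

```json
{
  "description": "Normalize host.name so Winlogbeat and the Defender ATP Filebeat module agree on one host key (added example)",
  "processors": [
    {
      "set": {
        "description": "Keep the value the agent actually sent (custom field, assumption) so the rewrite is auditable",
        "if": "ctx.host?.name != null",
        "field": "host.name_raw",
        "copy_from": "host.name"
      }
    },
    {
      "lowercase": {
        "description": "Defender ATP sends lower case, Winlogbeat sends upper case; pick lower case",
        "field": "host.name",
        "ignore_missing": true
      }
    },
    {
      "gsub": {
        "description": "Strip any DNS suffix so HOST01.corp.example.com and HOST01 both become host01",
        "field": "host.name",
        "pattern": "\\..*$",
        "replacement": "",
        "ignore_missing": true
      }
    },
    {
      "lowercase": {
        "description": "Apply the same case rule to host.hostname for consistency",
        "field": "host.hostname",
        "ignore_missing": true
      }
    }
  ]
}
```

Attach it as `index.final_pipeline` on the winlogbeat and filebeat index templates so it runs after the Microsoft module's own pipeline, and check the result with `POST _ingest/pipeline/_simulate` using one document per variant before touching live data. Note that this only fixes new events; documents already indexed under the other two names stay as they are.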

Hi @InnerJoin.

This looks like it might be a bug in the Hosts page in the Security App. I filed https://github.com/elastic/kibana/issues/77964 where it can be tracked.

@ph do you have any idea why the same Winlogbeat may be reporting different host.name values?

Thank you @ferullo. Also if it helps at all, other than changing the Kibana and Elasticsearch portions of the .yml files and authentication in the Microsoft filebeat module, everything is default so I haven't edited what shipped with the beats other than what was required for connecting to either the source or elastic stack instances.

Also, I'm new to the product but is it possible to add dashboards to the Security App? I can see several use cases where it would be beneficial for me to be able to make some links to AD users especially for phishing use cases where I don't generally have machine information but I have user information and I can link the user at that time to what machine they were logged into. I can also see the benefit for having the sign-in info for different cloud solutions (O365, Azure, AWS, etc.) which may be SAML integrated to AD users all in one place. I understand why this may not be shipped with that in place because that is a lot of use cases which are all probably different depending on implementation but if I can build it then can I add it to the app?

Also, is there anywhere I can look to see what the searches are for the Security app so that I can make sure that I match up any external alerts that I would like to make available to the hosts? I'm just not clear what the searches are in the app. I have found the place where indexes are specified but I don't know what fields the correlation is happening on for the various alerts.

Hi @InnerJoin, Thanks for giving our SIEM solution a spin.

Let me try to address some of your questions.

> Also, I'm new to the product but is it possible to add dashboards to the Security App? I can see several use cases where it would be beneficial for me to be able to make some links to AD users especially for phishing use cases where I don't generally have machine information but I have user information and I can link the user at that time to what machine they were logged into. I can also see the benefit for having the sign-in info for different cloud solutions (O365, Azure, AWS, etc.) which may be SAML integrated to AD users all in one place. I understand why this may not be shipped with that in place because that is a lot of use cases which are all probably different depending on implementation but if I can build it then can I add it to the app?

There's not currently a way to directly integrate existing Kibana dashboards into the Security App. This capability is currently under investigation for possible inclusion in a future release.

It sounds like you'd like to pivot from user to machine during the course of an investigation. Do you expect to have AD or other auth logs being ingested into the Elastic Stack as well? There may be other ways to perform this pivot within the app if the additional data is available for enrichment.

> Also, is there anywhere I can look to see what the searches are for the Security app so that I can make sure that I match up any external alerts that I would like to make available to the hosts? I'm just not clear what the searches are in the app. I have found the place where indexes are specified but I don't know what fields the correlation is happening on for the various alerts.

Yes. Most charts, KPIs, and tables (aka widgets) in the SIEM/Security app have an "Inspect" button in the top right of the display that allows you to see the query that is used to populate the widget, like in this example.

And, the detection rules display their underlying queries in the Rule details view like this:

In addition, there's a handy reference page that describes all the fields that the SIEM app uses. You can find it here: Elastic Security ECS field reference | Elastic Security Solution [8.11] | Elastic

Hope this helps get you going!

Thanks for the information. And yes I was aware of the ECS field mapping I just wasn't sure what the SIEM app was using to correlate the logs together in their search so that I could make sure I get the correct data together.

Also, yes we will be shipping in other logs like AD authentication logs, email gateway logs, EDR logs, DLP logs most of which will have user fields which will be more relevant to tracing what that account has been used for than basing an investigation on a PC and could also help us detect and mitigate lateral movement.

For instance it would help me out with say a phishing kill chain where I can see an email come in > permitted click on a link > unquarantined malware alert > network authentication to other machines.

I'm pretty sure I could build the app for the use case it would just be handy to have all of these dashboards in one place or be able to click on the user names in the authentications section of a computer and be taken to a page specific to that user and their activity if you see what I mean.