Hi,
I'm currently testing the ELK stack with the DFIR tool Velociraptor as an agent. My goal is to set up alerts on the data received from the Velociraptor agent.
However, when I try to set up alerts in the Security: Detection: Alerts tab in Kibana, I receive the error "Error updating Security Data View". This is after I've created a rule and verified its output in the "preview" field.
Information about my lab setup:
- Base image: remnux v2021.15.2
- Docker (20.10.6):
  - velociraptor-docker (running 0.6.5)
  - docker-elk (8.2.3)
Action points:
- Set up Velociraptor and ELK in Docker on remnux v2021.15.2, with xpack.encryptedSavedObjects.encryptionKey, xpack.reporting.encryptionKey and xpack.security.encryptionKey set, created with the Kibana CLI tool.
- Deployed a Velociraptor client agent to create data. The client was a Windows 10 machine.
- Sent data from Velociraptor to ELK with the artifacts Elastic.Flows.Upload and Elastic.Events.Clients. These use the API, for which I've created an API key within Kibana.
- Ran the hunt Generic.System.Pstree from Velociraptor.
- In Kibana, set up a data view and verified that the data is searchable in the Discover tab.
- Created a new rule in the Security: Detect: Rules tab as a Custom query.
- Received the WARNING message that the @timestamp field is not mapped for the specified indexes.
- Created an alias @timestamp to map it for the indexes.
- Added the index "artifact_*" to Stack Management: Kibana: Advanced Settings --> Security Solution: securitySolution:defaultIndex.
- Created a new rule in the Security: Detect: Rules tab as a Custom query. Index patterns: "artifact_*"; custom query: Name:"System"; quick query preview: "Last day". In the Preview results tab I get the output of the image below (Rule Preview), verifying that it works.
- Created the rule and verified that it has run successfully: "Last response: succeeded at Jul 2, 2022 @ 15:01:35.715"
- Going down to the Alerts tab and looking at the trend: "No data to display" (the time field is "Today", as for the Preview field).
- Then, if I go from the Analytics: Discover tab to the Security: Alerts tab, or open a new tab in Firefox and go from the Discover tab to the Alerts tab, I receive the error "Error updating Security Data View".
This is the error I receive when I access Kibana from the remnux machine.
**Error updating Security Data View**
The operation was aborted
{
"name": "AbortError",
"message": "The operation was aborted. ",
"stack": "__kbnSharedDeps_npm__</e.exports/O<@http://172.17.0.1:5601/52239/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:422:135888\n__kbnSharedDeps_npm__</</<@http://172.17.0.1:5601/52239/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:427:1243370\nhttp_fetch_error_HttpFetchError@http://172.17.0.1:5601/52239/bundles/core/core.entry.js:10:69882\nfetchResponse@http://172.17.0.1:5601/52239/bundles/core/core.entry.js:10:74849\n"
}
This is the error I receive when I am at the Windows machine with the Velociraptor server.
**Error updating Security Data View**
The user aborted a request.
{
"name": "AbortError",
"body": null,
"message": "The user aborted a request.",
"stack": "AbortError: The user aborted a request.\n at fetch_Fetch.fetchResponse (http://192.168.198.129:5601/52239/bundles/core/core.entry.js:10:75147)\n at async http://192.168.198.129:5601/52239/bundles/core/core.entry.js:10:73359\n at async http://192.168.198.129:5601/52239/bundles/core/core.entry.js:10:73316"
}
Question
What is happening here and how can I make my setup work?
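One check worth doing on the "@timestamp alias" step described in the post above (an added example; this is not code from the original post, from Velociraptor or from Elastic): an Elasticsearch field alias (`"type": "alias"`) must point, via `path`, to a concrete field that already exists in the mapping and is not itself an alias, and a detection rule's time-range query on @timestamp only behaves as intended if that target is a date field. The script below builds the update-mapping body for such an alias and validates it against a mapping response before it is sent. The sample mapping and the assumed source field name `timestamp` are constructed for illustration, not taken from the poster's indexes; substitute the real output of `GET artifact_*/_mapping`.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed sample, shaped like a (trimmed) GET artifact_*/_mapping response.
# The field names are assumptions, not real data from the lab in the post.
SAMPLE_MAPPING = {
    "artifact_generic_system_pstree": {
        "mappings": {
            "properties": {
                "timestamp": {"type": "date"},      # assumed concrete date field
                "Name": {"type": "keyword"},
                "Pid": {"type": "long"},
                "client": {"properties": {"hostname": {"type": "keyword"}}},
            }
        }
    }
}


def alias_mapping_body(source_field: str = "timestamp") -> Dict:
    """Body for `PUT artifact_*/_mapping` that adds @timestamp as an alias
    of an existing field (the alias target name is an assumption)."""
    return {"properties": {"@timestamp": {"type": "alias", "path": source_field}}}


def resolve_field(properties: Dict, dotted: str) -> Optional[Dict]:
    """Follow a dotted path (e.g. 'client.hostname') through mapping properties."""
    node = {"properties": properties}
    for part in dotted.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    return node


def alias_is_valid(mapping_response: Dict, alias_body: Dict) -> Tuple[bool, str]:
    """Check, for every index in the response, that the alias target exists,
    is a concrete (non-alias, non-object) field, and is a date type."""
    alias_name, alias_def = next(iter(alias_body["properties"].items()))
    path = alias_def["path"]
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        target = resolve_field(props, path)
        if target is None:
            return False, f"{index}: alias target '{path}' is not mapped; Elasticsearch rejects the alias"
        if target.get("type") == "alias":
            return False, f"{index}: '{path}' is itself an alias; aliases cannot chain"
        if "type" not in target:
            return False, f"{index}: '{path}' is an object, not a concrete field"
        if target["type"] not in ("date", "date_nanos"):
            return False, (f"{index}: '{path}' is '{target['type']}', not a date; "
                           f"the rule's range query on {alias_name} will not work as a time window")
    return True, f"{alias_name} -> {path} resolves to a concrete date field in every index"


if __name__ == "__main__":
    body = alias_mapping_body("timestamp")
    ok, msg = alias_is_valid(SAMPLE_MAPPING, body)
    print(msg)
    if ok:
        # The request to send (against a real cluster) once the check passes.
        print("PUT artifact_*/_mapping")
        print(json.dumps(body, indent=2))
```

Running the script prints the mapping-update body only when the target passes the check; the same validation is worth repeating against the real mapping response after the alias exists, since a target that was dropped or renamed by a later artifact upload leaves the alias dangling.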