Hi All,
I'm looking at Elasticsearch security and how much I can use it.
I have windows and ubuntu servers, Can anyone recommend which beats and modules are best to work with the SIEM to make sure its being feed with all of the relevant information please? (And at which logging levels!)
Hi,
I'm using beats as the agent doesn't look as feature rich at the moment.
But can you suggest which ones please?
There must be certain things the security tool looks for from certain Beats and modules that it has built in filters and alarms to look for.
Great question! Firstly, I'm curious as to what features are missing from Elastic Agent before you could consider deployment of the agent. Most of our Beats module are now available as agent integrations, and generally far easier to deploy and manage, thanks to Fleet. If there isn't a blocker that's preventing you from using agent, I'd strongly recommend consider using our integrations, rather than Beats modules.
However, regardless of what ingest technologies you're using, here's some good starting points:
Ubuntu: System module to monitor auth.log and /var/log/syslog. This will provide visibility into all authentication related events, as well as sudo commands and user/group changes.
Windows: Windows Security events (via winlogbeat or system integration) will provide great visibility into authentication events, user/group changes and lots more. This is will provide visibility into endpoint activity, but especially valuable when ingesting events from your Domain Controllers. Sysmon will provide even more granular monitoring on your Windows endpoints too.
Thanks for the reply.
So when I looked at the agents it only stated only a handful of modules and not the big list on the beats deployments.
I've also used ansible to configure and setup all of the beats and their configurations. I've not seen that functionality documented for the new agents. So mostly my servers Ubuntu so at the moment this works nicely.
But, I have seen that the agent might work much better for a Windows deployment which is a lower use for me, which I've not got onto yet. So I might look at that then.
But if you can direct me to info on agents that can be deployed and configured by ansible I'd be interested
As far as the siem goes, I'd considered some of those things, but for me I'm interested in things like logging level and config that'll make any of the built in rules trigger and/or how to identify them. If that makes sense?
The majority of modules are now available as agent integrations too, with just a few exceptions. You can view the full list of agent integrations here.
The combination of Fleet + Elastic Agent really simplifies both deployment/management of Beats and integrations. I'd definitely recommend trying it out. Support for an agent ansible role is currently an enhancement request, which we are tracking demand for.
Mappings from detection rules to integrations (and vice versa) is certainly an area of focus for us. With the large number of rules and integrations we have, it can be a challenge to understand the dependencies, and it's a problem we're aiming to solve. Is there a particular set of detection rules you're interested in, and we could provide some recommendations for you?
Ok, I'll take a look at agents and see how far I get on a demo Machine.
As far as the detection rules go I've always found a gap in information here, thus why I'm asking. I've asked others before personally and from a professional prospective as well to many other vendors. With a certain concerning blank response!
So, here is a example and for reference I'm focusing on the mitre att&ck framework at the moment.
Elastic security has 86+ rules looking for events that map to the mitre atta&ck framework.
Now I also know that the default windows logging is not good enough for most security cases and it needs to be upped / raised in quite a few areas to make sure you are collecting the correct logs to get the pre programmed rules to trigger.
You could turn everything on spending a lot of time and money setting a nice logging platform on hundreds of servers, but if your server logging isnt at the right level you'll never get the triggers when you really need to.
So I'm really looking for a list of rules Vs the type of logging needed on the servers to make sure that rule is capable of being trigger if that makes sense?
Windows use case here, but it could be Linux or cloud with the same hunt for data!
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.