Matching threat indicators to content in ELK


(Chris Adams) #1

Folks...

Looking for suggestions here on approach for a simple use case.

I have ELK up and running monitoring SSH connections to a server. I also
use ThreatConnect which provides IP addresses (IPs of hosts that bad people
use) that I query via a RESTful API. I DO NOT have any of the threat intel
from ThreatConnect currently feeding into ELK.

I'd like to show in Kibana when there is a match on indicators: i.e. when
the host used to connect to a server via SSH matches an IP address that is
known to be bad (from ThreatConnect).

A connection or disconnection message shows as below where
_source:"message" contains the IP of the SSH client (111.111.111.111) in
this case.

{
  "_index": "logstash-2015.04.29",
  "_type": "syslog",
  "_id": "Bxxxxxxxxxxxx",
  "_score": null,
  "_source": {
    "message": "Apr 29 10:41:01 ip-123.123.123.123 sshd[32574]: Received disconnect from 111.111.111.111: 11: disconnected by user",
    "@version": "1",
    "@timestamp": "2015-04-29T14:41:01.726Z",
    "type": "syslog",
    "host": "xxxxxxxx.ec2.internal",
    "path": "/var/log/secure"
  }
}

So somehow I'd like to run logic that reads that IP, queries the
ThreatConnect API asking, "Have you seen this IP before?" and if so
present that back to the user with an alert saying you have a problem
here... Question is where do I run that logic, I suppose...

Any thoughts on best approach to implement this use case?

Thanks!
c

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/772cc2fd-ae81-4cc3-abbb-7e888600072b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Mark Walkom) #2

Why not use the translate filter in LS to add a field based on these IPs
(eg alertableIP: true) and then run a percolator query?

On 30 April 2015 at 01:24, Chris Adams chrisadams27@gmail.com wrote:

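Mark's suggestion spelled out as an added example (not code from the thread): a Logstash filter block that groks the SSH client IP out of the sshd lines shown above, looks it up with the translate filter against a YAML dictionary exported from ThreatConnect, and sets alertableIP on a hit. The field names, the dictionary path /etc/logstash/threatconnect_ips.yml and the cron-driven export are assumptions; it also covers Accepted/Failed login lines, not only the disconnect message in the post.

```logstash
filter {
  if [type] == "syslog" {
    # Pull the SSH client address out of sshd connect/disconnect/auth lines.
    grok {
      match => {
        "message" => [
          "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} sshd\[%{POSINT}\]: Received disconnect from %{IP:ssh_client_ip}",
          "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} sshd\[%{POSINT}\]: Accepted %{WORD:ssh_method} for %{USERNAME:ssh_user} from %{IP:ssh_client_ip}",
          "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} sshd\[%{POSINT}\]: Failed %{WORD:ssh_method} for %{DATA:ssh_user} from %{IP:ssh_client_ip}"
        ]
      }
      # Non-sshd syslog lines simply pass through without the field.
      tag_on_failure => []
    }

    if [ssh_client_ip] {
      # Dictionary file (assumed path) is one "ip: description" entry per
      # indicator, e.g. (constructed sample line):
      #   "111.111.111.111": "ThreatConnect indicator: SSH brute-force source"
      # A scheduled job that pulls the indicator list from the ThreatConnect
      # REST API rewrites the file; translate re-reads it every refresh_interval.
      translate {
        field            => "ssh_client_ip"
        destination      => "threat_match"
        dictionary_path  => "/etc/logstash/threatconnect_ips.yml"
        refresh_interval => 300
        exact            => true
      }

      # Flag the event so a Kibana filter or a percolator query can pick it up.
      if [threat_match] {
        mutate { add_field => { "alertableIP" => "true" } }
      }
    }
  }
}
```

The lookup happens locally at index time, so no per-event call to the ThreatConnect API is needed and the match is searchable in Kibana as alertableIP:true together with threat_match carrying the indicator description.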
