Hi people, I'm new to this forum, so nice to meet you.
I'm testing the detection power of Elastic SIEM and in some cases it doesn't detect the rule events. This is one case:
Signal detection rule: SMTP to Internet (it's a pre-built rule)
Index patterns: filebeat-*
Custom query: network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
On one of my servers with Filebeat, I execute "telnet x.x.x.x 25" (x.x.x.x is the public IP of an SMTP server), but when I go to Discover and select the Filebeat index to look for the query fields, I see that the following fields don't exist in the given index:
source.ip
destination.ip
destination.port
Is it possible that these fields don't appear in the filebeat index because of my filebeat configuration?

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "https://siem.example.com:5601"
output.elasticsearch:
  hosts: ["siem.example.com:9200"]
  protocol: "https"
  username: "elastic"
  password: "xxx"
  ssl.certificate_authorities: ["/etc/ssl/certs/ca.crt"]
processors:
  - add_host_metadata: ~
```
Because the "SMTP to Internet" pre-built rule searches filebeat-* by default.
Thank you very much.
Jelo
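As an added illustration (example code, not part of the post above), the rule's custom query evaluated in Python over two constructed events: one shaped like what Filebeat's plain `log` input emits (a syslog line with no network fields) and one carrying the ECS fields the query names. The event contents, host name and addresses are made up for the demonstration; `missing_fields` shows which of the query's fields a document must carry before any clause can match.

```python
import ipaddress

# Constructed sample events (not real data). The first mimics a document from
# Filebeat's `log` input: message plus file/host metadata, no ECS network fields.
LOG_INPUT_EVENT = {
    "message": "Jan 10 12:00:00 srv01 telnet[1234]: Trying 203.0.113.25...",
    "host": {"name": "srv01"},
    "log": {"file": {"path": "/var/log/syslog"}},
}
# The second carries the fields the "SMTP to Internet" query filters on.
NETWORK_EVENT = {
    "network": {"transport": "tcp"},
    "source": {"ip": "10.1.2.3"},
    "destination": {"ip": "203.0.113.25", "port": 25},  # documentation range address
}

SMTP_PORTS = {25, 465, 587}
PRIVATE_SRC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DST = PRIVATE_SRC + [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
REQUIRED_FIELDS = ("network.transport", "destination.port", "source.ip", "destination.ip")


def get_field(event, dotted):
    """Resolve an ECS dotted field name against a nested event dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_fields(event):
    """Return the query's fields that this document does not carry at all."""
    return [f for f in REQUIRED_FIELDS if get_field(event, f) is None]


def in_any(ip, networks):
    """True if ip falls inside any of the given networks (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def smtp_to_internet(event):
    """Mirror the rule query: private source, SMTP port over TCP, non-internal destination."""
    if missing_fields(event):
        return False  # a field clause cannot match a document that lacks the field
    return (
        get_field(event, "network.transport") == "tcp"
        and get_field(event, "destination.port") in SMTP_PORTS
        and in_any(get_field(event, "source.ip"), PRIVATE_SRC)
        and not in_any(get_field(event, "destination.ip"), INTERNAL_DST)
    )
```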