UDP packets cover 50% of packetbeat logs

Hi,

I can see that 50% of my packetbeat logs are from network.transport: udp .

From a SIEM perspective, do I need these types of logs in Kibana? (I don't use any VoIP or streaming services on my monitored machine.)

Any help is really appreciated.

Thank you!

Hello @ethical20 ,

I would like to know where you usually browse your logs. I think it would be easier if you filter them out in Kibana.

You can drop specific information before Elasticsearch ingests it by using Ingest Pipelines.

But as a SOC Engineer myself, I would recommend against it.

Can you show an example of the packetbeat logs?

Hi @AngelaChuang

I browse logs using Kibana. I know I can filter them there, but in the end I'm still storing a very large number of them (which means more storage space and processing resources are needed).

My question is: from a security perspective, are UDP packets important or not, and how? (If I'm not using streaming / gaming / VoIP services.)

Thank you!

Hi @austinsonger

I can drop them by using processors in packetbeat.yml.

But you said "as a SOC Engineer myself, I would recommend against it".

Can you please say why? I mean, what can a security analyst gain from UDP traffic if the server doesn't use streaming / gaming / VoIP services?

Isn't UDP meant for 'internal ping flows'? Or am I missing the importance/definition of UDP? If so, I would appreciate it if you could share some resources about threat hunting via UDP logs.

Thanks!

Just think about the services (DNS, DHCP, and others) that use UDP.

Now, you may be able to drop UDP packets if the packet count is below a specific number and only accept UDP packets if the count goes above that level.

Packetbeat has a BPF filter. I've only briefly used packetbeat, but I spent a fair amount of time with Bro.

If you need to filter traffic to get rid of the noise, then you will need to analyse the traffic and look to add filters, ideally based on source, destination, port and protocol. You might find that there is a lot of broadcast traffic on the network, for example.

UDP is useful. For example, DNS is traditionally sent over UDP, and this data is valuable from an activity perspective, for trying to spot C&C, DNS tunnelling, etc.
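The two pieces of advice above (drop broadcast noise and low-volume UDP flows, keep DNS, then hunt the DNS data for tunnelling and C&C) put together as an added Python example. This is not code from packetbeat, Elastic, or anyone in the thread; it runs over a small set of constructed events whose field names follow the ECS fields packetbeat emits (network.transport, destination.port, dns.question.name). The tunnel domain, the port allowlist, the volume threshold, the entropy cut-offs and the "last two labels are the registered domain" shortcut are all assumptions chosen for illustration.

```python
"""Hunting in UDP/DNS events shaped like packetbeat output (added example)."""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict

KEEP_UDP_PORTS = {53, 67, 68, 123}   # DNS, DHCP, NTP: UDP services worth retaining (assumed list)
VOLUME_THRESHOLD = 5                  # other UDP flows are kept only above this many events (assumed)

# Constructed sample events, not real traffic. Field names mimic packetbeat's ECS output.
EVENTS = [
    {"network.transport": "udp", "source.ip": "10.0.0.5", "destination.ip": "10.0.0.255",
     "destination.port": 137},                                    # NetBIOS broadcast noise
    {"network.transport": "udp", "source.ip": "10.0.0.5", "destination.ip": "224.0.0.251",
     "destination.port": 5353},                                   # mDNS multicast noise
    {"network.transport": "udp", "source.ip": "10.0.0.5", "destination.ip": "10.0.0.1",
     "destination.port": 53, "dns.question.name": "www.example.com"},
    {"network.transport": "udp", "source.ip": "10.0.0.5", "destination.ip": "10.0.0.1",
     "destination.port": 53, "dns.question.name": "mail.example.com"},
    {"network.transport": "tcp", "source.ip": "10.0.0.5", "destination.ip": "93.184.216.34",
     "destination.port": 443},                                    # non-UDP: always kept
]
# Three stray datagrams to a random high port: below the volume threshold, so dropped.
for _ in range(3):
    EVENTS.append({"network.transport": "udp", "source.ip": "10.0.0.7",
                   "destination.ip": "10.0.0.9", "destination.port": 41234})
# Simulated exfiltration over DNS: many unique, long, hex labels under one (made-up) domain.
for i in range(20):
    label = hashlib.sha256(str(i).encode()).hexdigest()[:48]
    EVENTS.append({"network.transport": "udp", "source.ip": "10.0.0.5",
                   "destination.ip": "10.0.0.1", "destination.port": 53,
                   "dns.question.name": f"{label}.t.attacker-example.net"})


def is_broadcast_noise(ev):
    """UDP to multicast/broadcast destinations: the 'broadcast traffic' the thread mentions."""
    if ev.get("network.transport") != "udp":
        return False
    dst = ipaddress.ip_address(ev["destination.ip"])
    # Crude heuristic: multicast, limited broadcast, or a .255 host part (assumes /24 subnets).
    return (dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255")
            or ev["destination.ip"].endswith(".255"))


def filter_events(events, keep_ports=KEEP_UDP_PORTS, threshold=VOLUME_THRESHOLD):
    """Keep non-UDP, drop broadcast noise, keep allowlisted UDP services,
    and keep other UDP flows only once their (src, dst, port) count exceeds the threshold."""
    flow_counts = Counter((e["source.ip"], e["destination.ip"], e["destination.port"])
                          for e in events if e.get("network.transport") == "udp")
    kept = []
    for ev in events:
        if ev.get("network.transport") != "udp":
            kept.append(ev)
            continue
        if is_broadcast_noise(ev):
            continue
        if ev["destination.port"] in keep_ports:
            kept.append(ev)
            continue
        if flow_counts[(ev["source.ip"], ev["destination.ip"], ev["destination.port"])] > threshold:
            kept.append(ev)
    return kept


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Approximate (registered domain, subdomain part) by taking the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_tunnel_candidates(events, min_subdomains=10, min_entropy=3.5, min_len=40):
    """Flag registered domains with many unique subdomains or long high-entropy labels."""
    per_domain = defaultdict(set)
    for ev in events:
        qname = ev.get("dns.question.name")
        if not qname or ev.get("destination.port") != 53:
            continue
        domain, sub = split_name(qname)
        if sub:
            per_domain[domain].add(sub)
    flagged = {}
    for domain, subs in per_domain.items():
        long_random = [s for s in subs if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        if len(subs) >= min_subdomains or long_random:
            flagged[domain] = {"unique_subdomains": len(subs), "long_random": len(long_random)}
    return flagged


if __name__ == "__main__":
    kept = filter_events(EVENTS)
    print(f"kept {len(kept)} of {len(EVENTS)} events")
    for domain, stats in dns_tunnel_candidates(kept).items():
        print("suspicious DNS activity:", domain, stats)
```

The dropping half of this is what packetbeat itself can do at collection time with a `drop_event` processor guarded by a `when` condition in packetbeat.yml, or earlier still with `packetbeat.interfaces.bpf_filter`; the point of the example is that the filter deliberately keeps port 53, because the hunting half needs every query name, including the ones that look like noise.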

Perfect. Thanks @probson, and to all the people who helped with this, @austinsonger.
