Watch configuration (advance watch - Jason queries for cyber security)

farciarz121 · June 1, 2021, 1:08pm

Good morning everyone,
I have recently setup ELK with elastic on cloud and I am in the process of configuring watch. I want to mainly use this to monitor my environment from suspicious events like: new user created, 5-10 failed login attempts, new task scheduled, new process created, user try to escalate privilege's, etc.

As we all know this may be time consuming. I was wondering if you know any repo/site with already created Jason queries that I can use?

I found a great website: https://uncoder.io/ that allows to create elastic queries but I haven't figure out how to do it yet.

Maybe we should create a separate thread where people can share advance watch rules written in Jason. Maybe we already have something like this ?

stephmilovic · June 1, 2021, 9:02pm

Hi @farciarz121, thanks for trying out the Elastic stack. Have you checked out our detection rules? These are prewritten detection rules that run on schedule to detect events like the ones listed and generate alerts. Here is documentation on these rules: Prebuilt rule reference | Elastic Security Solution [7.13] | Elastic

This documentation will help you to load the prebuilt rules onto your Kibana instance: Manage detection rules | Elastic Security Solution [7.13] | Elastic

Does this help?

farciarz121 · June 3, 2021, 5:00pm

Hi @stephmilovic I am testing defult rules but it looks like for some reason they are not working for me. Maybe I am doing something wrong.

Do I need to install elastic fleet agent or rules will be able to detect changes base on beats (i.e. winlog beat - new user created).
Also, I know you can edit rules and actions frequency (every hour,day etc). Is there a way to force this detection rules to execute in particular moment? In example, I am testing one of the rules now and I don't want to wait an hour to get a notification.

system · July 1, 2021, 5:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

stephmilovic · August 25, 2021, 2:32pm

Hi @farciarz121 I am so sorry I missed your question back!

Nope, fleet agent is not required for rules. Many of our prebuilt rules run on raw events.

If you click the slider next to "Activated" to the off and then back to the on position, that will force the rule to being execution immediately.

Frank_Hassanabad · August 31, 2021, 1:52am

Yes absolutely, there is a little "refresh" looking button in the Rule Details page. Click that to force a run of the rule:

That doesn't force the run of the rule. It just forces the rule to refresh its status. If you click the slider next to "Activated" to the off and then back to the on position, that will force the rule to being execution immediately.