Good morning everyone,
I have recently set up ELK with Elastic on cloud and I am in the process of configuring Watch. I want to mainly use this to monitor my environment for suspicious events like: new user created, 5-10 failed login attempts, new task scheduled, new process created, users trying to escalate privileges, etc.
As we all know this may be time-consuming. I was wondering if you know any repo/site with already created JSON queries that I can use?
I found a great website: https://uncoder.io/ that allows you to create Elastic queries, but I haven't figured out how to do it yet.
Maybe we should create a separate thread where people can share advanced Watch rules written in JSON. Maybe we already have something like this?
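A Watcher definition of the kind asked for above, added here as an example (it is not from the thread or from Elastic): it counts Windows failed-logon events (event ID 4625 as shipped by Winlogbeat) per account over the last five minutes and writes a warning to the Elasticsearch log when any account reaches five. The index pattern `winlogbeat-*`, the field names `event.code` and `user.name`, and the watch id are assumptions about the local mapping; the request is written for the Kibana Dev Tools console.

```json
PUT _watcher/watch/winlogbeat-failed-logins
{
  "metadata": {
    "note": "Example watch. Index pattern and field names are assumptions about the Winlogbeat mapping."
  },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["winlogbeat-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term":  { "event.code": "4625" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          },
          "aggs": {
            "by_user": {
              "terms": { "field": "user.name", "size": 20, "min_doc_count": 5 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.by_user.buckets": {
        "path": "doc_count",
        "gte": { "value": 5 }
      }
    }
  },
  "throttle_period": "15m",
  "actions": {
    "log_failed_logins": {
      "logging": {
        "level": "warn",
        "text": "Failed logons in the last 5m: {{#ctx.payload.aggregations.by_user.buckets}}{{key}}={{doc_count}} {{/ctx.payload.aggregations.by_user.buckets}}"
      }
    }
  }
}
```

The `logging` action keeps the example self-contained; swapping it for an `email` or `webhook` action delivers the same alert to the team, and `POST _watcher/watch/winlogbeat-failed-logins/_execute` runs the watch on demand while tuning the threshold.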
Hi @farciarz121, thanks for trying out the Elastic Stack. Have you checked out our detection rules? These are prewritten detection rules that run on a schedule to detect events like the ones listed and generate alerts. Here is the documentation on these rules: Prebuilt rule reference | Elastic Security Solution [7.13] | Elastic
Hi @stephmilovic, I am testing the default rules but it looks like for some reason they are not working for me. Maybe I am doing something wrong.
Do I need to install the Elastic Fleet agent, or will the rules be able to detect changes based on Beats (i.e. Winlogbeat - new user created)?
Also, I know you can edit rules and action frequency (every hour, day, etc.). Is there a way to force these detection rules to execute at a particular moment? For example, I am testing one of the rules now and I don't want to wait an hour to get a notification.
Yes, absolutely, there is a little "refresh"-looking button in the Rule Details page. Click that to force a run of the rule:
That doesn't force the run of the rule. It just forces the rule to refresh its status. If you click the slider next to "Activated" to the off and then back to the on position, that will force the rule to begin execution immediately.