{"id":4807,"date":"2020-11-17T15:07:49","date_gmt":"2020-11-17T09:37:49","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=4807"},"modified":"2020-11-17T17:05:50","modified_gmt":"2020-11-17T11:35:50","slug":"elastic-siem-an-event-tracking-feature","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2020\/11\/17\/elastic-siem-an-event-tracking-feature\/","title":{"rendered":"Elastic SIEM – An Event Tracking Feature"},"content":{"rendered":"\r\n
\"SIEM<\/figure>\r\n\r\n\r\n\r\n

 <\/p>\r\n\r\n\r\n\r\n

\r\n

Torture the data, and it will confess to anything.<\/p>\r\nRonald Coas<\/strong>e<\/cite><\/blockquote>\r\n\r\n\r\n\r\n

WHAT IS ELASTIC SIEM<\/h3>\r\n\r\n\r\n\r\n

Elastic SIEM<\/strong> (Security Information and Event Management<\/em>) is a new feature provided by Elastic NV. Using Elastic SIEM we can track and maintain important events that concern us.<\/p>\r\n\r\n\r\n\r\n

Events are actions that reflect something that has happened.<\/p>\r\n

<\/p>\r\n\r\n\r\n\r\n

Examples <\/strong>– Let’s say we have an important instance that hosts a service. Now we want to know successful and failed login attempts made to this instance.<\/p>\r\n\r\n\r\n\r\n

Also, let’s say we have “\/etc\/nginx” directory and we want to track events, if any, in this directory. Simply put, changes that have been made in this directory i.e. file are created, deleted, or updated.<\/p>\r\n\r\n\r\n\r\n

All of this can be done. Since it’s better to show Visualization than just definitions, that’s what we’ll do.<\/strong><\/p>\r\n\r\n\r\n\r\n

OBJECTIVE<\/h3>\r\n\r\n\r\n\r\n

Below are the objectives of this blog:<\/p>\r\n\r\n\r\n\r\n

    \r\n
  1. We will install auditbeat on an important instance (Ubuntu) and configure auditbeat.yml in a secured way so that it will send events to elasticsearch.<\/li>\r\n
  2. Visualise various events on Kibana<\/li>\r\n
  3. File-Integrity Module<\/li>\r\n
  4. System Module<\/li>\r\n
  5. Auditd Module<\/li>\r\n
  6. Data Exporters<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n

    Install Auditbeat<\/h3>\r\n\r\n\r\n\r\n

    Here, we are going to install auditbeat on an instance where events are important to us. Our OS is ubuntu.<\/p>\r\n\r\n\r\n\r\n

    curl -L -O https:\/\/artifacts.elastic.co\/downloads\/beats\/auditbeat\/auditbeat-7.7.1-amd64.deb\r\nsudo dpkg -i auditbeat-7.7.1-amd64.deb<\/pre>\r\n\r\n\r\n\r\n
    If your OS is different, you may download the package from the given link.<\/p>\r\n\r\n\r\n\r\n
    https:\/\/www.elastic.co\/downloads\/beats\/auditbeat<\/p>\r\n\r\n\r\n\r\n
    Now it is required to add elasticsearch host, username, and password in auditbeat.yml configuration file.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 1:- Example of elasticsearch config we need to change<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    For password, we will be using auditbeat keystore. It is not recommended to enter a password in plain text format as shown in the above example.<\/p>\r\n\r\n\r\n\r\n
    sudo auditbeat keystore create\r\nsudo auditbeat keystore add elasticsearch_password<\/pre>\r\n\r\n\r\n\r\n
    A prompt will be shown asking for value.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 2 Using Keystore which will store our credentials in key-value format.<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    Now our password is stored in elasticsearch_password variable. Let’s use this variable in the config file.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 3 Here we are using key name and value will be retrieved with help of Keystore<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    Now add kibana host.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 4: Kibana hostname<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    We have successfully set up our auditbeat. Let’s test it.<\/p>\r\n\r\n\r\n\r\n
    sudo auditbeat setup\r\nsudo service auditbeat start<\/pre>\r\n\r\n\r\n\r\n
    Visualise various events in Kibana<\/h3>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 5: Number of Hosts in which auditbeat has been installed and sending logs to SIEM<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    All hosts under the hosts section tell us the total number of hosts we have configured.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 6: User login Authentication<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    Here we can see that there have been 5 success login attempts and 478 failed attempts made for both hosts.<\/p>\r\n\r\n\r\n\r\n
    Since the most important part of SIEM is events, we can use KQL(Kibana query Language) and add filters to go through them.<\/p>\r\n\r\n\r\n\r\n
    Example:- After audit beat, I installed Nodejs and tree using apt-get. Let’s see our relevant data.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 7: Filter results to get the package installed<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    Below we can see relevant events.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 8: <\/em>Result of executed KQL query<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
     <\/p>\r\n\r\n\r\n\r\n
    Let’s see various login attempts made on our instance. Use and set event.action to user_login.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 9: Filter results to get user_login<\/em><\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 10:- Here we can see two users karol and query trying to access my instance and we also have their source IP.<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
     <\/p>\r\n\r\n\r\n\r\n
    Event Action<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 11:- This shows various available event actions. Also, zero value depicts that the respective event hasn’t happened in the last frame.<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    File Integrity Module<\/h3>\r\n\r\n\r\n\r\n
    The audit beat has three available modules. System, File Integrity, and auditd.<\/p>\r\n\r\n\r\n\r\n
    File Integrity module handles file related events.<\/p>\r\n\r\n\r\n\r\n
    It uses Linux kernel API, i.e. inotify \u00a0(An API that provides a mechanism for monitoring filesystem events). So, if anyone is using a lower version of Linux or if inotify is not supported in their version, then this module will not be available.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 12:- Here paths represent the various path that has been entered for the event.<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    Let’s add some files in \/bin and check for the relevant events.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 13: Filtering results to get results from module file_integrity<\/em><\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 14:- Here we can see opstree and opstree1 files have been created. We can also see a file named tree created from an earlier installation of tree utility<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    Custom Directory or File<\/h5>\r\n\r\n\r\n\r\n
    Here, I have a sample nodejs application which is being served. So I want to know if any changes have been done to this directory.<\/p>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 15:- I have added the custom path of my application<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    \"\"\r\n
    Figure 16:- Here we can see I have deleted my package.json file and created a directory opstree.<\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\n
    System Module<\/h3>\r\n\r\n\r\n\r\n
    The system Module collects important events related to a system.<\/p>\r\n\r\n\r\n\r\n