Module 17: SIEM Part One: Intro to ELK

Log Management Introduction

SIEM Concepts

Elastic Stack (ELK)

The Discover page is where all the incoming data from agents is presented. A search bar located at the top allows users to submit their queries in Kibana Query Language (KQL) format.

Example of Standard KQL Syntax

field1: value1 and field2: "value 2" and not field3: value3* and field4.subfield <= 30

KQL Query for Sysmon ProcessCreate Events

host.hostname: "appsrv01" and data_stream.dataset : "windows.sysmon_operational" and process.name : "svchost.exe" and event.code: "1"

KQL Query for Apache access log

"apache-access" and host.hostname: "web01" and not source.ip: 127.0.0.1

Results from KQL Query for Apache access log

Field

Value

source.ip

192.168.51.54

ELK Integrations with OSQuery

For Elastic Agents, there is only one active integration called OSQuery. This integration is based on the original project and stores device-specific information into a relational database that can be queried on-demand.

Every listing of OSQuery has the following:

Query: Query that was submitted to Elastic Agents
Agents: The Elastic Agent(s) that received the query
Created at: The query's creation time
Run by: The user that submitted the query

% can be used as a wildcard.

Example of SQL syntax for OSQuery

SELECT field1, field2, fieldx FROM table1 WHERE field1 = value1 AND field2 like '%value2%';

OSQuery for text files on every Windows user's Desktop

select directory, filename from file where path like 'C:\Users\%\Desktop\%' and filename like '%.txt';

OSQuery results for text files

agent

directory

filename

appsrv01

C:\Users\Administrator\Desktop

proof.txt

OSQuery for processes listening on network ports

select distinct processes.name, listening_ports.port, listening_ports.address, processes.pid from processes join listening_ports on processes.pid = listening_ports.pid;

OSQuery results for processes listening on network ports

agent

address

name

pid

port

web01

127.0.0.1

elastic-agent

292547

6789

web01

0.0.0.0

httpd

293453

web01

127.0.0.1

cupsd

1259

631

...

OSQuery for all processes with outbound connections to nonstandard ports

select pos.pid, p.name, pos.local_address, pos.remote_address, pos.local_port, pos.remote_port from process_open_sockets pos join processes p on pos.pid = p.pid where pos.remote_port not in (80, 443) and pos.family = 2 and pos.local_address not in ("0.0.0.0", "127.0.0.1");

agent

local_address

local_port

name

pid

remote_address

port

appsrv01

172.16.51.32

57301

osquerybeat.exe

5104

172.16.51.35

9200

...

web01

172.16.51.33

33522

metricbeat

292468

172.16.51.35

9200

...

snort03

172.16.51.254

41088

elastic-agent

754

172.16.51.35

8220

ELK Security

Rules and Alerts

KQL for failed authentications

event.code : "4625"

Creating a RDP Brute Force rule

Timelines and Cases

Expanded query for RDP Brute Force

(event.code: 4625 or event.code : 4624) and host.hostname : "appsrv01"

Successful authentication from RDP Brute Force in most recent entry

@timestamp

message

event.category

event.action

host.name

source.ip

destination.ip

user.name

Mar 2, 2022 @ 15:06:00.521

An account was ...

authentication

logged-in

appsrv01

172.16.50.254

Administrator

There is no perfect way to draft an incident report. Many organizations develop their own reporting standards to adequately describe attacks.

PreviousModule 16: Active Directory Persistence NextModule 18: SIEM Part Two: Combining the Logs

Last updated 4 months ago