ELK SIEM Open Distro: ELK stack - installation and configuration.
This chapter describes the installation and configuration of the ELK stack. One could have skipped this chapter and left it untranslated, but then the thread between the original chapters would be lost.
Index of all posts.
- Introduction. Deploying infrastructure and technology for SOC as a Service (SOCasS)
- ELK stack - installation and configuration
- Walking through Open Distro
- ELK SIEM dashboards and visualization
- Integration with WAZUH
- Alerting
- Reporting
- Case management
1- Installation and configuration of ELK STACK
1.1- Introduction to ELK
A- What is ELK?
B- Difference between ELK Basic and ELK OSS?
1.2- Installing ELK
In our project we started by setting up ELK Stack Basic (7.6.1), following the official guide provided by elastic.co:
https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html
1.3- ELK configuration
In this section we provide the configuration we applied to the ELK stack.
A- Elasticsearch configuration
All settings are made in the elasticsearch.yml file located at /etc/elasticsearch/elasticsearch.yml
Open it with: sudo nano /etc/elasticsearch/elasticsearch.yml
The settings that matter here are http.port and network.bind_host. Setting network.bind_host: 0.0.0.0 makes Elasticsearch reachable by the other components of the ELK stack.
Then restart Elasticsearch:
sudo systemctl restart elasticsearch
Note: network.bind_host is set to 0.0.0.0.
B- Kibana:
The Kibana configuration file is kibana.yml, located at /etc/kibana/kibana.yml. Open it with:
sudo nano /etc/kibana/kibana.yml
For Kibana, set server.host: "0.0.0.0". Kibana listens on port 5601. Then restart Kibana: sudo systemctl restart kibana
Kibana is then reachable at http://your_Server_IP:5601
Note: server.host is set to 0.0.0.0.
C- Logstash:
A sample logstash configuration ships with the package:
sudo cat /etc/logstash/logstash-sample.conf
Logstash pipeline configurations go in /etc/logstash/conf.d/, for example as logstash.conf.
Then restart Logstash: sudo systemctl restart logstash
D- Ports:
Ports used by logstash, kibana and elasticsearch (the listeners may show up as tcp6 rather than tcp):
Kibana: 5601
Elasticsearch: 9200
Logstash: 5044
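As an added check (example code, not part of the original article): with network.bind_host and server.host set to 0.0.0.0, Elasticsearch and Kibana listen on every interface of the host, so after the restarts it is worth confirming which address each of the three ports above is actually bound to. The script below classifies `ss -ltn` output by the ports listed in this section; the output embedded in SAMPLE_SS is constructed so the script runs offline, and on a real host you would pipe `ss -ltn` into report_listeners instead.

```shell
#!/bin/sh
# Added example, not from the original article: classify the listeners of
# the three ELK services from `ss -ltn` output. SAMPLE_SS is a constructed
# sample so the script runs offline; on a real host: ss -ltn | report_listeners

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      511    127.0.0.1:5601      0.0.0.0:*
LISTEN 0      4096   [::]:5044           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# port_to_service: map a port to the ELK component the chapter lists
port_to_service() {
  case "$1" in
    5601) echo kibana ;;
    9200) echo elasticsearch ;;
    5044) echo logstash ;;
    *)    echo unknown ;;
  esac
}

# listener_scope: "all-interfaces" for a wildcard bind (0.0.0.0, [::], *),
# which is what bind_host / server.host 0.0.0.0 produces; "local" otherwise
listener_scope() {
  case "$1" in
    0.0.0.0|"[::]"|"*") echo all-interfaces ;;
    *)                  echo local ;;
  esac
}

# report_listeners: read `ss -ltn` lines on stdin and print
# "<service> <port> <address> <scope>" for each ELK port found
report_listeners() {
  awk 'NR > 1 { print $4 }' | while IFS= read -r laddr; do
    port=${laddr##*:}
    addr=${laddr%:*}
    svc=$(port_to_service "$port")
    if [ "$svc" = unknown ]; then
      continue
    fi
    echo "$svc $port $addr $(listener_scope "$addr")"
  done
}

# count_exposed: how many ELK listeners are bound to every interface
count_exposed() {
  report_listeners | awk '/ all-interfaces$/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_SS" | report_listeners
echo "exposed: $(printf '%s\n' "$SAMPLE_SS" | count_exposed)"
```

In the constructed sample, Elasticsearch (9200) and Logstash (5044) are bound to every interface while Kibana (5601) is bound to loopback only; a listener reported as all-interfaces is reachable from any network the host is attached to, which is what the 0.0.0.0 settings above imply.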
2- Beats:
A- Winlogbeat:
Download URL:
https://www.elastic.co/fr/downloads/beats/winlogbeat
Installation guide:
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html
B- Winlogbeat configuration:
In winlogbeat.yml:
winlogbeat.event_logs:
This section of winlogbeat.yml lists the Windows event logs that Winlogbeat collects; we added the Sysmon log to it.
Index settings:
- index.number_of_shards: the number of primary shards an index is split into in Elasticsearch.
- index.number_of_replicas: the number of replica copies of each shard that Elasticsearch keeps.
Output:
Winlogbeat sends its events either to Elasticsearch or to Logstash.
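A minimal winlogbeat.yml assembled from the settings this section names, as an added example (not the article's own file), together with a small pre-flight check: a Beat accepts exactly one output section, so it is worth confirming before starting the service that only one of output.elasticsearch / output.logstash is uncommented. The channel list, shard values and hosts are constructed for illustration (your_Server_IP is the placeholder the article itself uses), and index.number_of_shards / index.number_of_replicas sit under setup.template.settings, which is where Winlogbeat reads them.

```shell
#!/bin/sh
# Added example, not from the original article: a constructed winlogbeat.yml
# using the settings named in the chapter, plus checks that can be run on
# the file before the service is started.

WINLOGBEAT_YML='winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational

setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0

output.elasticsearch:
  hosts: ["your_Server_IP:9200"]

#output.logstash:
#  hosts: ["your_Server_IP:5044"]
'

# count_event_logs: number of channels listed under winlogbeat.event_logs
# (reads the YAML on stdin; stops at the next top-level key)
count_event_logs() {
  awk '/^winlogbeat\.event_logs:/ { s = 1; next }
       s && /^[^ ]/               { s = 0 }
       s && /^[ ]*- name:/        { n++ }
       END                        { print n + 0 }'
}

# enabled_outputs: number of uncommented top-level output.* sections
enabled_outputs() {
  awk '/^output\.[a-z]+:/ { n++ } END { print n + 0 }'
}

# check_single_output: succeed only when exactly one output is enabled
check_single_output() {
  [ "$(enabled_outputs)" -eq 1 ]
}

# template_setting shards|replicas: value of index.number_of_<key>
template_setting() {
  awk -v key="index.number_of_$1:" '$1 == key { print $2; exit }'
}

# Stand-alone run over the constructed file
printf '%s\n' "$WINLOGBEAT_YML" | count_event_logs
printf '%s\n' "$WINLOGBEAT_YML" | template_setting shards
if printf '%s\n' "$WINLOGBEAT_YML" | check_single_output; then
  echo "exactly one output enabled"
else
  echo "zero or several outputs enabled"
fi
```

On a real host, replace the embedded text with `cat /path/to/winlogbeat.yml | check_single_output`; uncommenting the output.logstash block in the sample makes the check fail, which is the situation the output note above is meant to avoid.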
Index Lifecycle Manager (ILM):
ILM (Index Lifecycle Manager) is part of x-pack, so it is available in ELK Basic but not in ELK OSS. ILM automates how indices are handled over their lifetime.
In ELK, ILM is configured from Elasticsearch.
Sysmon and MITRE ATT&CK:
This section covers Sysmon and how to bring sysmon events into ELK.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed, stays resident across reboots and logs system activity to the Windows event log. By collecting the events it generates with Windows Event Collection or SIEM agents and analysing them, malicious or anomalous activity can be identified.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is used as a foundation for threat models and methodologies.
I. Download Sysmon:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
II. Download the sysmon XML configuration mapped to MITRE ATT&CK: https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml
III. Install Sysmon with that configuration:
sysmon64 -accepteula -i sysmonconfig-export.xml
IV. Check the active configuration:
sysmon64 -c
Next, load the Winlogbeat assets:
I. Index template:
Winlogbeat loads its index template into Elasticsearch automatically when its output is Elasticsearch. When winlogbeat sends to Logstash instead, the template has to be loaded into Elasticsearch separately.
II. Kibana dashboards:
https://www.elastic.co/guide/en/beats/winlogbeat/current/load-kibana-dashboards.html
The dashboards are loaded into Kibana.
Testing ELK:
Start winlogbeat and sysmon (from PowerShell or services.msc) and check Kibana.
In Kibana Discover the sysmon events appear (with the MITRE fields from the configuration):
Other Beats:
Winlogbeat
Filebeat
Packetbeat
Metricbeat
Of these we used metricbeat and filebeat.
With filebeat we collected ssh and sudo logs from ubuntu, and the logs of the Suricata IDS.
Suricata:
Enable the Suricata filebeat module (module names are lowercase):
sudo filebeat modules enable suricata
The module configurations are in /etc/filebeat/modules.d/
To list the modules:
filebeat modules list
This is the link we used to install Suricata on our machine: https://www.alibabacloud.com/blog/594941
You should get a toolbar similar to this one. Don't worry if you don't get exactly this result; we will work with the dashboard in the following articles.
It is also possible to integrate the Suricata interface into the ELK stack, for which you can check this link.