This post describes how to customize visualizations and SIEM dashboards in ELK. The article is divided into the following sections:
1- ELK SIEM overview
2- Default dashboards
3- Create your first dashboards
Table of contents for all posts.
- Introduction. Infrastructure and technology deployment for SOC as a Service (SOCasS)
- ELK stack - installation and configuration
- Walking through the Open Distro
- Dashboards and ELK SIEM visualization
- Integration with WAZUH
- Alerting
- Making reports
- Case Management
1- ELK SIEM Overview
ELK SIEM was recently added to the ELK stack in version 7.2, released on June 25, 2019.
It is a SIEM solution created by elastic.co to make the life of a security analyst much easier and less tedious.
In our deployment, we decided to build our own SIEM and design our own dashboards.
But we think it is important to learn ELK SIEM first.
1.1- Host events section
We'll first look at the host section. The host section lets you see the events generated on the endpoints themselves.
1 Windows 10.
2 Ubuntu 18.04.
1.2-
HTTP / TLS DNS
2- Default dashboards
elastic.co, ELK. Packetbeat.
Kibana.
PacketBeat.
IP.
3- Create your first dashboards
3-1-
A-
- Markdown
B- KQL (Kibana):
https://www.elastic.co/guide/en/kibana/current/kuery-query.html
Windows 10 pro.
C-
D-
MITRE ATT&CK.
Dashboard → Create new dashboard → create new → Pie dashboard
Buckets:
- Split slices.
- Split Chart.
MITRE ATT&CK.
Winlogbeat:
winlog.event_data.RuleName
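As an added example (not code from the original post), this is the Elasticsearch request body that Kibana runs underneath such a pie: the outer terms aggregation plays the role of Split Chart and the inner one of Split slices, bucketing events by the Sysmon rule name that carries the MITRE ATT&CK technique. It assumes Winlogbeat writes to an index matching `winlogbeat-*` (send it as the body of `GET winlogbeat-*/_search`), that `winlog.event_data.RuleName` and `host.name` are indexed as keyword, that splitting the chart by `host.name` is the chosen grouping, and a 24-hour window.

```json
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term": { "agent.type": "winlogbeat" } },
        { "exists": { "field": "winlog.event_data.RuleName" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  },
  "aggs": {
    "split_chart_by_host": {
      "terms": { "field": "host.name", "size": 5 },
      "aggs": {
        "split_slices_by_rule": {
          "terms": { "field": "winlog.event_data.RuleName", "size": 10 }
        }
      }
    }
  }
}
```

The same filter written in KQL, the query language mentioned in section B, is `agent.type : "winlogbeat" and winlog.event_data.RuleName : *`; the `exists` clause matters because events without a RuleName would otherwise collapse into one meaningless slice.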
MITRE ATT&CK, win10.
3-2- Create your first dashboard:
A dashboard is a collection of many visualizations. Your dashboards should be clear, understandable, and contain useful and deterministic data. Here's an example of the dashboards we created from scratch for winlogbeat.
Thank you for your time. I hope this article was helpful to you. If you want more information on the topic, we recommend that you visit the official website.
Telegram chat on Elasticsearch: https://t.me/elasticsearch_ru