SlideShare a Scribd company logo

Elasticsearch audit logging | Search Guard

Jochen Kressin
Jochen Kressin

How to enable and use audit logging for Elasticsearch using the Search Guard security suite. Stay compliant with PCI, HIPAA, SOX, ISO, and GDPR.

Software
1 of 16
Download to read offline
SEARCH GUARD AUDIT LOGGING © 2018 floragunn GmbH - All Rights Reserved
© 2018 floragunn GmbH - All Rights Reserved WHAT IS AUDITLOGGING Track irregular, security-related events, e.g. failed log in attempts missing privileges spoofed HTTP headers Track regular events Login events Executed actions like searches or aggregations Can be logged to different output channels Elasticsearch, Kafka, Cassandra, Webhooks, etc. 01.
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE Enterprise Edition Search Guard https://example.com:9200 Logging Cluster Access attempt Intercepts request Allows / disallows request Forwards events to audit log Search Guard Audit Logging Evalutes event category Gathers meta information Logs event to configured endpoint(s) Elasticsearch
© 2018 floragunn GmbH - All Rights Reserved EVENT CATEGORIES FAILED_LOGIN The user credentials of a request could not be validated. Most likely because the user does not exist or the password is incorrect AUTHENTICATED The provided user credentials were authenticated successfully MISSING_PRIVILEGES The user is authenticated but lacks the respective privileges for the requested action GRANTED_PRIVILEGES Represents a successfully executed action, e.g., a search request 02.
© 2018 floragunn GmbH - All Rights Reserved EVENT CATEGORIES SSL_EXCEPTION An attempt was made to access Elasticsearch without a valid SSL/TLS certificate. BAD_HEADERS An attempt was made to spoof a request with Search Guard internal headers SG_INDEX_ATTEMPT An attempt was made to access the Search Guard internal user- and privileges index without a valid admin TLS certificate 03.
© 2018 floragunn GmbH - All Rights Reserved EVENT CONTENT Category FAILED_LOGIN, MISSING_PRIVILEGS Username if available for the logged category Metadata Timestamp, remote IP, node name, cluster name, layer (REST/transport), etc. Request type E.g. SearchRequest, GetIndexRequest, GetMappingsRequest … 04.
© 2018 floragunn GmbH - All Rights Reserved EXTENDED LOGGING Indices affected by the request Enable by: searchguard.audit.resolve_indices: true Indices need to be resolved before the event is logged Slight performance overhead Request body E.g., executed query, indexed document Enable by: searchguard.audit.log_request_body: true Increases event size 05.
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE audit_cluster_name: "searchguard_demo", ... audit_transport_request_type: "SearchRequest", audit_category: "MISSING_PRIVILEGES", audit_request_origin: "REST", … audit_request_body: "{"query":{"match":{"Designation": {"auto_generate_synonyms_phrase_query":true,"query":"CEO","zero_terms_query":"NONE","fuzzy_transpositions ":true,"boost":1.0,"prefix_length":0,"operator":"OR","lenient":false,"max_expansions":50}}}}", … audit_request_layer: "TRANSPORT", audit_request_effective_user: “jdoe", audit_trace_resolved_indices: [ "humanresources" ]
© 2018 floragunn GmbH - All Rights Reserved EVENT STORAGE Log events are stored asynchronously Minimizes performance impact Thread pool can be optimized Log events can come from any node Only centralized storage is useful Search Guard ships with pre-defined storage endpoints Own implementations also possible 06.
© 2018 floragunn GmbH - All Rights Reserved PRE-DEFINED STORAGE ENDPOINTS Events can be shipped to one or more storage endpoints Internal Elasticsearch Stores events on the same cluster they have been generated on External Elasticsearch Stores events on a remote Elasticsearch cluster Webhooks Any system that supports GET or POST webhooks log4j Kafka, Cassandra, SNMP, Mail, etc. 07.
© 2018 floragunn GmbH - All Rights Reserved DATA CONSISTENCY Security events must be tamper-proof Security events must not be changed once they are written Immutable indices Any index can be marked “immutable” “write-once / read many” Documents can be indexed, but not changed afterward Immutable indices cannot be deleted or closed Ideal for storing audit events 08.
© 2018 floragunn GmbH - All Rights Reserved CONFIGURATION Audit logging is configured statically, not dynamically in elasticsearch.yml Due to security considerations Audit logging must not be disabled by any unauthorized user Configuration must not be changed by any unauthorized user Logged events and data must be predictable and consistent over time Any change to the audit logging configuration requires a cluster restart 09.
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE Internal: searchguard.audit.type: internal_elasticsearch searchguard.audit.config.index: auditlog External: searchguard.audit.type: external_elasticsearch searchguard.audit.config.http_endpoints: [‘es1.example.com’,’es2.example.com’]” searchguard.audit.config.index: auditlog searchguard.audit.config.username: auditloguser searchguard.audit.config.password: auditlogpassword searchguard.audit.config.enable_ssl: true Webhooks: searchguard.audit.config.webhook.url: “https://siem.example.com/ingest” searchguard.audit.config.webhook.format: JSON
© 2018 floragunn GmbH - All Rights Reserved ADDITIONAL RESOURCES Configuring Search Guard audit logging https://docs.search-guard.com/latest/audit-logging-compliance Configuring storage endpoints https://docs.search-guard.com/latest/audit-logging-storage Audit events field reference https://docs.search-guard.com/latest/audit-logging-reference 10.
SEARCH GUARD info@search-guard.com © 2018 floragunn GmbH - All Rights Reserved SEND US A MESSAGE: 15
© 2018 floragunn GmbH - All Rights Reserved floragunn GmbH Tempelhofer Ufer 16 D-10963 Berlin, Germany 
 E-Mail: info@search-guard.com Web: search-guard.com Managing Directors: Claudia Kressin, Jochen Kressin
 Registergericht: Amtsgericht Charlottenburg 
 Registernummer: HRB 147010 B E-Mail: info@floragunn.com Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.

Recommended

Asp for sap_data_sheet___appsian_application_security_platform_2019
Asp for sap_data_sheet___appsian_application_security_platform_2019Asp for sap_data_sheet___appsian_application_security_platform_2019
Asp for sap_data_sheet___appsian_application_security_platform_2019Appsian
 
O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...
O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...
O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...NCCOMMS
 
Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign
 
Defence in Depth for your data in the cloud
Defence in Depth for your data in the cloudDefence in Depth for your data in the cloud
Defence in Depth for your data in the cloudAmazon Web Services
 
Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...
Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...
Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...Maarten Eekels
 
Logsign Forest Enterprise Solution Overview
Logsign Forest Enterprise Solution OverviewLogsign Forest Enterprise Solution Overview
Logsign Forest Enterprise Solution OverviewLogsign
 
Logsign Focus Overview
Logsign Focus OverviewLogsign Focus Overview
Logsign Focus OverviewLogsign
 
Secure Collaboration: Start classifying, labeling, and protecting your (most ...
Secure Collaboration: Start classifying, labeling, and protecting your (most ...Secure Collaboration: Start classifying, labeling, and protecting your (most ...
Secure Collaboration: Start classifying, labeling, and protecting your (most ...Bram de Jager
 

Recommended

Asp for sap_data_sheet___appsian_application_security_platform_2019
Asp for sap_data_sheet___appsian_application_security_platform_2019Asp for sap_data_sheet___appsian_application_security_platform_2019
Asp for sap_data_sheet___appsian_application_security_platform_2019Appsian
 
O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...
O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...
O365Con18 - Classify, Label and Protect your Data with Azure Information Prot...NCCOMMS
 
Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign
 
Defence in Depth for your data in the cloud
Defence in Depth for your data in the cloudDefence in Depth for your data in the cloud
Defence in Depth for your data in the cloudAmazon Web Services
 
Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...
Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...
Dutch Microsoft & Security Meetup - Ignite recap Microsoft 365 Security and C...Maarten Eekels
 
Logsign Forest Enterprise Solution Overview
Logsign Forest Enterprise Solution OverviewLogsign Forest Enterprise Solution Overview
Logsign Forest Enterprise Solution OverviewLogsign
 
Logsign Focus Overview
Logsign Focus OverviewLogsign Focus Overview
Logsign Focus OverviewLogsign
 
Secure Collaboration: Start classifying, labeling, and protecting your (most ...
Secure Collaboration: Start classifying, labeling, and protecting your (most ...Secure Collaboration: Start classifying, labeling, and protecting your (most ...
Secure Collaboration: Start classifying, labeling, and protecting your (most ...Bram de Jager
 
Search Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchSearch Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchJochen Kressin
 
Search Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchSearch Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchJochen Kressin
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
 
Search Guard Installation Quickstart | Security for Elasticsearch
Search Guard Installation Quickstart | Security for ElasticsearchSearch Guard Installation Quickstart | Security for Elasticsearch
Search Guard Installation Quickstart | Security for ElasticsearchJochen Kressin
 
Elasticsearch JSON web token authentication | Search Guard
Elasticsearch JSON web token authentication | Search GuardElasticsearch JSON web token authentication | Search Guard
Elasticsearch JSON web token authentication | Search GuardJochen Kressin
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Amazon Web Services
 
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Amazon Web Services
 
test-sgsgsgs.pptx
test-sgsgsgs.pptxtest-sgsgsgs.pptx
test-sgsgsgs.pptxshramangupta2
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDutyAmazon Web Services
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
 
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Amazon Web Services
 
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018Amazon Web Services
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon Web Services
 
Search Guard Architecure | Security for Elasticsearch
Search Guard Architecure | Security for ElasticsearchSearch Guard Architecure | Security for Elasticsearch
Search Guard Architecure | Security for ElasticsearchJochen Kressin
 
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Amazon Web Services
 
Cloudten aws-siem
Cloudten aws-siemCloudten aws-siem
Cloudten aws-siemPolarSeven Pty Ltd
 
AWS Meetup Nov 2015 - CloudTen Presentation
AWS Meetup Nov 2015 - CloudTen PresentationAWS Meetup Nov 2015 - CloudTen Presentation
AWS Meetup Nov 2015 - CloudTen PresentationPolarSeven Pty Ltd
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...Amazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design Amazon Web Services
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitivaDiego Iván Oliveros Acosta
 

More Related Content

Similar to Elasticsearch audit logging | Search Guard

Search Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchSearch Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchJochen Kressin
 
Search Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchSearch Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchJochen Kressin
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
 
Search Guard Installation Quickstart | Security for Elasticsearch
Search Guard Installation Quickstart | Security for ElasticsearchSearch Guard Installation Quickstart | Security for Elasticsearch
Search Guard Installation Quickstart | Security for ElasticsearchJochen Kressin
 
Elasticsearch JSON web token authentication | Search Guard
Elasticsearch JSON web token authentication | Search GuardElasticsearch JSON web token authentication | Search Guard
Elasticsearch JSON web token authentication | Search GuardJochen Kressin
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Amazon Web Services
 
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Amazon Web Services
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDutyAmazon Web Services
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
 
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Amazon Web Services
 
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018Amazon Web Services
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon Web Services
 
Search Guard Architecure | Security for Elasticsearch
Search Guard Architecure | Security for ElasticsearchSearch Guard Architecure | Security for Elasticsearch
Search Guard Architecure | Security for ElasticsearchJochen Kressin
 
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Amazon Web Services
 
AWS Meetup Nov 2015 - CloudTen Presentation
AWS Meetup Nov 2015 - CloudTen PresentationAWS Meetup Nov 2015 - CloudTen Presentation
AWS Meetup Nov 2015 - CloudTen PresentationPolarSeven Pty Ltd
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...Amazon Web Services
 

Similar to Elasticsearch audit logging | Search Guard (20)

Search Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchSearch Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for Elasticsearch
 
Search Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchSearch Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for Elasticsearch
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
 
Search Guard Installation Quickstart | Security for Elasticsearch
Search Guard Installation Quickstart | Security for ElasticsearchSearch Guard Installation Quickstart | Security for Elasticsearch
Search Guard Installation Quickstart | Security for Elasticsearch
 
Elasticsearch JSON web token authentication | Search Guard
Elasticsearch JSON web token authentication | Search GuardElasticsearch JSON web token authentication | Search Guard
Elasticsearch JSON web token authentication | Search Guard
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
 
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
 
test-sgsgsgs.pptx
test-sgsgsgs.pptxtest-sgsgsgs.pptx
test-sgsgsgs.pptx
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
 
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
 
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
 
Search Guard Architecure | Security for Elasticsearch
Search Guard Architecure | Security for ElasticsearchSearch Guard Architecure | Security for Elasticsearch
Search Guard Architecure | Security for Elasticsearch
 
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
 
Cloudten aws-siem
Cloudten aws-siemCloudten aws-siem
Cloudten aws-siem
 
AWS Meetup Nov 2015 - CloudTen Presentation
AWS Meetup Nov 2015 - CloudTen PresentationAWS Meetup Nov 2015 - CloudTen Presentation
AWS Meetup Nov 2015 - CloudTen Presentation
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 

Recently uploaded

GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 

Recently uploaded (20)

GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 

Elasticsearch audit logging | Search Guard

  • 1. SEARCH GUARD AUDIT LOGGING © 2018 floragunn GmbH - All Rights Reserved
  • 2. © 2018 floragunn GmbH - All Rights Reserved WHAT IS AUDITLOGGING Track irregular, security-related events, e.g. failed log in attempts missing privileges spoofed HTTP headers Track regular events Login events Executed actions like searches or aggregations Can be logged to different output channels Elasticsearch, Kafka, Cassandra, Webhooks, etc. 01.
  • 3. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE Enterprise Edition Search Guard https://example.com:9200 Logging Cluster Access attempt Intercepts request Allows / disallows request Forwards events to audit log Search Guard Audit Logging Evalutes event category Gathers meta information Logs event to configured endpoint(s) Elasticsearch
  • 4. © 2018 floragunn GmbH - All Rights Reserved EVENT CATEGORIES FAILED_LOGIN The user credentials of a request could not be validated. Most likely because the user does not exist or the password is incorrect AUTHENTICATED The provided user credentials were authenticated successfully MISSING_PRIVILEGES The user is authenticated but lacks the respective privileges for the requested action GRANTED_PRIVILEGES Represents a successfully executed action, e.g., a search request 02.
  • 5. © 2018 floragunn GmbH - All Rights Reserved EVENT CATEGORIES SSL_EXCEPTION An attempt was made to access Elasticsearch without a valid SSL/TLS certificate. BAD_HEADERS An attempt was made to spoof a request with Search Guard internal headers SG_INDEX_ATTEMPT An attempt was made to access the Search Guard internal user- and privileges index without a valid admin TLS certificate 03.
  • 6. © 2018 floragunn GmbH - All Rights Reserved EVENT CONTENT Category FAILED_LOGIN, MISSING_PRIVILEGS Username if available for the logged category Metadata Timestamp, remote IP, node name, cluster name, layer (REST/transport), etc. Request type E.g. SearchRequest, GetIndexRequest, GetMappingsRequest … 04.
  • 7. © 2018 floragunn GmbH - All Rights Reserved EXTENDED LOGGING Indices affected by the request Enable by: searchguard.audit.resolve_indices: true Indices need to be resolved before the event is logged Slight performance overhead Request body E.g., executed query, indexed document Enable by: searchguard.audit.log_request_body: true Increases event size 05.
  • 8. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE audit_cluster_name: "searchguard_demo", ... audit_transport_request_type: "SearchRequest", audit_category: "MISSING_PRIVILEGES", audit_request_origin: "REST", … audit_request_body: "{"query":{"match":{"Designation": {"auto_generate_synonyms_phrase_query":true,"query":"CEO","zero_terms_query":"NONE","fuzzy_transpositions ":true,"boost":1.0,"prefix_length":0,"operator":"OR","lenient":false,"max_expansions":50}}}}", … audit_request_layer: "TRANSPORT", audit_request_effective_user: “jdoe", audit_trace_resolved_indices: [ "humanresources" ]
  • 9. © 2018 floragunn GmbH - All Rights Reserved EVENT STORAGE Log events are stored asynchronously Minimizes performance impact Thread pool can be optimized Log events can come from any node Only centralized storage is useful Search Guard ships with pre-defined storage endpoints Own implementations also possible 06.
  • 10. © 2018 floragunn GmbH - All Rights Reserved PRE-DEFINED STORAGE ENDPOINTS Events can be shipped to one or more storage endpoints Internal Elasticsearch Stores events on the same cluster they have been generated on External Elasticsearch Stores events on a remote Elasticsearch cluster Webhooks Any system that supports GET or POST webhooks log4j Kafka, Cassandra, SNMP, Mail, etc. 07.
  • 11. © 2018 floragunn GmbH - All Rights Reserved DATA CONSISTENCY Security events must be tamper-proof Security events must not be changed once they are written Immutable indices Any index can be marked “immutable” “write-once / read many” Documents can be indexed, but not changed afterward Immutable indices cannot be deleted or closed Ideal for storing audit events 08.
  • 12. © 2018 floragunn GmbH - All Rights Reserved CONFIGURATION Audit logging is configured statically, not dynamically in elasticsearch.yml Due to security considerations Audit logging must not be disabled by any unauthorized user Configuration must not be changed by any unauthorized user Logged events and data must be predictable and consistent over time Any change to the audit logging configuration requires a cluster restart 09.
  • 13. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE Internal: searchguard.audit.type: internal_elasticsearch searchguard.audit.config.index: auditlog External: searchguard.audit.type: external_elasticsearch searchguard.audit.config.http_endpoints: [‘es1.example.com’,’es2.example.com’]” searchguard.audit.config.index: auditlog searchguard.audit.config.username: auditloguser searchguard.audit.config.password: auditlogpassword searchguard.audit.config.enable_ssl: true Webhooks: searchguard.audit.config.webhook.url: “https://siem.example.com/ingest” searchguard.audit.config.webhook.format: JSON
  • 14. © 2018 floragunn GmbH - All Rights Reserved ADDITIONAL RESOURCES Configuring Search Guard audit logging https://docs.search-guard.com/latest/audit-logging-compliance Configuring storage endpoints https://docs.search-guard.com/latest/audit-logging-storage Audit events field reference https://docs.search-guard.com/latest/audit-logging-reference 10.
  • 15. SEARCH GUARD info@search-guard.com © 2018 floragunn GmbH - All Rights Reserved SEND US A MESSAGE: 15
  • 16. © 2018 floragunn GmbH - All Rights Reserved floragunn GmbH Tempelhofer Ufer 16 D-10963 Berlin, Germany 
 E-Mail: info@search-guard.com Web: search-guard.com Managing Directors: Claudia Kressin, Jochen Kressin
 Registergericht: Amtsgericht Charlottenburg 
 Registernummer: HRB 147010 B E-Mail: info@floragunn.com Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.