Tripwire, profile picture
Uploaded byTripwire
PPTX, PDF11,863 views

My Bro The ELK

The document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze security logs and events. It describes how to ingest logs into Logstash, normalize the data through filtering and parsing, enrich it with threat intelligence and geolocation data, and visualize the results in Kibana. The TARDIS framework is introduced as a way to perform threat analysis, detection, and data intelligence on historical security logs processed through the ELK stack.

Technology
Related topics:
IT Security

Embed presentation

Downloaded 40 times
My Bro The ELK Obtaining Security Context from Security Events Travis Smith tsmith@tripwire.com
• What is the problem? • Who is the Bro? • What is an ELK? • Beefing up the ELK • Making Your Bro the ELK Intelligent • Visualization w/ Kibana • Introducing the TARDIS framework Agenda
• I’m a lumberjack and I’m OK • 10+ years in security • Security Researcher at Tripwire
conn.log dhcp.log dnp3.log dns.log ftp.log http.log irc.log known_services.log modbus.log ius.log smtp.log snmp.log ssh.log ssl.log syslog.log tunnel.log intel.log notice.log
INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+ More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+ More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
Threat Intelligence Made Easy
98 Threat Feeds 800,000+ Indicators Critical Stack Agent
• Utilizing Custom Patterns • GROK Message Filtering • Adding Custom Fields • Adding Geo IP Data • Date Match • Using Translations for Threat Intel Logstash Filtering
filter { grok { match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" } } } Logstash Configuration
filter { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } /opt/logstash/custom_patterns/bro.rule 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Utilize Custom Patterns
filter { if [message] =~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } } Message Filtering 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Remove Capture Groups
filter { if [message] =~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } add_field => [ "rule_id", "291001" ] add_field => [ "Device Type", "IPSIDSDevice" ] add_field => [ "Object", "NetworkTraffic" ] add_field => [ "Action", "General" ] add_field => [ "Status", "Informational" ] } } } Add Custom Fields
filter { …..all normalization code above here…. geoip { source => "evt_dstip" target => "geoip_dst" database => “/etc/logstash/conf.d/GeoLiteCity.dat“ add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][longitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][latitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][city_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][continent_code]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][country_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][postal_code]}" ]} mutate { convert => [ "[geoip_dst][coordinates]", "float"] } } Geo IP New ElasticSearch Template Needed
GeoIP Template Update curl -XGET localhost:9200/_template/logstash {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip_dst":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … curl -XPUT localhost:9200/_template/logstash -d ‘….’
filter { ....all normalization code above here…. .…all GeoIP code here.... date { match => [ "start_time", "UNIX" ] } } Date Match
filter { ....all normalization code above here…. .…all GeoIP code here.... translate { field => "evt_dstip" destination => "tor_exit_IP" dictionary_path => '/etc/logstash/conf.d/torexit.yaml' } } • Run Scripts to update the YAML files on a regular basis • Logstash will check the YAML for updates every 300 seconds – Configurable by adding refresh_interval => numSeconds Threat Intel "162.247.72.201": "YES" "24.187.20.8": "YES" "193.34.117.51": "YES" torexit.yaml
Custom Fields: "Device Type" => "IPSIDSDevice" "Object" => "HTTP" "Action" => "General" "Status" => "Informational" Threat Intel Translations: "tor_exit_IP" => "YES" "malicious_IP" => "YES" Geo IP Data: "country_code2" => "RU" "country_code3" => "RUS" "country_name" => "Russian Federation" "continent_code" => "EU" "city_name" => "Moscow" "postal_code" => "121087" "latitude" => 55.75219999999999 "longitude" => 37.6156 "timezone" => "Europe/Moscow"
• Threat Analysis, Reconnaissance, & Data Intelligence System • Historical exploit/IOC detection • Time Lord of forensic log data • Available at https://github.com/tripwire/tardis • Demo at Arsenal Thursday @ 12:45 The TARDIS Framework
10.10.10.10- - [06/Aug/2015:05:00:38 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd“ 10.10.10.10- - [06/Aug/2015:05:00:39 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:40 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:41 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:42 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:43 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd"
• Use NSM With Log • Security Tools Are Better With Intelligence • Take Integrations to the Next Level With TARDIS Sound Bytes
Travis Smith tsmith@tripwire.com https://github.com/Tripwire/tardis https://github.com/TravisFSmith/MyBroElk Thank You

More Related Content

PDF
"A rootkits writer’s guide to defense" - Michal Purzynski
byPROIDEA
 
PDF
Modern Reconnaissance Phase on APT - protection layer
byShakacon
 
PDF
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
byPROIDEA
 
PPTX
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
byChristopher Gerritz
 
PPTX
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
byChristopher Gerritz
 
PPTX
Purpose Driven Hunt (DerbyCon 2017)
byJared Atkinson
 
PPTX
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
byAll Things Open
 
PPTX
Incident Response for the Work-from-home Workforce
byChristopher Gerritz
 
"A rootkits writer’s guide to defense" - Michal Purzynski
byPROIDEA
 
Modern Reconnaissance Phase on APT - protection layer
byShakacon
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
byPROIDEA
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
byChristopher Gerritz
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
byChristopher Gerritz
 
Purpose Driven Hunt (DerbyCon 2017)
byJared Atkinson
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
byAll Things Open
 
Incident Response for the Work-from-home Workforce
byChristopher Gerritz
 

What's hot

PDF
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
PDF
Lateral Movement: How attackers quietly traverse your Network
byEC-Council
 
PPT
Malware Analysis Made Simple
byPaul Melson
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
Mobile Analytics mit Elasticsearch und Kibana
byinovex GmbH
 
PPT
Applied Detection and Analysis with Flow Data - SO Con 2014
bychrissanders88
 
PPTX
The Background Noise of the Internet
byAndrew Morris
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
PPTX
Ad, mimikatz, ata and (awe)some evasion techniques
byGuglielmo Scaiola
 
PPT
Fileextraction with suricata
byMrArora Arjuna
 
PPTX
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
byNahidul Kibria
 
PDF
[OPD 2019] Attacking JWT tokens
byOWASP
 
PDF
Web security for developers
bySunny Neo
 
PPTX
Shmoocon Epilogue 2013 - Ruining security models with SSH
byAndrew Morris
 
PPTX
Using Cryptography Properly in Applications
byGreat Wide Open
 
PDF
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
byRootedCON
 
PPTX
Paranoia 2018: A Process is No One
byJared Atkinson
 
PDF
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
PDF
Death of Web App Firewall
byBrian A. McHenry
 
PPTX
Death of WAF - GoSec '15
byBrian A. McHenry
 
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
Lateral Movement: How attackers quietly traverse your Network
byEC-Council
 
Malware Analysis Made Simple
byPaul Melson
 
Detection Rules Coverage
bySunny Neo
 
Mobile Analytics mit Elasticsearch und Kibana
byinovex GmbH
 
Applied Detection and Analysis with Flow Data - SO Con 2014
bychrissanders88
 
The Background Noise of the Internet
byAndrew Morris
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
Ad, mimikatz, ata and (awe)some evasion techniques
byGuglielmo Scaiola
 
Fileextraction with suricata
byMrArora Arjuna
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
byNahidul Kibria
 
[OPD 2019] Attacking JWT tokens
byOWASP
 
Web security for developers
bySunny Neo
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
byAndrew Morris
 
Using Cryptography Properly in Applications
byGreat Wide Open
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
byRootedCON
 
Paranoia 2018: A Process is No One
byJared Atkinson
 
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
Death of Web App Firewall
byBrian A. McHenry
 
Death of WAF - GoSec '15
byBrian A. McHenry
 

Viewers also liked

PDF
Dreaming of IoCs Adding Time Context to Threat Intelligence
byPriyanka Aash
 
PDF
Null Bachaav - May 07 Attack Monitoring workshop.
byPrajal Kulkarni
 
PPTX
Attack monitoring using ElasticSearch Logstash and Kibana
byPrajal Kulkarni
 
PPTX
Automating for NERC CIP-007-5-R1
byTripwire
 
PPTX
Advanced Vulnerability Scoring and Prioritization
byTripwire
 
PPTX
Tripwire IP360 Learning Labs - Scanning the Hard to Reach Places
byTripwire
 
PPTX
Mastering Advanced Security Profiling Language (ASPL)
byTripwire
 
PPTX
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
byTripwire
 
PDF
"How about no grep and zabbix?". ELK based alerts and metrics.
byVladimir Pavkin
 
PPTX
Network Situational Awareness using Tripwire IP360
byTripwire
 
PPTX
Deploying E.L.K stack w Puppet
byColin Brown
 
PDF
elk_stack_alexander_szalonnas
byAlexander Szalonnas
 
PDF
Elk devops
byIdeato
 
PDF
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
byPuppet
 
PPTX
ELK at LinkedIn - Kafka, scaling, lessons learned
byTin Le
 
PDF
Shipping & Visualize Your Data With ELK
byAdam Chen
 
PPTX
Are You Prepared For More High-Impact Vulnerabilties?
byTripwire
 
PPTX
How to Improve Your Board’s Cyber Security Literacy
byTripwire
 
PDF
Industry Insights from Infosecurity Europe 2016
byTripwire
 
PPTX
5 Habits of Highly Effective Endpoint Threat Protection
byTripwire
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
byPriyanka Aash
 
Null Bachaav - May 07 Attack Monitoring workshop.
byPrajal Kulkarni
 
Attack monitoring using ElasticSearch Logstash and Kibana
byPrajal Kulkarni
 
Automating for NERC CIP-007-5-R1
byTripwire
 
Advanced Vulnerability Scoring and Prioritization
byTripwire
 
Tripwire IP360 Learning Labs - Scanning the Hard to Reach Places
byTripwire
 
Mastering Advanced Security Profiling Language (ASPL)
byTripwire
 
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
byTripwire
 
"How about no grep and zabbix?". ELK based alerts and metrics.
byVladimir Pavkin
 
Network Situational Awareness using Tripwire IP360
byTripwire
 
Deploying E.L.K stack w Puppet
byColin Brown
 
elk_stack_alexander_szalonnas
byAlexander Szalonnas
 
Elk devops
byIdeato
 
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
byPuppet
 
ELK at LinkedIn - Kafka, scaling, lessons learned
byTin Le
 
Shipping & Visualize Your Data With ELK
byAdam Chen
 
Are You Prepared For More High-Impact Vulnerabilties?
byTripwire
 
How to Improve Your Board’s Cyber Security Literacy
byTripwire
 
Industry Insights from Infosecurity Europe 2016
byTripwire
 
5 Habits of Highly Effective Endpoint Threat Protection
byTripwire
 

Similar to My Bro The ELK

PDF
ciscoliveopensocmtd_vijay_sharma.pdf
byvijays2003vs
 
PDF
Aaron Mildenstein - Using Logstash with Zabbix
byZabbix
 
PDF
Dave Williams - Nagios Log Server - Practical Experience
byNagios
 
PDF
Présentation ELK/SIEM et démo Wazuh
byAurélie Henriot
 
PDF
Security Monitoring for big Infrastructures without a Million Dollar budget
byJuan Berner
 
PDF
ELK: a log management framework
byGiovanni Bechis
 
PPTX
ELK Stack
byPhuc Nguyen
 
PPTX
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
byForgeRock
 
PPT
Elk presentation 2#3
byuzzal basak
 
PDF
Log analysis with the elk stack
byVikrant Chauhan
 
PPTX
Log management with ELK
byGeert Pante
 
PDF
SecurityPI - Hardening your IoT endpoints in Home.
byLinuxCon ContainerCon CloudOpen China
 
PPTX
Search and analyze data in real time
byRohit Kalsarpe
 
PPT
ELK stack at weibo.com
by琛琳 饶
 
PPTX
Elk with Openstack
byArun prasath
 
PDF
Javantura v3 - ELK – Big Data for DevOps – Maarten Mulders
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PDF
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
byHernan Costante
 
PDF
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
byOntico
 
PPTX
The ELK Stack - Get to Know Logs
byGlobalLogic Ukraine
 
PDF
elkstack-161217091231.pdf
byAgusNursidik
 
ciscoliveopensocmtd_vijay_sharma.pdf
byvijays2003vs
 
Aaron Mildenstein - Using Logstash with Zabbix
byZabbix
 
Dave Williams - Nagios Log Server - Practical Experience
byNagios
 
Présentation ELK/SIEM et démo Wazuh
byAurélie Henriot
 
Security Monitoring for big Infrastructures without a Million Dollar budget
byJuan Berner
 
ELK: a log management framework
byGiovanni Bechis
 
ELK Stack
byPhuc Nguyen
 
Customer Intelligence: Using the ELK Stack to Analyze ForgeRock OpenAM Audit ...
byForgeRock
 
Elk presentation 2#3
byuzzal basak
 
Log analysis with the elk stack
byVikrant Chauhan
 
Log management with ELK
byGeert Pante
 
SecurityPI - Hardening your IoT endpoints in Home.
byLinuxCon ContainerCon CloudOpen China
 
Search and analyze data in real time
byRohit Kalsarpe
 
ELK stack at weibo.com
by琛琳 饶
 
Elk with Openstack
byArun prasath
 
Javantura v3 - ELK – Big Data for DevOps – Maarten Mulders
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
byHernan Costante
 
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
byOntico
 
The ELK Stack - Get to Know Logs
byGlobalLogic Ukraine
 
elkstack-161217091231.pdf
byAgusNursidik
 

More from Tripwire

PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
byTripwire
 
PPTX
Defending Critical Infrastructure Against Cyber Attacks
byTripwire
 
PPTX
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
byTripwire
 
PDF
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
byTripwire
 
PPTX
Tripwire Energy Working Group Session w/Dale Peterson
byTripwire
 
PPTX
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
byTripwire
 
PDF
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
byTripwire
 
PDF
Data Privacy Day 2022: Tips to Ensure Data Privacy
byTripwire
 
PDF
World Book Day: Cybersecurity’s Quietest Celebration
byTripwire
 
PPTX
Tripwire Energy Working Group: TIV Demo
byTripwire
 
PDF
Key Challenges Facing IT/OT: Hear From The Experts
byTripwire
 
PPTX
Tripwire Energy Working Group: Keynote w/Patrick Miller
byTripwire
 
PPTX
Tripwire Energy Working Group: Customer Session with Chase Cole
byTripwire
 
PDF
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
byTripwire
 
PDF
Tripwire Retail Security 2020 Survey: Key Findings
byTripwire
 
PDF
A Look Back at 2018: The Most Memorable Cyber Moments
byTripwire
 
PDF
Tripwire 2019 Skills Gap Survey: Key Findings
byTripwire
 
PDF
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
byTripwire
 
PDF
The Adventures of Captain Tripwire: Coloring Book!
byTripwire
 
PDF
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
byTripwire
 
Defend Your Data Now with the MITRE ATT&CK Framework
byTripwire
 
Defending Critical Infrastructure Against Cyber Attacks
byTripwire
 
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
byTripwire
 
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
byTripwire
 
Tripwire Energy Working Group Session w/Dale Peterson
byTripwire
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
byTripwire
 
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
byTripwire
 
Data Privacy Day 2022: Tips to Ensure Data Privacy
byTripwire
 
World Book Day: Cybersecurity’s Quietest Celebration
byTripwire
 
Tripwire Energy Working Group: TIV Demo
byTripwire
 
Key Challenges Facing IT/OT: Hear From The Experts
byTripwire
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
byTripwire
 
Tripwire Energy Working Group: Customer Session with Chase Cole
byTripwire
 
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
byTripwire
 
Tripwire Retail Security 2020 Survey: Key Findings
byTripwire
 
A Look Back at 2018: The Most Memorable Cyber Moments
byTripwire
 
Tripwire 2019 Skills Gap Survey: Key Findings
byTripwire
 
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
byTripwire
 
The Adventures of Captain Tripwire: Coloring Book!
byTripwire
 
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
byTripwire
 

Recently uploaded

PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
Laravel Up Running, 3rd Edition A Framework for Building Modern PHP Apps (Mat...
byNEXACORE
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PDF
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PPTX
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PDF
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Laravel Up Running, 3rd Edition A Framework for Building Modern PHP Apps (Mat...
byNEXACORE
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 

My Bro The ELK

  • 1.
    My Bro TheELK Obtaining Security Context from Security Events Travis Smith tsmith@tripwire.com
  • 2.
    • What isthe problem? • Who is the Bro? • What is an ELK? • Beefing up the ELK • Making Your Bro the ELK Intelligent • Visualization w/ Kibana • Introducing the TARDIS framework Agenda
  • 3.
    • I’m alumberjack and I’m OK • 10+ years in security • Security Researcher at Tripwire
  • 6.
  • 7.
    INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
  • 8.
    INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
  • 11.
  • 12.
    98 Threat Feeds 800,000+Indicators Critical Stack Agent
  • 13.
    • Utilizing CustomPatterns • GROK Message Filtering • Adding Custom Fields • Adding Geo IP Data • Date Match • Using Translations for Threat Intel Logstash Filtering
  • 14.
    filter { grok { match=> { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" } } } Logstash Configuration
  • 15.
    filter { grok { patterns_dir=> "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } /opt/logstash/custom_patterns/bro.rule 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Utilize Custom Patterns
  • 16.
    filter { if [message]=~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } } Message Filtering 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Remove Capture Groups
  • 17.
    filter { if [message]=~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } add_field => [ "rule_id", "291001" ] add_field => [ "Device Type", "IPSIDSDevice" ] add_field => [ "Object", "NetworkTraffic" ] add_field => [ "Action", "General" ] add_field => [ "Status", "Informational" ] } } } Add Custom Fields
  • 18.
    filter { …..all normalizationcode above here…. geoip { source => "evt_dstip" target => "geoip_dst" database => “/etc/logstash/conf.d/GeoLiteCity.dat“ add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][longitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][latitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][city_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][continent_code]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][country_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][postal_code]}" ]} mutate { convert => [ "[geoip_dst][coordinates]", "float"] } } Geo IP New ElasticSearch Template Needed
  • 19.
    GeoIP Template Update curl-XGET localhost:9200/_template/logstash {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip_dst":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … curl -XPUT localhost:9200/_template/logstash -d ‘….’
  • 20.
    filter { ....all normalizationcode above here…. .…all GeoIP code here.... date { match => [ "start_time", "UNIX" ] } } Date Match
  • 21.
    filter { ....all normalizationcode above here…. .…all GeoIP code here.... translate { field => "evt_dstip" destination => "tor_exit_IP" dictionary_path => '/etc/logstash/conf.d/torexit.yaml' } } • Run Scripts to update the YAML files on a regular basis • Logstash will check the YAML for updates every 300 seconds – Configurable by adding refresh_interval => numSeconds Threat Intel "162.247.72.201": "YES" "24.187.20.8": "YES" "193.34.117.51": "YES" torexit.yaml
  • 22.
    Custom Fields: "Device Type"=> "IPSIDSDevice" "Object" => "HTTP" "Action" => "General" "Status" => "Informational" Threat Intel Translations: "tor_exit_IP" => "YES" "malicious_IP" => "YES" Geo IP Data: "country_code2" => "RU" "country_code3" => "RUS" "country_name" => "Russian Federation" "continent_code" => "EU" "city_name" => "Moscow" "postal_code" => "121087" "latitude" => 55.75219999999999 "longitude" => 37.6156 "timezone" => "Europe/Moscow"
  • 25.
    • Threat Analysis,Reconnaissance, & Data Intelligence System • Historical exploit/IOC detection • Time Lord of forensic log data • Available at https://github.com/tripwire/tardis • Demo at Arsenal Thursday @ 12:45 The TARDIS Framework
  • 26.
    10.10.10.10- - [06/Aug/2015:05:00:38-0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd“ 10.10.10.10- - [06/Aug/2015:05:00:39 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:40 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:41 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:42 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:43 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd"
  • 27.
    • Use NSMWith Log • Security Tools Are Better With Intelligence • Take Integrations to the Next Level With TARDIS Sound Bytes
  • 28.

Editor's Notes

  • #5 As the security maturity expands, so does complexity, costs, and data volumes
  • #6 -Typical logs collected are only the tip of the iceberg when it comes to analyzing threat data. Adding in session, packet string, and full packet captures is the best method to truly analyze threats against the organization. -Using a product like bro allows you to either analyze this information in real-time or in a post-mortem manner after a potential attack has occurred
  • #7 -Analyze network traffic in real-time or from packet captures -Application Layer analysis -Brogramming scripts to analyze protocol and application data, looking for suspicious activity -Ability to do SIEM type correlation
  • #8 -Use Logstash (or other LM products like TLC or Splunk) to ingest, normalize, and store data. -44 Inputs -40 Filters -54 Outputs
  • #9 -Use Logstash (or other LM products like TLC or Splunk) to ingest, normalize, and store data. -44 Inputs -40 Filters -54 Outputs
  • #10 -Cool visualizations with kibana to expose key data -Lots of information, but what does it mean
  • #11 -Collection of tons of valuable data, but what do we do with it all? -It’s not big data, it’s obese data -Looking for a needle in a pile of needles
  • #12 -Critical Stack for Bro makes starting out with Threat Intelligence incredibly easy. -Install the agent and automatically pull data that generates bro scripts from threat intel providers
  • #13 Single command to pull from 98 threat feeds which contain over 800k IoC’s
  • #15 -What a basic normalization rule looks like
  • #16 -Take the Oniguruma syntax out of the conf file and put it in a log file for each device in a custom patterns directory. -Makes management of normalization/parsing rules easier -Allows us to utilize add_field to our advantage
  • #17 We’ll need to filter each message to apply the add_field -Take the Oniguruma syntax and remove the column mappings to expose raw regex code
  • #18 -Add custom fields to find relevant data quickly in Kibana -Adding a rule ID will allow us to optimize the normalization engine in logstash by exposing the most commonly parsed logs in your environment
  • #19 -Get a copy of a GeoLiteCity database file and place it on the server -Reference an normalized IP address field in the source field -Create a new field in the target field to place all the GEO IP data in -Choose from a bunch of geo IP fields
  • #21 Not necessary when collecting logs in real time When you read pcap files and normalize the logs, this will take the timestamp from the log file, which bro uses from the PCAP file
  • #22 Use this for tor exit node IP’s, malicious IP’s, command and control servers, file hashes, etc. -Python scripts available to pull data and generate YAML files, only downside is it requires a restart of logstash to use the new YAML files -Translate plugin is a community-maintainted plugin, so you need to install it before adding it to the config file.
  • #24 -With the GEO IP we can now build maps with the data collected from BRO. -We can also start generating reports on known malicious IP’s, file hashes, etc. -Historograms can help pinpoint malicious activity, as seen here by a spike in malicious traffic around 11:25
  • #27 -Take a STIX/Cybox Artifact, convert it into a supported search string, and generate evidence of exloitation/attack from those signatures. -Can take this further, which we do internally by integrating with vulnerability management, FIM, threat intel, etc.