Visualizing Dashboards and ELK SIEM

Ibrahim Ayadhi
Apr 13, 2020

Welcome to our second article of this series. I encourage you all to check the previous article to have a better understanding of what we are going to discuss here.

The article is divided into these sections:

1- Walk-through of ELK SIEM

2- Default dashboards

3- Creating your first dashboard

1- Walk-through of ELK SIEM

ELK SIEM was added to the ELK Stack in the 7.2 release, on 25 June 2019.

It is a SIEM solution created by elastic.co to make the life of security analysts much easier and less tedious.

In our solution we decided to build our own SIEM and choose our own dashboards.

But we believe it is fundamental to have a look at ELK SIEM first.

1.1- Host events section:

First, we will cover the host section. The host section lets you see the events generated on the endpoints themselves.

After clicking on View hosts, you should get something like this. As you can see, we have three hosts connected to this machine:
- 1 Windows 10
- 2 Ubuntu Server 18.04

Several visualizations are displayed, each showing a different type of event.
For example, the one in the middle shows data about logins on all three machines.
The data you see here was collected over five days, which explains the large number of failed and successful logins. You will probably have a smaller number of logs, so no worries.

1.2- Network events section:

Moving on to the network section, you should get something like this. This section gives you an eagle eye on everything that is happening within your network, from HTTP/TLS traffic to DNS traffic and even external alerts.

2- Default dashboards:

In order to make life easier for users, the developers at elastic.co have created a default dashboard for each beat officially supported by ELK. Our beats were no exception to this rule. Here I will take the default dashboards of Packetbeat as an example.

If you have followed the steps of the second article correctly, your dashboards should already be set up and waiting for you. So, let's get going.
On the left tab of Kibana select the dashboard symbol. It is the third one counting from the top.
Type the name of the beat in the search tab.
If the beat has several modules, a dashboard is created for each of them, but only the one for the active module will display non-empty data.

Select the one with the name of your module.

This is the main dashboard, the Packetbeat overview.

This is the network flows dashboard. It informs us about incoming and outgoing packets, source and destination IPs, and a lot of other information useful to a security operations center analyst.

3- Creating your first dashboard

3–1- Basic Concepts:

A- Types of visualizations:

These are the various types of visualizations you can use to visualize your data.

For example, we have:

  • Bar chart
  • Map
  • Markdown widget
  • Pie chart

B- KQL (Kibana Query Language):

KQL is the language used by Kibana to search through the data in a user-friendly way. It lets you check whether certain data exists, among many other useful features. To learn more, you can check this link:

https://www.elastic.co/guide/en/kibana/current/kuery-query.html

This is an example of a query that searches for hosts running Windows 10 Pro.

C- Filters:

This feature lets you filter on certain parameters, for example the host name, the code or ID of an event, etc. Filters greatly improve the investigation phase in terms of the time and effort spent searching for clues.

D- First visualization:

We will create a visualization for MITRE ATT&CK.
First we need to go to:
Dashboard → Create new dashboard → Create new → Pie
Set the type to index pattern, then type the name of your beat.

Press Enter. By now you should see a green donut.
In Buckets on the left, you will find:

- Split slices splits the donut into different parts depending on the variance of the data.

- Split chart creates another donut next to this one.

We will be using Split slices.
In Aggregation select Terms. We will visualize our data according to a term of our choice; in this case the term will be related to MITRE ATT&CK.

In Winlogbeat, the field that provides this information is called:

winlog.event_data.RuleName

Under Order by, select the Count metric to order the events by the number of their occurrences.

Enable Group other values in separate bucket.
This comes in handy if the term you have chosen has many different values coming from the beat: it lets you visualize the rest of the data as one slice, which gives you an insight into the percentage of the remaining events.

Now that we have finished configuring the Data tab, let's move to the Options tab.

Set the following options:

** Remove the donut shape to have a full circle in the visualization.

** Choose the legend position you like. In this case we will display it on the right.

** Enable Show values so they appear next to their slice for easier reading, and keep the rest at their defaults.

Truncate determines how much of the event name is displayed.

Set the time you want the visualization to start from, then click the blue square.

You should get something similar to this:

You can also add a filter to your visualization to restrict it to a certain host you would like to check, or to any other parameter you find useful for your objective. The visualization will only display data matching the rule placed in the filter. In this case we will display only the MITRE ATT&CK data coming from the host called win10.
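As an added example (not code from the article or from Elastic), the Python below reproduces over constructed Winlogbeat-style sample events what the pie visualization configured above does: filter by host and start time, count the values of winlog.event_data.RuleName, keep the top N terms and fold the rest into an Other slice with its percentage. It also builds the Elasticsearch terms-aggregation request behind that visualization and notes the equivalent KQL from section B. The host name win10 and the field name come from the article; the sample events and rule names are constructed.

```python
from collections import Counter

RULE_FIELD = "winlog.event_data.RuleName"   # Sysmon rule name carrying the ATT&CK tag
# Equivalent KQL for Kibana's search bar: host.name : "win10" and winlog.event_data.RuleName : *

def ev(ts, host, rule=None):
    return {"@timestamp": ts, "host": {"name": host},
            "winlog": {"event_data": {"RuleName": rule} if rule else {}}}

# Constructed sample events (not data from the article); rule names mimic a Sysmon config tagged with ATT&CK.
CLI, PS, CRED, TASK = ("T1059 Command-Line Interface", "T1086 PowerShell",
                       "T1003 Credential Dumping", "T1053 Scheduled Task")
EVENTS = [
    ev("2020-04-10T08:00:00Z", "win10", CLI), ev("2020-04-10T09:30:00Z", "win10", CLI),
    ev("2020-04-11T10:00:00Z", "win10", CRED), ev("2020-04-11T11:00:00Z", "win10", PS),
    ev("2020-04-12T07:15:00Z", "win10", PS), ev("2020-04-12T08:45:00Z", "win10", CLI),
    ev("2020-04-12T09:00:00Z", "win10", TASK),
    ev("2020-04-12T09:05:00Z", "ubuntu-srv", CLI),  # dropped by the host filter
    ev("2020-04-01T12:00:00Z", "win10", CLI),       # dropped by the time range
    ev("2020-04-12T09:10:00Z", "win10"),            # no RuleName: a terms aggregation skips it
]

def get_field(doc, path):
    # Winlogbeat nests fields; resolve the dotted name Kibana displays against the document.
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def pie_slices(events, host, start, size):
    # "Split slices / Terms, order by Count" with "Group other values in separate bucket":
    # keep the top `size` rule names of the filtered events and fold the rest into Other.
    counts = Counter()
    for doc in events:
        rule = get_field(doc, RULE_FIELD)
        # Same-format ISO-8601 UTC timestamps compare correctly as text.
        if get_field(doc, "host.name") == host and doc["@timestamp"] >= start and rule is not None:
            counts[rule] += 1
    top = counts.most_common(size)
    other = sum(counts.values()) - sum(n for _, n in top)
    if other:
        top.append(("Other", other))
    total = sum(n for _, n in top)
    return [(name, n, round(100 * n / total, 1)) for name, n in top]

def es_request(host, start, size):
    # Elasticsearch request behind the same visualization: terms agg by count under a bool filter.
    return {"size": 0,
            "query": {"bool": {"filter": [{"term": {"host.name": host}},
                                          {"range": {"@timestamp": {"gte": start}}}]}},
            "aggs": {"rules": {"terms": {"field": RULE_FIELD, "size": size,
                                         "order": {"_count": "desc"}}}}}
```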

3–2- Creating your first dashboard:

A dashboard is a collection of many visualizations. Your dashboards should be clear, easy to understand, and show useful and deterministic data. Here is an example of a dashboard that we created from scratch for Winlogbeat.

Thank you for your time. I hope this article was of use to you. If you want more details about the subject, we recommend that you check the official documentation.

https://www.elastic.co/guide/en/kibana/current/tutorial-visualizing.html

Ibrahim Ayadhi

Penetration Tester | Red Team | OSEP | OSCP | CRTO | CEH Master | LPIC-1