
ELASTIC SIEM FUNDAMENTALS

An Elastic Training Course

7.5.1

elastic.co/training
Course: ELASTIC SIEM FUNDAMENTALS

Version 7.5.1

© 2016-2020 Elasticsearch BV. All rights reserved. Decompiling, copying, publishing and/or distribution without written consent of Elasticsearch BV is strictly prohibited.

Copyright Elasticsearch BV 2016-2020. Copying, publishing and/or distributing without written permission is strictly prohibited.
Elastic SIEM Fundamentals

LESSON 1
ELASTIC SIEM UI
PROBLEM

[Slide diagram] Security data arrives from many disparate sources: a network tap, NetFlow, IDS alerts, NSM logs, server data, W10S data, containers, firewall logs, proxy logs and DNS logs. What the analyst needs from all of it is one pipeline: CENTRALIZE > MINE > CORRELATE > DETECT ANOMALY > VISUALIZE > ANALYZE > ALERT.

REQUIREMENTS

[Slide diagram] Three layers, each with its own requirements:

DISTRIBUTED SYSTEM: scalable, reliable, maintainable
SEARCH ENGINE: correlate, aggregate, geo search, IP search
USER INTERFACE: intuitive, analyze, visualize, configure

ELASTIC STACK OVERVIEW

[Slide diagram] INGEST (FILEBEAT, PACKETBEAT, WINLOGBEAT, AUDITBEAT, ...) | INDEX, QUERY, AGGREGATE | EXPLORE, VISUALIZE

ELASTIC SIEM OVERVIEW

Elastic SIEM Fundamentals

LESSON 1
REVIEW - ELASTIC SIEM UI
SUMMARY
‣ Being able to centralize, correlate, analyze, and aggregate security events from disparate sources is the essence of a SIEM's purpose

‣ Elastic SIEM is built on top of the Elastic Stack, adding a formal schema, a powerful set of UI elements for analyzing security events, and a growing number of pre-built machine learning jobs

‣ The Elastic SIEM Kibana UI includes an overview page, a hosts page, a network page and the timeline tool

QUIZ
1. The three ingest layer components of the Elastic Stack that provide network and host data integration for Elastic SIEM are Beats, Logstash and _______
a. Alerting
b. Elastic Machine Learning
c. Elastic Endpoint Security
d. Kibana

2. Which of the following tabs can be used to investigate uncommon processes?
a. Overview
b. Network
c. Host
d. Timelines

3. In Timeline, if you place the element "user.name" : "bgates" directly to the right of "os.family": "windows", what will the resulting relationship be?
a. "user.name" : "bgates" AND "os.family": "windows"
b. No Relation
c. "user.name" : "bgates" OR "os.family": "windows"
d. "user.name" : "bgates" XOR "os.family": "windows"

Elastic SIEM Fundamentals

LESSON 1
LAB - ELASTIC SIEM UI
Elastic SIEM Fundamentals

LESSON 2
GETTING SIEM DATA IN
SCHEMA

[Slide diagram] EVENTS arrive with inconsistent field names and shapes, for example:

{ "ts": "2019-12-16T02:25:02.157", "field1": "value 1", "ip": "10.10.250.52" }
{ "time": "2019-12-16T02:25:02", "field 1": "value 1", "source": { "ip": "10.10.250.52" } }

A TRANSFORM step (T) maps every event onto one schema, so that the same field carries the same meaning regardless of which source produced it.

ELASTIC COMMON SCHEMA

[Slide diagram] Host A (10.10.10.251) talks to host B (172.16.32.251) through a FIREWALL, an IDS and an NSM sensor. Each product names the source address differently:

            FIREWALL   IDS         NSM
Source IP   src        source.ip   id.orig_h

Once every source is mapped to the ECS field source.ip, one question, "Show me all the events with source ip 10.10.10.251", returns the matching events from every index:

@timestamp                    _index
Jun 26, 2019 @ 10:18:08.754   fw_logs
Jun 26, 2019 @ 10:18:08.765   zeek
Jun 26, 2019 @ 10:18:08.839   suricata
Jun 26, 2019 @ 10:18:08.982   winlogbeat

https://github.com/elastic/ecs
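The field mapping on this slide, as an added example that is not part of the course material: vendor-specific source-address and timestamp fields are mapped onto ECS names, and a single source.ip lookup then spans every index. The vendor field names src, source.ip and id.orig_h come from the slide; the per-source timestamp field names and the sample events are constructed for the example.

```python
# Added example (not from the course): normalise vendor-specific source-IP
# and timestamp fields into ECS so one query spans every index.
from datetime import datetime

# ECS field -> vendor field, per index. The source-IP names are from the
# slide; the timestamp field names are assumptions for this example.
FIELD_MAPS = {
    "fw_logs":  {"source.ip": "src",       "@timestamp": "time"},
    "suricata": {"source.ip": "source.ip", "@timestamp": "timestamp"},
    "zeek":     {"source.ip": "id.orig_h", "@timestamp": "ts"},
}

def get_path(doc, dotted):
    """Resolve 'a.b' either as a literal dotted key or through nested dicts."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def to_ecs(index, raw):
    """Return a flat ECS-style dict; a missing required field is an error."""
    out = {"_index": index}
    for ecs_field, vendor_field in FIELD_MAPS[index].items():
        value = get_path(raw, vendor_field)
        if value is None:
            raise ValueError(f"{index}: missing {vendor_field} for {ecs_field}")
        out[ecs_field] = value
    # Parse the timestamp so events from all indices sort together.
    out["@timestamp"] = datetime.fromisoformat(str(out["@timestamp"]))
    return out

# Constructed sample events, one shape per index (not real captures).
RAW_EVENTS = [
    ("fw_logs",  {"time": "2019-06-26T10:18:08.754", "src": "10.10.10.251", "dst": "172.16.32.251"}),
    ("zeek",     {"ts": "2019-06-26T10:18:08.765", "id": {"orig_h": "10.10.10.251", "resp_h": "172.16.32.251"}}),
    ("suricata", {"timestamp": "2019-06-26T10:18:08.839", "source": {"ip": "10.10.10.251"}}),
    ("zeek",     {"ts": "2019-06-26T10:18:09.100", "id": {"orig_h": "10.10.10.17", "resp_h": "172.16.32.251"}}),
]

def events_from(source_ip, raw_events=RAW_EVENTS):
    """ECS version of 'show me all events with source ip X', across indices."""
    docs = [to_ecs(index, raw) for index, raw in raw_events]
    hits = [d for d in docs if d["source.ip"] == source_ip]
    return sorted(hits, key=lambda d: d["@timestamp"])
```

Without the mapping step the same question needs three different field names and three different queries; with it, events_from("10.10.10.251") returns the firewall, Zeek and Suricata hits in time order.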

BEATS

[Slide diagram] Network data sources (IDS, NSM, FW) and hosts are shipped into the stack by the Beats: WINLOGBEAT, FILEBEAT, AUDITBEAT and PACKETBEAT.

RIGHT TOOL FOR THE DATA

NETWORK DATA
- PACKETBEAT: DNS, TLS, other
- FILEBEAT: Zeek NSM, Suricata IDS, iptables/Ubiquiti, CoreDNS, Envoy proxy (K8s), Palo Alto firewall, Cisco ASA firewall

HOST DATA
- AUDITBEAT: system, auditd, file integrity
- WINLOGBEAT

Elastic SIEM Fundamentals

LESSON 2
REVIEW - GETTING SIEM DATA IN
SUMMARY
‣ ECS defines a common set of fields to be used when storing event data, such as logs and metrics, in Elasticsearch

‣ All Beats can ship data to Elasticsearch in ECS format

‣ Packetbeat and Filebeat are helpful for ingesting logs and network data into Elastic SIEM

‣ Auditbeat and Winlogbeat are used to ship host data into Elastic SIEM

QUIZ
1. Every event should contain a timestamp.
a. True
b. False

2. Beats installed using a .deb or .rpm distribution can be configured using the <beat_name>.yml file located in which of the following?
a. /usr/share/<beat_name>/<beat_name>.cfg
b. /etc/<beat_name>/<beat_name>.cfg
c. /etc/<beat_name>/<beat_name>.yml
d. /home/<user>/<beat_name>/config/<beat_name>.yml

3. Which command would you use to turn on a Filebeat module?
a. filebeat <module_name> on
b. filebeat enable <module_name>
c. filebeat <module_name> enable
d. filebeat -e <module_name>

Elastic SIEM Fundamentals

LESSON 3
ANOMALY DETECTION
ANOMALY DETECTION IN A NUTSHELL

[Slide diagram]
DATA FEED: real-time data and historical data
JOB: what to look for, expressed as functions, fields and influencers
BASELINES (normal_behavior): how the data normally tends to behave
ANOMALIES: anything outside normal

OVERVIEW OF PREBUILT JOBS

Elastic SIEM Fundamentals

LESSON 3
REVIEW - ANOMALY DETECTION
SUMMARY
‣ Anomaly detection can be used to analyze time series data by creating accurate baselines of normal behavior and identifying anomalous patterns in your dataset

‣ The SIEM app comes with prebuilt machine learning anomaly detection jobs for automatically detecting host and network anomalies

‣ To gain clearer insights into real threats, it is possible to tune the anomaly results

QUIZ
1. Machine Learning functionality is available throughout the SIEM app for which of the following deployments?
a. Basic
b. Free Trial
c. Platinum Subscription
d. Elastic Cloud

2. The Anomalies tab, which shows details of detected anomalies, is available in which of the following pages within the SIEM app?
a. Overview
b. Hosts
c. Network
d. Timelines

3. Results of anomaly detection can never be improved.
a. True
b. False
Elastic SIEM Fundamentals

LESSON 3
LAB - ANOMALY DETECTION
QUIZ ANSWERS
Thank You!
Please complete the online survey.
