Creating detection rules in Elastic SIEM App

It has been quite a long time since I wrote my last blog post, as with everything, life gets in the way! But I have been spending some quiet time rebuilding my lab, and I have upgraded my ELK stack to 7.6, and I am totally blown away by how awesome the Elastic SIEM app is. So I thought I would put together a few blog posts about how to use it!

Prerequisites

  • You must be running 7.6 (duh)…
  • You must be running the basic license.
  • You must be running at a minimum basic authentication within your setup, between Kibana, Elastic, Logstash etc.
  • You must be running TLS on Elastic.


Enabling each one of these prereqs takes time, and if you are using your stack just for testing purposes and haven’t set up TLS or auth before, then good luck! You are in the lucky position I was last week, and welcome to 2 days of work…
However once you are done, you are ready to move on to the real good stuff…

The good stuff

We will use an example to aid in the instructions, this example is based on creating a detection for each time that there is a Windows Defender event ID 1116 – Malware Detected entry in my logs.

First you will need to open the Elastic SIEM app, and then click on “Detections”.

Once you are in the detections window, on the right hand side you will find “Manage signal detection rules”.

In this window “Signal detection rules”, you can see all the rules you currently have created, or imported. You can manage whether they are activated rules, and many other configuration changes can be done here.

To create a new rule click on “Create new rule”

Within the “Create new rule” section, the first thing you will need to do is to define the index you wish the rule to point at, and then the query you want the rule to run. In this example as I am splitting Defender into a separate index, I have chosen my “sd-defender” index, and then my query is written in KQL (Kibana query language). This query is set to use the ECS (elastic commond schema) field of event.code and will match when it finds event.code 1116. Once you have built this first part, click on “Continue”.

The 2nd stage of building a rule, is to add some more description to the rule…

Here you can name the rule, and write a description of what it is/does. You also assign a “Severity” from low to critical, and a “Risk score” from 0-100. In this case I have chosen “Severity” = High and “Risk score” of 75. When you have finished in this section, click on “Continue”.

In this section you can also add some “Advanced settings”… Where you can supply some reference materials to the alert, if you created it from a blog post, or if it came from a Sigma rule, you could supply a URL here. You can also add some examples of false positives, and then also enrich the rule with some MITRE ATT&CK TTPS! In this example, we won’t add them. But I will be blogging again soon about how to do this part using Sigma rules!

The last part of rule creation, is the “Schedule rule” section. Here you can setup how often you would like the rule to run, and when it does run, how far back in time should it run. This is interesting because if you have just created a new rule, and you would like to see how it would have performed over the last days of logs, then you can adjust that setting here. When you are done setting up the schedule, you can then choose to simply “Create rule without activating it” or “Create and activate rule”, both options are pretty self explanatory!

Once the rule is created, we can try to provoke it and see how it turns out… If you head back to the “Detections” page of the SIEM app. In my example, I am lucky because it is my lab and there is nothing else going on…

Now we will trigger a malware detected alarm, by downloading the EICAR test file to one of my lab machines.

BINGO!

And here is the alert landing in the “Signals” pane, from here we can then begin investigation. Right now there is not very much information about how these alerts will then make it to the attention of someone not using the SIEM app directly. But the SIEM app has some incredible offering here, for free! I have also added a bonus item on how to extract the alerts out to case management tools, slack, etc etc.

Bonus bonus bonus

If you want to extract the alerts out of the SIEM app, you can use a tried a tested tool “Elastalert”. The SIEM app uses a system index called “.siem-signals-default-00001”. This index can be read via Elastalert and the alerts can make it out to your SOC team!

Building Your Own Blue Team Lab

Introduction

Every blue team member should spend some time investing in building their own lab setup. It can be a great and fun learning experience, where you pickup some “low hanging fruit” skills. Hopefully comíng out with something you will continue to use and develop over the rest of your InfoSec career.

Having your own lab, allows you to quickly test theories and detection methods. It can be adapted to support any usecase you need, your only limit is your own imagination….

How does it look?

The lab is designed to work as follows…. You add an IoC to an event within MISP, this is then distributed to the black list’s on your prevention tools. At the same time, this IoC is used to alert based on logs coming into ElasticSearch. The IoC will be added to an ElastAlert rule, which then takes care of searching back through the ElasticSearch logs for previous activity. ElastAlert needs somewhere to send its alerts to and this is where The Hive comes into play…. Sounds simple right?

Open source is the only way…

The Security Distractions lab is only based on Open Source tools, so your only investment if you decide to build this, will be your own time! It can be used for production with a few modifications…

Over the next few blog posts, we will go into each tool and their integration points. We promise to try to keep it exciting!

But how will I run the lab?

This lab can be built using whatever method you want… We will supply the configuration files for each tool where needed, but it is up to you how it is run. I like to run using VM’s but others are obssessed with Docker. So it is about using whatever you feel most comfortable with. For those planning on using VM’s, the first post will be about VirtualBox, so you can get started…. If you’re using Docker, then ummm…… You’re on your own!

All configuration files will be found over on our GitHub page:- https://github.com/securitydistractions