SlideShare ist ein Scribd-Unternehmen logo

My Bro The ELK

Als PPTX, PDF herunterladen
Tripwire
Tripwire

Slides from Travis Smith Black Hat presentation. August 1 - 6 2015.

Technologie
1 von 28
My Bro The ELK Obtaining Security Context from Security Events Travis Smith tsmith@tripwire.com
• What is the problem? • Who is the Bro? • What is an ELK? • Beefing up the ELK • Making Your Bro the ELK Intelligent • Visualization w/ Kibana • Introducing the TARDIS framework Agenda
• I’m a lumberjack and I’m OK • 10+ years in security • Security Researcher at Tripwire
conn.log dhcp.log dnp3.log dns.log ftp.log http.log irc.log known_services.log modbus.log ius.log smtp.log snmp.log ssh.log ssl.log syslog.log tunnel.log intel.log notice.log
INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+ More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+ More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
Threat Intelligence Made Easy
98 Threat Feeds 800,000+ Indicators Critical Stack Agent
• Utilizing Custom Patterns • GROK Message Filtering • Adding Custom Fields • Adding Geo IP Data • Date Match • Using Translations for Threat Intel Logstash Filtering
filter { grok { match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" } } } Logstash Configuration
filter { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } /opt/logstash/custom_patterns/bro.rule 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Utilize Custom Patterns
filter { if [message] =~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } } Message Filtering 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Remove Capture Groups
filter { if [message] =~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } add_field => [ "rule_id", "291001" ] add_field => [ "Device Type", "IPSIDSDevice" ] add_field => [ "Object", "NetworkTraffic" ] add_field => [ "Action", "General" ] add_field => [ "Status", "Informational" ] } } } Add Custom Fields
filter { …..all normalization code above here…. geoip { source => "evt_dstip" target => "geoip_dst" database => “/etc/logstash/conf.d/GeoLiteCity.dat“ add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][longitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][latitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][city_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][continent_code]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][country_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][postal_code]}" ]} mutate { convert => [ "[geoip_dst][coordinates]", "float"] } } Geo IP New ElasticSearch Template Needed
GeoIP Template Update curl -XGET localhost:9200/_template/logstash {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip_dst":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … curl -XPUT localhost:9200/_template/logstash -d ‘….’
filter { ....all normalization code above here…. .…all GeoIP code here.... date { match => [ "start_time", "UNIX" ] } } Date Match
filter { ....all normalization code above here…. .…all GeoIP code here.... translate { field => "evt_dstip" destination => "tor_exit_IP" dictionary_path => '/etc/logstash/conf.d/torexit.yaml' } } • Run Scripts to update the YAML files on a regular basis • Logstash will check the YAML for updates every 300 seconds – Configurable by adding refresh_interval => numSeconds Threat Intel "162.247.72.201": "YES" "24.187.20.8": "YES" "193.34.117.51": "YES" torexit.yaml
Custom Fields: "Device Type" => "IPSIDSDevice" "Object" => "HTTP" "Action" => "General" "Status" => "Informational" Threat Intel Translations: "tor_exit_IP" => "YES" "malicious_IP" => "YES" Geo IP Data: "country_code2" => "RU" "country_code3" => "RUS" "country_name" => "Russian Federation" "continent_code" => "EU" "city_name" => "Moscow" "postal_code" => "121087" "latitude" => 55.75219999999999 "longitude" => 37.6156 "timezone" => "Europe/Moscow"
• Threat Analysis, Reconnaissance, & Data Intelligence System • Historical exploit/IOC detection • Time Lord of forensic log data • Available at https://github.com/tripwire/tardis • Demo at Arsenal Thursday @ 12:45 The TARDIS Framework
10.10.10.10- - [06/Aug/2015:05:00:38 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd“ 10.10.10.10- - [06/Aug/2015:05:00:39 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:40 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:41 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:42 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:43 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd"
• Use NSM With Log • Security Tools Are Better With Intelligence • Take Integrations to the Next Level With TARDIS Sound Bytes
Travis Smith tsmith@tripwire.com https://github.com/Tripwire/tardis https://github.com/TravisFSmith/MyBroElk Thank You

Empfohlen

Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceChristopher Gerritz
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Jared Atkinson
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 

Empfohlen

Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceChristopher Gerritz
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Jared Atkinson
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88
 
Mobile Analytics mit Elasticsearch und Kibana
Mobile Analytics mit Elasticsearch und KibanaMobile Analytics mit Elasticsearch und Kibana
Mobile Analytics mit Elasticsearch und Kibanainovex GmbH
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15Brian A. McHenry
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App FirewallBrian A. McHenry
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesGuglielmo Scaiola
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricataMrArora Arjuna
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No OneJared Atkinson
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014Puppet
 
elk_stack_alexander_szalonnas
elk_stack_alexander_szalonnaselk_stack_alexander_szalonnas
elk_stack_alexander_szalonnasAlexander Szalonnas
 

Weitere ähnliche Inhalte

Was ist angesagt?

[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88
 
Mobile Analytics mit Elasticsearch und Kibana
Mobile Analytics mit Elasticsearch und KibanaMobile Analytics mit Elasticsearch und Kibana
Mobile Analytics mit Elasticsearch und Kibanainovex GmbH
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesGuglielmo Scaiola
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricataMrArora Arjuna
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No OneJared Atkinson
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 

Was ist angesagt? (20)

[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
 
Mobile Analytics mit Elasticsearch und Kibana
Mobile Analytics mit Elasticsearch und KibanaMobile Analytics mit Elasticsearch und Kibana
Mobile Analytics mit Elasticsearch und Kibana
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Paranoia 2018: A Process is No One
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No One
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 

Andere mochten auch

Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014Puppet
 
"How about no grep and zabbix?". ELK based alerts and metrics.
"How about no grep and zabbix?". ELK based alerts and metrics."How about no grep and zabbix?". ELK based alerts and metrics.
"How about no grep and zabbix?". ELK based alerts and metrics.Vladimir Pavkin
 
ELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedTin Le
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaPrajal Kulkarni
 
Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.Prajal Kulkarni
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligencePriyanka Aash
 
Elk devops
Elk devopsElk devops
Elk devopsIdeato
 
Deploying E.L.K stack w Puppet
Deploying E.L.K stack w PuppetDeploying E.L.K stack w Puppet
Deploying E.L.K stack w PuppetColin Brown
 
Shipping & Visualize Your Data With ELK
Shipping & Visualize Your Data With ELKShipping & Visualize Your Data With ELK
Shipping & Visualize Your Data With ELKAdam Chen
 
Mastering Advanced Security Profiling Language (ASPL)
Mastering Advanced Security Profiling Language (ASPL)Mastering Advanced Security Profiling Language (ASPL)
Mastering Advanced Security Profiling Language (ASPL)Tripwire
 
Tripwire IP360 Learning Labs - Scanning the Hard to Reach Places
Tripwire IP360 Learning Labs - Scanning the Hard to Reach PlacesTripwire IP360 Learning Labs - Scanning the Hard to Reach Places
Tripwire IP360 Learning Labs - Scanning the Hard to Reach PlacesTripwire
 
5 Habits of Highly Effective Endpoint Threat Protection
5 Habits of Highly Effective Endpoint Threat Protection5 Habits of Highly Effective Endpoint Threat Protection
5 Habits of Highly Effective Endpoint Threat ProtectionTripwire
 
How to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security LiteracyHow to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security LiteracyTripwire
 
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...Tripwire
 
Industry Insights from Infosecurity Europe 2016
Industry Insights from Infosecurity Europe 2016Industry Insights from Infosecurity Europe 2016
Industry Insights from Infosecurity Europe 2016Tripwire
 
Advanced Vulnerability Scoring and Prioritization
Advanced Vulnerability Scoring and PrioritizationAdvanced Vulnerability Scoring and Prioritization
Advanced Vulnerability Scoring and PrioritizationTripwire
 
Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360Tripwire
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1 Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1Tripwire
 
Are You Prepared For More High-Impact Vulnerabilties?
Are You Prepared For More High-Impact Vulnerabilties?Are You Prepared For More High-Impact Vulnerabilties?
Are You Prepared For More High-Impact Vulnerabilties?Tripwire
 

Andere mochten auch (20)

Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
Got Logs? Get Answers with Elasticsearch ELK - PuppetConf 2014
 
elk_stack_alexander_szalonnas
elk_stack_alexander_szalonnaselk_stack_alexander_szalonnas
elk_stack_alexander_szalonnas
 
"How about no grep and zabbix?". ELK based alerts and metrics.
"How about no grep and zabbix?". ELK based alerts and metrics."How about no grep and zabbix?". ELK based alerts and metrics.
"How about no grep and zabbix?". ELK based alerts and metrics.
 
ELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learned
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and Kibana
 
Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.Null Bachaav - May 07 Attack Monitoring workshop.
Null Bachaav - May 07 Attack Monitoring workshop.
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
 
Elk devops
Elk devopsElk devops
Elk devops
 
Deploying E.L.K stack w Puppet
Deploying E.L.K stack w PuppetDeploying E.L.K stack w Puppet
Deploying E.L.K stack w Puppet
 
Shipping & Visualize Your Data With ELK
Shipping & Visualize Your Data With ELKShipping & Visualize Your Data With ELK
Shipping & Visualize Your Data With ELK
 
Mastering Advanced Security Profiling Language (ASPL)
Mastering Advanced Security Profiling Language (ASPL)Mastering Advanced Security Profiling Language (ASPL)
Mastering Advanced Security Profiling Language (ASPL)
 
Tripwire IP360 Learning Labs - Scanning the Hard to Reach Places
Tripwire IP360 Learning Labs - Scanning the Hard to Reach PlacesTripwire IP360 Learning Labs - Scanning the Hard to Reach Places
Tripwire IP360 Learning Labs - Scanning the Hard to Reach Places
 
5 Habits of Highly Effective Endpoint Threat Protection
5 Habits of Highly Effective Endpoint Threat Protection5 Habits of Highly Effective Endpoint Threat Protection
5 Habits of Highly Effective Endpoint Threat Protection
 
How to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security LiteracyHow to Improve Your Board’s Cyber Security Literacy
How to Improve Your Board’s Cyber Security Literacy
 
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
Vulnerability Management Reporting Treasures in Tripwire Security Intelligenc...
 
Industry Insights from Infosecurity Europe 2016
Industry Insights from Infosecurity Europe 2016Industry Insights from Infosecurity Europe 2016
Industry Insights from Infosecurity Europe 2016
 
Advanced Vulnerability Scoring and Prioritization
Advanced Vulnerability Scoring and PrioritizationAdvanced Vulnerability Scoring and Prioritization
Advanced Vulnerability Scoring and Prioritization
 
Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360Network Situational Awareness using Tripwire IP360
Network Situational Awareness using Tripwire IP360
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1 Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1
 
Are You Prepared For More High-Impact Vulnerabilties?
Are You Prepared For More High-Impact Vulnerabilties?Are You Prepared For More High-Impact Vulnerabilties?
Are You Prepared For More High-Impact Vulnerabilties?
 

Ähnlich wie My Bro The ELK

amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapalibuildersreviews
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
Python Network Programming – Course Applications Guide
Python Network Programming – Course Applications GuidePython Network Programming – Course Applications Guide
Python Network Programming – Course Applications GuideMihai Catalin Teodosiu
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
How Microsoft will MiTM your network
How Microsoft will MiTM your networkHow Microsoft will MiTM your network
How Microsoft will MiTM your networkBrandon DeVault
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
Monitoring with Syslog and EventMachine (RailswayConf 2012)
Monitoring with Syslog and EventMachine (RailswayConf 2012)Monitoring with Syslog and EventMachine (RailswayConf 2012)
Monitoring with Syslog and EventMachine (RailswayConf 2012)Wooga
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloYossi Sassi
 
from source to solution - building a system for event-oriented data
from source to solution - building a system for event-oriented datafrom source to solution - building a system for event-oriented data
from source to solution - building a system for event-oriented dataEric Sammer
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...in.security Ltd.
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 

Ähnlich wie My Bro The ELK (20)

amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdf
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
 
Stress test data pipeline
Stress test data pipelineStress test data pipeline
Stress test data pipeline
 
Python Network Programming – Course Applications Guide
Python Network Programming – Course Applications GuidePython Network Programming – Course Applications Guide
Python Network Programming – Course Applications Guide
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
How Microsoft will MiTM your network
How Microsoft will MiTM your networkHow Microsoft will MiTM your network
How Microsoft will MiTM your network
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
Monitoring with Syslog and EventMachine (RailswayConf 2012)
Monitoring with Syslog and EventMachine (RailswayConf 2012)Monitoring with Syslog and EventMachine (RailswayConf 2012)
Monitoring with Syslog and EventMachine (RailswayConf 2012)
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
from source to solution - building a system for event-oriented data
from source to solution - building a system for event-oriented datafrom source to solution - building a system for event-oriented data
from source to solution - building a system for event-oriented data
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
 
SIEM
SIEMSIEM
SIEM
 
Incident Response: SIEM
Incident Response: SIEMIncident Response: SIEM
Incident Response: SIEM
 

Mehr von Tripwire

Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't EnoughMind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't EnoughTripwire
 
Data Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data PrivacyData Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data PrivacyTripwire
 
Key Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsKey Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsTripwire
 
Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo Tripwire
 
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale PetersonTripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale PetersonTripwire
 
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through Tripwire
 
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase ColeTripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase ColeTripwire
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire
 
World Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest CelebrationWorld Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest CelebrationTripwire
 
Tripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key FindingsTripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key FindingsTripwire
 
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact ReportKey Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact ReportTripwire
 
The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!Tripwire
 
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT CollaborationIndustrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT CollaborationTripwire
 
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...Tripwire
 
Tripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key FindingsTripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key FindingsTripwire
 
A Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber MomentsA Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber MomentsTripwire
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTripwire
 
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key FindingsTripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key FindingsTripwire
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Defending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber AttacksDefending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber AttacksTripwire
 

Mehr von Tripwire (20)

Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't EnoughMind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
 
Data Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data PrivacyData Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data Privacy
 
Key Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsKey Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The Experts
 
Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo
 
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale PetersonTripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale Peterson
 
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
 
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase ColeTripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase Cole
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller
 
World Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest CelebrationWorld Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest Celebration
 
Tripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key FindingsTripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key Findings
 
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact ReportKey Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
 
The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!
 
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT CollaborationIndustrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
 
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
 
Tripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key FindingsTripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key Findings
 
A Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber MomentsA Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber Moments
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
 
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key FindingsTripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK Framework
 
Defending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber AttacksDefending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber Attacks
 

Kürzlich hochgeladen

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

My Bro The ELK

  • 1. My Bro The ELK Obtaining Security Context from Security Events Travis Smith tsmith@tripwire.com
  • 2. • What is the problem? • Who is the Bro? • What is an ELK? • Beefing up the ELK • Making Your Bro the ELK Intelligent • Visualization w/ Kibana • Introducing the TARDIS framework Agenda
  • 3. • I’m a lumberjack and I’m OK • 10+ years in security • Security Researcher at Tripwire
  • 4.
  • 5.
  • 7. INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+ More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
  • 8. INPUTS FILTERS OUTPUTS FILE TCP/UDP 40+ More GROK GEOIP TRANSLATE 30+ More ElasticSearch Syslog Email STDOUT STDIN 50+ More DATE
  • 9.
  • 10.
  • 12. 98 Threat Feeds 800,000+ Indicators Critical Stack Agent
  • 13. • Utilizing Custom Patterns • GROK Message Filtering • Adding Custom Fields • Adding Geo IP Data • Date Match • Using Translations for Threat Intel Logstash Filtering
  • 14. filter { grok { match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" } } } Logstash Configuration
  • 15. filter { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } /opt/logstash/custom_patterns/bro.rule 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Utilize Custom Patterns
  • 16. filter { if [message] =~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } } } } Message Filtering 291001 (?<start_time>d{10}.d{6})t(?<evt_srcip>[d.]+)t(?<evt_dstip>[d.]+)t(?<evt_srcport>d+)t… Remove Capture Groups
  • 17. filter { if [message] =~ /^((d{10}.d{6})t([d.]+)([d.]+)t(d+)t(d+)t(w+))/ { grok { patterns_dir => "/opt/logstash/custom_patterns" match => { message => "%{291001}“ } add_field => [ "rule_id", "291001" ] add_field => [ "Device Type", "IPSIDSDevice" ] add_field => [ "Object", "NetworkTraffic" ] add_field => [ "Action", "General" ] add_field => [ "Status", "Informational" ] } } } Add Custom Fields
  • 18. filter { …..all normalization code above here…. geoip { source => "evt_dstip" target => "geoip_dst" database => “/etc/logstash/conf.d/GeoLiteCity.dat“ add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][longitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][latitude]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][city_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][continent_code]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][country_name]}" ] add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][postal_code]}" ]} mutate { convert => [ "[geoip_dst][coordinates]", "float"] } } Geo IP New ElasticSearch Template Needed
  • 19. GeoIP Template Update curl -XGET localhost:9200/_template/logstash {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … {"logstash":{ "order":0, "template":"logstash-*", "settings":{ "index.refresh_interval":"5s" }, "mappings":{ "properties":{ "geoip_dst":{ "dynamic":true, "properties":{ "location":{ "type":"geo_point" } }, "type":"object" }, … curl -XPUT localhost:9200/_template/logstash -d ‘….’
  • 20. filter { ....all normalization code above here…. .…all GeoIP code here.... date { match => [ "start_time", "UNIX" ] } } Date Match
  • 21. filter { ....all normalization code above here…. .…all GeoIP code here.... translate { field => "evt_dstip" destination => "tor_exit_IP" dictionary_path => '/etc/logstash/conf.d/torexit.yaml' } } • Run Scripts to update the YAML files on a regular basis • Logstash will check the YAML for updates every 300 seconds – Configurable by adding refresh_interval => numSeconds Threat Intel "162.247.72.201": "YES" "24.187.20.8": "YES" "193.34.117.51": "YES" torexit.yaml
  • 22. Custom Fields: "Device Type" => "IPSIDSDevice" "Object" => "HTTP" "Action" => "General" "Status" => "Informational" Threat Intel Translations: "tor_exit_IP" => "YES" "malicious_IP" => "YES" Geo IP Data: "country_code2" => "RU" "country_code3" => "RUS" "country_name" => "Russian Federation" "continent_code" => "EU" "city_name" => "Moscow" "postal_code" => "121087" "latitude" => 55.75219999999999 "longitude" => 37.6156 "timezone" => "Europe/Moscow"
  • 23.
  • 24.
  • 25. • Threat Analysis, Reconnaissance, & Data Intelligence System • Historical exploit/IOC detection • Time Lord of forensic log data • Available at https://github.com/tripwire/tardis • Demo at Arsenal Thursday @ 12:45 The TARDIS Framework
  • 26. 10.10.10.10- - [06/Aug/2015:05:00:38 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd“ 10.10.10.10- - [06/Aug/2015:05:00:39 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:40 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:41 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:42 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd" 10.10.10.10- - [06/Aug/2015:05:00:43 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 525 "-" "() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd"
  • 27. • Use NSM With Log • Security Tools Are Better With Intelligence • Take Integrations to the Next Level With TARDIS Sound Bytes

Hinweis der Redaktion

  1. As the security maturity expands, so does complexity, costs, and data volumes
  2. -Typical logs collected are only the tip of the iceberg when it comes to analyzing threat data. Adding in session, packet string, and full packet captures is the best method to truly analyze threats against the organization. -Using a product like bro allows you to either analyze this information in real-time or in a post-mortem manner after a potential attack has occurred
  3. -Analyze network traffic in real-time or from packet captures -Application Layer analysis -Brogramming scripts to analyze protocol and application data, looking for suspicious activity -Ability to do SIEM type correlation
  4. -Use Logstash (or other LM products like TLC or Splunk) to ingest, normalize, and store data. -44 Inputs -40 Filters -54 Outputs
  5. -Use Logstash (or other LM products like TLC or Splunk) to ingest, normalize, and store data. -44 Inputs -40 Filters -54 Outputs
  6. -Cool visualizations with kibana to expose key data -Lots of information, but what does it mean
  7. -Collection of tons of valuable data, but what do we do with it all? -It’s not big data, it’s obese data -Looking for a needle in a pile of needles
  8. -Critical Stack for Bro makes starting out with Threat Intelligence incredibly easy. -Install the agent and automatically pull data that generates bro scripts from threat intel providers
  9. Single command to pull from 98 threat feeds which contain over 800k IoC’s
  10. -What a basic normalization rule looks like
  11. -Take the Oniguruma syntax out of the conf file and put it in a log file for each device in a custom patterns directory. -Makes management of normalization/parsing rules easier -Allows us to utilize add_field to our advantage
  12. We’ll need to filter each message to apply the add_field -Take the Oniguruma syntax and remove the column mappings to expose raw regex code
  13. -Add custom fields to find relevant data quickly in Kibana -Adding a rule ID will allow us to optimize the normalization engine in logstash by exposing the most commonly parsed logs in your environment
  14. -Get a copy of a GeoLiteCity database file and place it on the server -Reference an normalized IP address field in the source field -Create a new field in the target field to place all the GEO IP data in -Choose from a bunch of geo IP fields
  15. Not necessary when collecting logs in real time When you read pcap files and normalize the logs, this will take the timestamp from the log file, which bro uses from the PCAP file
  16. Use this for tor exit node IP’s, malicious IP’s, command and control servers, file hashes, etc. -Python scripts available to pull data and generate YAML files, only downside is it requires a restart of logstash to use the new YAML files -Translate plugin is a community-maintainted plugin, so you need to install it before adding it to the config file.
  17. -With the GEO IP we can now build maps with the data collected from BRO. -We can also start generating reports on known malicious IP’s, file hashes, etc. -Historograms can help pinpoint malicious activity, as seen here by a spike in malicious traffic around 11:25
  18. -Take a STIX/Cybox Artifact, convert it into a supported search string, and generate evidence of exloitation/attack from those signatures. -Can take this further, which we do internally by integrating with vulnerability management, FIM, threat intel, etc.