How to Elastic SIEM (part 2)

Maciej Szymczyk
ITNEXT

This is a continuation of the previous story. This time we will look at the Detections tab in Elastic SIEM. Our goal is to automate IOC detection using proven rules. As a reminder: we installed Elasticsearch and Kibana on one of the VMs. We monitor an Ubuntu VM (Auditbeat, Filebeat, Packetbeat) and a Windows 10 VM (Winlogbeat), although in this story we will focus on Windows.

How to unlock Detections in Elastic SIEM?

We have to:

  • Secure Elasticsearch to Kibana communication with TLS
  • Enable xpack.security in Elasticsearch
  • Set xpack.encryptedSavedObjects.encryptionKey in Kibana

Securing Elasticsearch

In this case we have a single-node Elasticsearch cluster, so all we need to do is add the following line at the end of /etc/elasticsearch/elasticsearch.yml:

xpack.security.enabled: true

and restart the Elasticsearch service

service elasticsearch restart
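The edit above is a one-liner when done by hand, but appending blindly on a second run leaves two copies of the key, which Elasticsearch rejects at startup. The script below is an added example (not from the article or from Elastic): it sets a key in a YAML settings file idempotently, replacing an existing commented or uncommented line instead of appending a duplicate, and it can be used for the Kibana encryptionKey setting from the checklist as well. The sample elasticsearch.yml and kibana.yml contents are constructed here, written to a temporary directory rather than /etc, and the encryption key value is a placeholder; auth_required is a post-restart check that expects an anonymous request to get HTTP 401 once security is enforced.

```shell
#!/bin/sh
# Added example: idempotently set "KEY: VALUE" in an Elasticsearch/Kibana YAML
# settings file, then verify the result. Not code from the article.
set -eu

# set_setting FILE KEY VALUE
# Replaces an existing "KEY: ..." line (commented out or active) or appends one,
# so running it twice never produces a duplicate key.
set_setting() {
  file=$1; key=$2; value=$3
  esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')   # dots are literal in the key
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*:" "$file"; then
    # sed -i differs between GNU and BSD, so write through a temp file instead
    tmp=$(mktemp)
    sed -E "s|^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*:.*|${key}: ${value}|" "$file" > "$tmp"
    mv "$tmp" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# get_setting FILE KEY -> prints the value of the active KEY line (empty if absent)
get_setting() {
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -E "^[[:space:]]*${esc}[[:space:]]*:" "$1" | head -n1 | sed -E 's/^[^:]*:[[:space:]]*//'
}

# count_keys FILE KEY -> number of active KEY lines; anything other than 1 is a problem
count_keys() {
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -Ec "^[[:space:]]*${esc}[[:space:]]*:" "$1" || true
}

# auth_required URL -> succeeds only if the cluster answers 401 to an anonymous
# request, i.e. xpack.security is actually enforced after the restart.
# Not called below because it needs a running cluster; run it by hand, e.g.
#   auth_required http://localhost:9200 && echo "security enforced"
auth_required() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  [ "$code" = "401" ]
}

# Demo on constructed files in a temp dir (the real paths are under /etc).
demo() {
  dir=$(mktemp -d)
  es="$dir/elasticsearch.yml"
  kb="$dir/kibana.yml"
  printf 'cluster.name: siem-lab\nnetwork.host: 0.0.0.0\n#xpack.security.enabled: false\n' > "$es"
  printf 'server.host: "0.0.0.0"\nelasticsearch.hosts: ["https://localhost:9200"]\n' > "$kb"

  set_setting "$es" xpack.security.enabled true
  set_setting "$es" xpack.security.enabled true          # second run: no duplicate
  set_setting "$kb" xpack.encryptedSavedObjects.encryptionKey '"<placeholder: 32+ random chars>"'

  echo "== $es"; cat "$es"
  echo "== $kb"; cat "$kb"
  echo "xpack.security.enabled = $(get_setting "$es" xpack.security.enabled) ($(count_keys "$es" xpack.security.enabled) line)"
  rm -rf "$dir"
}

demo
```

After the restart, an anonymous curl against port 9200 should now return 401 instead of the cluster banner; that is the quickest way to confirm the setting took effect. Note that once security is on, Kibana also needs credentials (elasticsearch.username and elasticsearch.password in kibana.yml) to talk to the cluster.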

Note: With a normal cluster it will not be so easy. You need to secure communication between…

Software Developer, Big Data Engineer, Blogger (https://wiadrodanych.pl), Amateur Cyclists & Triathlete, @maciej_szymczyk