
Friday, March 3, 2017

Building a Sysmon Dashboard with an ELK Stack
Threat Hunting is FINALLY a hot topic, and in the past couple of months the security community has been sharing amazing resources on how to hunt with the help of open source tools. One in particular that has gotten a lot of attention for endpoint visibility is Sysmon, and with the capabilities added in version 6, hunting even for named pipe pivoting has become easier.

A few projects that I have read recently are awesome, and I highly recommend taking a look at them:



Some of the things that I love most about the projects out there are the different ways Sysmon configs are being put together and how data is being consolidated and presented for hunting campaigns. Therefore, in this post, I will show you how you can also create your own Sysmon dashboard, but with the help of an ELK stack. This will help you tune your initial Sysmon configuration and get a good overview of what you can see and hunt for in your lab. If you haven't yet read my previous series "Setting up a Pentesting... I mean, a Threat Hunting Lab", I recommend doing so before continuing (at least, for the purpose of this post, read and follow the steps in Part 5 & Part 6 in order to be ready to build your dashboard).




Current Kibana view


If you already have an ELK Stack running and Sysmon logs being forwarded to it, then figure 1 below will look very familiar to you. Even though this view allows you to start running a few queries to create chains of events and detect suspicious activity in your network, it does not give you a high-level overview of what is actually happening in your environment. I like to know my top events in order to filter out noise and detect the abnormal. Therefore, I will show you how you can create visualizations of specific events and add them to a dashboard.



Figure 1. Kibana default discover view.





Building a Sysmon Dashboard


Creating Visualizations


To get started, click on the option "Visualize" on the left panel. Next, you will have two options to choose from:

  • Create New Visualization - shows the different types that you can use to present your data
  • Open a Saved Visualization

Since this is our first visualization, we will have to select the specific type we want to create. Make sure you review the Kibana User Guide - Creating a Visualization during this section to have a better understanding of each visualization type.



Figure 2. Visualize options.




I like to use Data Tables because they are really flexible for showing long strings of data and a large number of events in a small graph. Data Tables display the raw data of a composed aggregation. Click on Data Table to create one.



Figure 3. Creating a Data Table.




We are creating all of our visualizations from scratch, so select the index that you want to use for it. In my case, I selected my only index, winlogbeat-*.



Figure 4. Creating a Data Table. 




Next, you will get a plain visualization template which you will use to create your own. The main thing we need to do is select the data field that we want to use for this table, but first we have to select a bucket type. The rows of the data table are called buckets. You can define buckets to split the table into rows or to split the table into additional tables [Source]. Select the Split Rows bucket type.



Figure 5. Creating a Data Table.




Buckets support aggregations. Select the aggregation type "Terms". A terms aggregation enables you to specify the top or bottom n elements of a given field to display, ordered by count or a custom metric [Source].



Figure 6. Creating a Data Table. 




Next, select the field that you want to use for the visualization. For this first exercise, I chose the CommandLine field as shown in figure 8. One important thing to mention is that I use Keyword data fields (Keyword Analyzers) because they return the entire string as a single token [Source]. For example, I chose event_data.CommandLine.keyword.



Figure 7. Creating a Data Table.





Figure 8. Creating a Data Table.




Then set the number of values that you want to show. By default the data will be ordered "Descending". If you set the size to 25, it will show you the Top 25 values. Let's set it to 10 for this exercise.



Figure 9. Creating a Data Table. 




Figure 10. Creating a Data Table.




Next, you can also adjust the number of values you want to show per page. This will depend on how much space you want to use for your data table. I always set it to 4 to fit several data tables in one dashboard.



Figure 11. Creating a Data Table.






Figure 12. Creating Data Table.




Apply the changes to your visualization by clicking on the blue triangle to the right of "Options" as shown in figure 13 below.



Figure 13. Creating a Data Table.




Now you will see events showing on the right side of your visualization console: four values per page and two pages in the last 15 minutes.



Figure 14. Creating a Data Table.




Save your visualization by clicking on the option Save. Give it a name and click Save. You will get a dark green confirmation message as shown in figure 18 below.



Figure 15. Saving Data Table.





Figure 16. Saving Data Table.





Figure 17. Saving Data Table.





Figure 18. Saving Data Table.





Creating a new Dashboard


Click Dashboard in the side navigation. If you haven't previously viewed a dashboard, Kibana displays an empty dashboard [Source]. Click Add in the menu bar to add your saved visualization to it.



Figure 19. Creating a Dashboard




As you can see, our Top 10 Command Line visualization is the only one available. Click on it and it will be added to your dashboard.



Figure 20. Creating a Dashboard.




Figure 21. Adding visualization to dashboard.




Next, you can save your dashboard with your first visualization by clicking on "Save". Give your dashboard a name and, if you want it to always open with a specific time range, set the desired time range and tick the "Store time with dashboard" checkbox as shown in figure 26 below.



Figure 22. Saving new dashboard.





Figure 23. Saving new dashboard.





Figure 24. Saving a new dashboard.





Figure 25. Adjusting Time Range for new Dashboard.





Figure 26. Saving dashboard with option "Store time with dashboard".





Figure 27. Saving new dashboard. 





Creating a new visualization for our new dashboard


Let's create a different visualization. Let's select a Pie Chart.


Figure 28. Creating a Pie Chart.





  • Select the data field that you want to use in the visualization
  • Set the number of values to show in the data table
  • Apply Changes



Figure 29. Creating a Pie Chart.




As you can see in figure 29 above, there is an event id (4656) that does not belong to Sysmon. This is because I am also sending Windows event logs to my ELK stack. An easy fix is to use the search bar and run a query to show only source_name:"Microsoft-Windows-Sysmon". That will make your visualization work only with the results of your query, which will be only Sysmon logs.



Figure 30. Creating a Pie Chart.




Next, you can use the Options button to change the shape of your graph. I always like to set it to the Donut style. Then you can save your visualization and add it to your new dashboard the same way we did before with our Data Table.



Figure 31. Creating a Pie Chart.





How can I exclude specific values in my visualization?


In figure 32 below, my top destination IP value is 172.18.39.103, and the problem with it is that the IP belongs to my own ELK server. Therefore, I need to filter that value out in my visualization. You have 2 options:

  • Add exclusions in your Sysmon config (recommended - best practice)
  • Create/apply a filter to your visualization (good exercise for you)



Figure 32. Excluding values in visualization.




For the purpose of this exercise:

  • Click on the value you want to filter out; this will actually set a filter that only shows that value by default
  • Hover over the filter that you just created below the search bar
  • Select the (-) magnifying glass and you will see that the filter turns red, which means that the value is now being filtered out



Figure 33. Excluding values in visualization.





Figure 34. Excluding values in visualization.





Figure 35. Excluding values in visualization.
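As an added example that is not part of the original post, here is what the Kibana GUI steps above amount to as a raw Elasticsearch request: the Terms aggregation on event_data.CommandLine.keyword (size 10), the search-bar query source_name:"Microsoft-Windows-Sysmon", and the negated filter pill that excludes the ELK server's IP, plus the 4-per-page paging of the Data Table. The request shapes (query_string for the search bar, match_phrase in must_not for a negated pill) are what Kibana 5 generates as I understand it; the field name event_data.DestinationIp and the sample response are assumptions/constructed, not data from the post.

```python
"""Added example: build and read back the Elasticsearch request behind a
Kibana "Top N" Data Table. Not code from the post; the sample response is
constructed and event_data.DestinationIp is an assumed winlogbeat field."""
from typing import Dict, List, Sequence, Tuple

# The query typed in the Kibana search bar to keep only Sysmon events
SYSMON_QUERY = 'source_name:"Microsoft-Windows-Sysmon"'


def top_n_request(field: str, size: int = 10, query: str = SYSMON_QUERY,
                  exclude: Sequence[Tuple[str, str]] = ()) -> Dict:
    """Request body for a Terms aggregation on `field`, top `size` by count.

    `query` is search-bar syntax (query_string); `exclude` lists (field, value)
    pairs that become must_not match_phrase clauses, which is what negating a
    filter pill with the (-) magnifier does. Pass the .keyword sub-field so a
    whole command line is one bucket instead of being split into tokens.
    """
    return {
        "size": 0,  # aggregation only, no individual hits
        "query": {
            "bool": {
                "must": [{"query_string": {"query": query}}],
                "must_not": [{"match_phrase": {f: v}} for f, v in exclude],
            }
        },
        "aggs": {
            "top_values": {
                "terms": {"field": field, "size": size,
                          "order": {"_count": "desc"}}
            }
        },
    }


def read_top_n(response: Dict) -> List[Tuple[str, int]]:
    """Flatten the terms-aggregation response into (value, count) rows."""
    buckets = response["aggregations"]["top_values"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets]


def paginate(rows: List, per_page: int = 4) -> List[List]:
    """Split rows into pages, like the Data Table's "per page" option."""
    return [rows[i:i + per_page] for i in range(0, len(rows), per_page)]


# Constructed response in the shape Elasticsearch returns for a terms agg;
# the command lines are made-up lab noise, not data captured from the post.
SAMPLE_RESPONSE = {
    "hits": {"total": 37},
    "aggregations": {
        "top_values": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "doc_count": 14},
                {"key": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c winlogbeat.yml", "doc_count": 9},
                {"key": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "doc_count": 6},
                {"key": "\"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all", "doc_count": 3},
                {"key": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile", "doc_count": 3},
                {"key": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "doc_count": 2},
            ],
        }
    },
}

if __name__ == "__main__":
    import json
    body = top_n_request("event_data.CommandLine.keyword",
                         exclude=[("event_data.DestinationIp", "172.18.39.103")])
    print(json.dumps(body, indent=2))  # paste into Dev Tools / curl against winlogbeat-*
    for page_no, page in enumerate(paginate(read_top_n(SAMPLE_RESPONSE)), 1):
        print(f"page {page_no}")
        for value, count in page:
            print(f"  {count:5d}  {value}")
```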





Creating all the needed visualization for our Sysmon Dashboard


Total Sysmon Events - Metric Visualization


By selecting the winlogbeat-* index, the Metric visualization will count all the events in our index. If you want only Sysmon logs, make sure you run a query for source_name:"Microsoft-Windows-Sysmon" as shown in figure 36 below.



Figure 36. Sysmon Metrics.





Sysmon Event IDs - Pie Chart Visualization



Figure 37. Sysmon Event IDs.





Registry Event Types - Pie Chart Visualization




Figure 38. Registry Event Types.





Top 10 Granted Access Codes - Pie Chart Visualization 




Figure 39. Granted Access Codes.





Top 10 Destinations - Pie Chart Visualization




Figure 40. Destination IPs.





Top 10 Destination Ports - Pie Chart Visualization




Figure 41. Destination Ports.





Top 10 Parent Processes - Data Table Visualization




Figure 42. Parent Processes.





Top 10 Processes - Data Table Visualization




Figure 43. Processes.





Top 10 Command Line - Data Table Visualization




Figure 44. Command Line.





Top 10 Pipe names - Data Table Visualization




Figure 45. Pipe Names.





Top 10 Source Images - Data Table Visualization




Figure 46. Source Images.





Top 25 Images loaded - Data Table Visualization




Figure 47. Images Loaded.





Top 10 Registry Objects - Data Table Visualization




Figure 48. Registry Objects.





Top 10 Files Created - Data Table Visualization




Figure 49. Files Created.





How do I delete visualizations?


  • In the dashboard console click Add and select the option "Manage Visualizations"
  • Click on the checkbox of the visualization as shown in figure 51
  • Select the option "Delete"
  • Confirm that you are deleting the visualization 




Figure 50. Add visualizations console.





Figure 51. Selecting the visualization.





Figure 52. Deleting visualization - Confirmation.





Figure 53. Visualizations.




All the visualizations needed for our Sysmon Dashboard




Figure 54. Visualizations ready.





Saved visualizations added to our Sysmon Dashboard




Figure 55. Sysmon Dashboard.





How do I clean my dashboard or Index?


Stop the Winlogbeat service on your endpoints to stop them from sending logs to your ELK server.



Figure 56. Stopping Winlogbeat service.




On your ELK server, delete your index by using the following command:

curl -XDELETE 'localhost:9200/winlogbeat-*?pretty'

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-delete-index.html 



Figure 57. Deleting Index.




Refresh your Discover view and your dashboard. You will see that there are no records available.



Figure 58. Clean Index.




Figure 59. Clean Dashboard.




Start sending logs back to your ELK Stack


Start the Winlogbeat service on your endpoints and refresh your Discover view and dashboard.



Figure 60. Starting Winlogbeat service.





Figure 61. Discover view.






Final Sysmon Dashboard




Figure 57. Final Sysmon Dashboard.




That's it! In my next posts I will be using the same approach to start creating targeted dashboard hunts for different TTPs. 



Feedback is greatly appreciated!  Thank you.


57 comments:

  1. Your ELK series is fantastic and exactly what I was looking for!!

    Replies
    1. Hey Marcus! Thank you for the feedback man. I am glad to hear that it is helpful. I will be adding some basic data science concepts/techniques to play with the data from Elasticsearch soon :)

  2. Great post Roberto! Thanks for creating this. Some feedback: I think these posts may be easier to follow if they were a collection of 1 or more short narrated videos instead.

  3. Thanks for the very interesting article. Will the amount of events and data indexed be a problem?

  4. Great tutorials! I wish you could add some new ones on how to add for e.g. Bro, Snort or something like that so we have also some NIDS in place.

    Do you plan perhaps on a tutorial like that?
    I have tried following some other ones, but could not configure Bro through Filebeat. I cannot get data into Elasticsearch, although it recognizes the Logstash index pattern, but when I try to query some Bro-specific logs there are no results.

  5. State of the art, thanks for sharing.