Hello, and welcome to our new article on alerting in a SOCaaS solution. As everyone knows, alerts play a crucial role in any SOC by notifying the response team.
They can interrupt the cyber attack chain or track the attack, depending on the strategy of the company and the team. You may be wondering why we need to include more alerting. Isn't enabling the Open Distro Alerting module enough? The reason is that it offers too few outputs and lacks integration with other solutions such as TheHive. We will introduce you to another option.
This article is divided into the following sections:
* Installing and configuring ElastAlert, ElastAlert-Server and Praeco
* Creating rules
1- ElastAlert, ElastAlert-Server Praeco:
1.1 :
A-
— Praeco: , Slack, , Telegram, Jira.
Praeco , , , Kibana (KQL).
— ElastAlert — , Elasticsearch. Elasticsearch : . Elasticsearch , , , . , , .
— Sigma: Sigma — , . , . — , .
B- :
cd /etc
git clone https://github.com/Yelp/elastalert.git
git clone https://github.com/ServerCentral/elastalert-server.git
git clone https://github.com/ServerCentral/praeco.git
URL-: https://github.com/ServerCentral/praeco
1.2- Elastalert:
cd /etc/elastalert
mkdir rules rule_templates
cp config.yaml.example config.yaml
nano config.yaml
elastalert config.yaml :
es_host: localhost
writeback_index: elastalert_status
rules_folder
rules
. python 2.7, 3.6.
A- python3.6 Ubuntu:
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.6
B- Python:
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1   # priority argument is required; 1 and 2 are assumed values
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
C- Python :
sudo update-alternatives --config python
python3.6
python3.6
D-Install pip3:
sudo apt install python3-pip
E- PyYAML ( 5.1):
pip install PyYAML==5.1
F- elastalert
cd /etc/elastalert
pip3 install "setuptools>=11.3"
python setup.py install
G- :
cd /usr/local/bin/
./elastalert-create-index
ES Host : localhost
ES Port : 9200
Use ssl : t
Verify ssl :f
ES_username: admin ES_password: admin.
1.3- API:
API /etc/elastalert-server/config/config.json :
- elastalert elastalertPath:
/etc/elastalert
- elasticsearch es_host: elasticsearch
- writeback_index config.yaml: elastalert_status
A- (No Data):
, , _type elastalert. 7.x, , _type _doc.
, ( Praeco ) No Data.
, :
cd /etc/elastalert-server/src/handlers/metadata/
nano get.js
, : «elastalert»,
praeco.
B- Elastalert-Server:
sudo npm install
sudo npm run start
, . - (SSL_verify = False).
1.4- Praeco:
A- :
cd /etc/praeco/config
nano api.config.json
nano elastalert.yml
B- Praeco:
sudo npm install
export PRAECO_ELASTICSEARCH=localhost
C- BaseRule.cfg:
cp /etc/praeco/rules/BaseRule.config /etc/elastalert/rules/
Slack, SMTP Telegram.
URL- Slack Webhook, 2.
cd /etc/elastalert/rules/
nano BaseRule.config
URL- Webhook
D- Praeco:
npm run serve
, http://yourServerIP:8080.
Praeco
2- :
2.1.- Praeco Slack webhook:
(Rules) -> (Add Rule):
, Open Distro Alerting Tool, .
UNFILTERED .
Close
Slack URL- -, 2, (#test).
Save
, Slack.
2.2- ElastAlert TheHive
, Praeco TheHive, elastalert-server.
Elastalert-server, Praeco, , , Praeco.
A- : «User_creation»:
-, Praceo, , URL- HTTP, .
, Save.
B- Thehive:
TheHive, Elastalert-Server
/etc/elastalert/rules
nano User_creation.yml
C. Praeco
Hive
, , Praeco, /etc/elastalert/rules
D- TheHive:
2.3- Sigma :
, Sigma , Elastalert.
URL : https://github.com/Neo23x0/sigma.git
A- Sigma
cd ~
git clone https://github.com/Neo23x0/sigma.git
B-
cd ~/sigma/tools
pip3 install -r requirements.txt
( ) ( ):
./sigmac -t elastalert -c winlogbeat ../rules/windows/builtin/win_user_creation.yml
, (Praeco / Elastalert-Server) - .
, ( ) Praeco .
, .
: (Kibana → Discover Interface) , , . , , « ».
2.4- Wazuh theHive:
, , wazuh, wazuh praeco, , Hive:
A. wazuh :
rule.id ( ).
wazuh → Overview → Security events.
B- elastalert-server:
nano /etc/elastalert/wazuh-alert-TEST.yaml
C- :
. , , . .
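Constructed example, added here and not from the article: a Python helper that builds the rule file described in section 2.4 (one Wazuh rule.id forwarded to TheHive through ElastAlert's hivealerter, the same hive section that section 2.2 adds to User_creation.yml) and lints it before it is dropped into /etc/elastalert/rules. The required-key lists, the host, the API key placeholder and the index pattern are assumptions; write the dict out with PyYAML (yaml.safe_dump) to get the .yaml file ElastAlert-Server loads.

```python
# Constructed example (not the article's own file): build and lint an ElastAlert
# rule that forwards one Wazuh rule.id to TheHive through the hivealerter.
REQUIRED_KEYS = ("name", "type", "index", "filter", "alert")      # every ElastAlert rule
HIVE_CONN_KEYS = ("hive_host", "hive_port", "hive_apikey")        # hivealerter connection
HIVE_ALERT_KEYS = ("title", "type", "source", "description", "severity", "tlp")


def build_wazuh_hive_rule(rule_id, hive_host, hive_apikey, index="wazuh-alerts-*"):
    """Rule dict for the wazuh-alert-TEST.yaml case: match one Wazuh rule.id and
    open a TheHive alert per hit. Host, key and index name are placeholders.
    {match[...]} placeholders are expanded by ElastAlert from the matching document."""
    return {
        "name": "wazuh-rule-%s-to-thehive" % rule_id,
        "type": "any",                                  # alert on every matching document
        "index": index,
        "filter": [{"term": {"rule.id": str(rule_id)}}],
        "alert": ["hivealerter"],
        "hive_connection": {
            "hive_host": hive_host,
            "hive_port": 9000,                          # TheHive default port
            "hive_apikey": hive_apikey,                 # placeholder; keep real keys out of git
        },
        "hive_alert_config": {
            "title": "Wazuh rule {match[rule][id]}: {match[rule][description]}",
            "type": "external",
            "source": "elastalert",
            "description": "{match[full_log]}",
            "severity": 2,                              # TheHive: 1 low, 2 medium, 3 high
            "tags": ["wazuh", "elastalert"],
            "tlp": 3,
        },
        "hive_observable_data_mapping": [{"ip": "{match[agent][ip]}"}],
    }


def validate_rule(rule):
    """Return a list of problems (empty = looks loadable). Catches the mistakes
    that otherwise only show up when ElastAlert-Server restarts and rejects the file."""
    problems = ["missing required key: %s" % k for k in REQUIRED_KEYS if k not in rule]
    if not isinstance(rule.get("filter"), list):
        problems.append("filter must be a list of query clauses")
    if "hivealerter" in rule.get("alert", []):
        conn = rule.get("hive_connection") or {}
        problems += ["hive_connection.%s is missing or empty" % k
                     for k in HIVE_CONN_KEYS if not conn.get(k)]
        cfg = rule.get("hive_alert_config") or {}
        problems += ["hive_alert_config.%s is missing" % k for k in HIVE_ALERT_KEYS if k not in cfg]
        if cfg.get("severity") not in (1, 2, 3):
            problems.append("hive_alert_config.severity must be 1, 2 or 3")
    return problems
```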