ELK, a SIEM from Open Source, Open Distro: Alerting

Hello, and welcome to our new article on alerting in a SOCaaS solution. As everyone knows, alerting plays a vital role in any SOC by notifying the response team.



Depending on the strategy of the company and of the team, they can break the cyber attack chain or track the attack. You may be wondering why we need to add more alerting. Isn't the Open Distro alerting module enough? It is not, because it lacks a sufficient number of outputs and lacks integration with other solutions such as TheHive. We will introduce you to another option.








This article is divided into the following sections:



* Installing and configuring ElastAlert, ElastAlert-Server and Praeco



* Creating rules



1- ElastAlert, ElastAlert-Server and Praeco:



1.1 :



A-



Praeco: , Slack, , Telegram, Jira.



Praeco , , , Kibana (KQL).



ElastAlert — , Elasticsearch. Elasticsearch : . Elasticsearch , , , . , , .






Sigma: Sigma — , . , . — , .



B- :



cd /etc
git clone https://github.com/Yelp/elastalert.git
git clone https://github.com/ServerCentral/elastalert-server.git
git clone https://github.com/ServerCentral/praeco.git


URL-: https://github.com/ServerCentral/praeco



1.2- Elastalert:



cd /etc/elastalert
mkdir rules rule_templates
cp config.yaml.example config.yaml
nano config.yaml


elastalert config.yaml :



es_host: localhost



writeback_index: elastalert_status



rules_folder: rules
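For reference, here is a complete config.yaml that combines the three settings above with the SSL and basic-auth options ElastAlert also accepts (added example, not the article's own file; the run_every, buffer_time and alert_time_limit values are assumptions, and the admin/admin account is the Open Distro default that should be changed before production use):

```yaml
# /etc/elastalert/config.yaml - added example, not the article's file.
# Values marked "assumed" are not taken from the article.
rules_folder: rules                 # relative to /etc/elastalert, i.e. /etc/elastalert/rules
run_every:
  minutes: 1                        # assumed: how often ElastAlert queries Elasticsearch
buffer_time:
  minutes: 15                       # assumed: window of data re-queried on each run

es_host: localhost
es_port: 9200
use_ssl: True                       # Open Distro serves its REST port over TLS by default
verify_certs: False                 # demo certificate is self-signed; set True with a real CA
es_username: admin                  # Open Distro default credentials, change them in production
es_password: admin

writeback_index: elastalert_status  # ElastAlert keeps its own state and alert history here
alert_time_limit:
  days: 2                           # assumed: keep retrying failed alert deliveries for 2 days
```

With verify_certs set to False ElastAlert still encrypts the connection but does not check who it is talking to; that is acceptable on a lab box, not on a shared network.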





. python 2.7, 3.6.





A- python3.6 Ubuntu:



sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.6


B- Python:



sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2


C- Python :



update-alternatives --config python


python3.6





python3.6



D- Install pip3:



sudo apt install python3-pip


E- PyYAML ( 5.1):



pip install PyYAML==5.1


F- elastalert



cd /etc/elastalert
pip3 install "setuptools>=11.3"
python setup.py install


G- :



cd /usr/local/bin/
./elastalert-create-index




ES Host: localhost
ES Port: 9200
Use ssl: t
Verify ssl: f


ES_username: admin ES_password: admin.








1.3- API:



API /etc/elastalert-server/config/config.json :



  • elastalert elastalertPath: /etc/elastalert
  • elasticsearch es_host: elasticsearch
  • writeback_index config.yaml: elastalert_status




A- (No Data):



, , _type elastalert. 7.x, , _type _doc.



, ( Praeco ) No Data.



, :



cd /etc/elastalert-server/src/handlers/metadata/
nano get.js


, : «elastalert»,



praeco.







B- Elastalert-Server:



sudo npm install
sudo npm run start


, . - (SSL_verify = False).





1.4- Praeco:



A- :



cd /etc/praeco/config
nano api.config.json




nano elastalert.yml






B- Praeco:



sudo npm install
export PRAECO_ELASTICSEARCH=localhost


C- BaseRule.cfg:






cp /etc/praeco/rules/BaseRule.config /etc/elastalert/rules/


Slack, SMTP Telegram.



URL- Slack Webhook, 2.



cd /etc/elastalert/rules/
nano BaseRule.config


URL- Webhook





D- Praeco:



npm run serve


, http://yourServerIP:8080.



Praeco





2- :



2.1.- Praeco Slack webhook:



(Rules) -> (Add Rule):





, Open Distro Alerting Tool, .



UNFILTERED .



Close





Slack URL- -, 2, (#test).









Save







, Slack.
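Praeco writes the rule it builds in the UI into the ElastAlert rules folder as a YAML file. The following is an added example of what such a rule looks like when written by hand, so the Slack settings can be checked or adjusted outside the UI; it is not a file from the article or from the Praeco project. The index pattern, the Winlogbeat field names and the thresholds are assumptions about the reader's data, and the webhook URL is a placeholder:

```yaml
# /etc/elastalert/rules/user_creation_slack.yaml - added example, not from the article.
name: User_creation_slack
type: frequency               # fire when num_events matches occur inside timeframe
index: winlogbeat-*           # assumed index pattern for Windows event logs
num_events: 1
timeframe:
  minutes: 5
realert:
  minutes: 10                 # suppress repeats of the same rule for 10 minutes

filter:
- query:
    query_string:
      query: "winlog.event_id:4720"   # assumed Winlogbeat field; 4720 = user account created

alert:
- slack
slack_webhook_url: "https://hooks.slack.com/services/REPLACE/WITH/WEBHOOK"  # placeholder
slack_channel_override: "#test"          # same channel as in the Praeco screenshot
slack_username_override: "ElastAlert"
slack_msg_color: "danger"

alert_subject: "New Windows user account on {0}"
alert_subject_args:
- host.name                              # assumed Winlogbeat field
alert_text_type: alert_text_only         # send only alert_text, not the full match dump
alert_text: |
  Account {0} was created by {1} on host {2}.
alert_text_args:
- winlog.event_data.TargetUserName       # assumed Winlogbeat field
- winlog.event_data.SubjectUserName      # assumed Winlogbeat field
- host.name
```

Keeping the webhook URL in BaseRule.config, as the article does, rather than in each rule file means one place to rotate it; alert_text_only also keeps raw event fields out of the chat channel, which matters when the channel is shared more widely than the SOC.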










2.2- ElastAlert TheHive



, Praeco TheHive, elastalert-server.



Elastalert-server, Praeco, , , Praeco.



A- : «User_creation»:



-, Praceo, , URL- HTTP, .



, Save.





B- Thehive:



TheHive, Elastalert-Server



/etc/elastalert/rules



nano User_creation.yml




C. Praeco





Hive



, , Praeco, /etc/elastalert/rules:





D- TheHive:





2.3- Sigma :



, Sigma , Elastalert.



URL : https://github.com/Neo23x0/sigma.git





A- Sigma



cd ~
git clone https://github.com/Neo23x0/sigma.git


B-



cd ~/sigma/tools
pip3 install -r requirements.txt


( ) ( ):



./sigmac -t elastalert -c winlogbeat ../rules/windows/builtin/win_user_creation.yml






, (Praeco / Elastalert-Server) - .



, ( ) Praeco .



, .



: (Kibana → Discover Interface) , , . , , « ».



2.4- Wazuh theHive:



, , wazuh, wazuh praeco, , Hive:



A. wazuh :





rule.id ( ).



wazuh → Overview → Security events.





B- elastalert-server:



nano /etc/elastalert/wazuh-alert-TEST.yaml
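This rule file is an added example serving both section 2.2 (the TheHive settings added to User_creation.yml) and this Wazuh section: the hive_connection and hive_alert_config blocks are the same in either rule, only the index and filter differ. It is not a file from the article, ElastAlert or Wazuh. The Wazuh index pattern, field names and rule id, the TheHive host and the API key are assumptions or placeholders:

```yaml
# /etc/elastalert/rules/wazuh-alert-TEST.yaml - added example, not from the article.
name: wazuh-alert-TEST
type: any                     # every matching document becomes one alert
index: wazuh-alerts-*         # assumed Wazuh alerts index pattern
realert:
  minutes: 0                  # no suppression: each Wazuh event should reach the analyst

filter:
- query:
    query_string:
      query: "rule.id:5710"   # assumed example id; take the real one from Wazuh -> Overview -> Security events

alert:
- hivealerter
hive_connection:
  hive_host: http://thehive.example.local   # assumed TheHive address
  hive_port: 9000
  hive_apikey: REPLACE_WITH_THEHIVE_API_KEY # placeholder, generated in TheHive for an account allowed to create alerts

hive_alert_config:
  title: "Wazuh: {match[rule][description]}"  # {match[...]} pulls fields from the matched document
  type: "external"
  source: "elastalert"
  description: "Wazuh rule {match[rule][id]} level {match[rule][level]} on agent {match[agent][name]}"
  severity: 2                 # 1 low, 2 medium, 3 high
  tlp: 2                      # TLP:AMBER
  tags:
  - "wazuh"
  - "elastalert"
  - "{rule[name]}"            # {rule[...]} pulls keys from this rule file

# Observables let the analyst pivot in TheHive; each entry maps a TheHive data type
# to a (dotted) field in the match. Both field names are assumed Wazuh fields.
hive_observable_data_mapping:
- ip: data.srcip
- other: agent.name
```

For the User_creation rule of section 2.2, keep the index and filter from that rule and append only the alert, hive_connection, hive_alert_config and hive_observable_data_mapping blocks. The API key grants alert creation in TheHive, so the rule file should be readable only by the account that runs ElastAlert and ElastAlert-Server.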




C- :







. , , . .



