Elastic Detection Rule 101
In this blog post, we embark on a journey to demystify the process of creating your very first detection rule. Whether you’re a seasoned security professional or someone taking their first steps into the world of cybersecurity, understanding how to craft effective detection rules is an invaluable skill. We’ll be diving into the realm of Elastic Security, an advanced solution that empowers you to proactively defend your systems against a myriad of threats.
Unveiling the Power of Detection Rules
Detection rules are the cornerstone of any proactive security strategy. They allow you to define conditions that, when met, trigger alerts and notifications about potentially malicious activities. Think of detection rules as your digital sentinels, constantly patrolling your networks and systems to identify anomalies that might indicate a breach or attack.
Creating detection rules enables you to:
Stay Ahead of Threats: By crafting rules tailored to your organization’s specific environment, you can catch suspicious activities before they escalate into full-blown security incidents.
Customize Monitoring: Detection rules are highly customizable, giving you the flexibility to focus on specific behaviors, patterns, or indicators of compromise that are most relevant to your infrastructure.
Automate Responses: Once an alert is triggered by a detection rule, you can set up automated responses to mitigate potential threats swiftly, reducing the risk of damage.
Improve Incident Response: Effective detection rules enhance your incident response capabilities, allowing you to investigate and address security events with greater efficiency.
Navigating Elastic Security
Within the Elastic Security framework, the rule creation process empowers you to craft tailored threat detection and incident response strategies. Here are the distinct categories of rules that you can shape:
- Custom query Rules
- Machine Learning Rules
- Threshold Rules
- Event Correlation Rules
- Indicator Match Rules
- New Terms Rules
Note: refer to this page for more details https://www.elastic.co/guide/en/security/current/rules-ui-create.html
In our blog, today, will use Metasploit to brute force our target machine, and in the target we have Winlogbeat to collect the logs and send it to Easticsearch, we use Kibana to create our detection rule, so the lab environment or the scenario shown bellow
PART I
- Start Metasploit framework
- Use auxiliary/scanner/smb/smb_login
- We need three parameters PASS_FILE + RHOST + SMBUser
Create pass.txt file that contains your passwords, otherwise you can use a large wordlist like “ruckyou”
- Run
Before we dive into the detection rule, as Security Analyst / Incident responder we should have a dashboard to monitor the different type of activities happen on our environment, and one of them is authentication, since out target in this blog is Windows, bellow table from UltimateWindowsSecurity that show the different types of Logon:
Link for more details https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter3
- In Discover Kibana, choose the right index pattern/data view: in our case is winlogbeat-*
- In the search bar search for event.code: “4625” or event.code: “4625”
- You can also create a visualization for it by going to visualization library > create visualization > aggregation based > pie >choose winlogbeat-*
- After that split slices > add filters
- After that > split slices
- Next > term aggregation > user.name
- Save your visualization and add it to your dashboard.
Now we finish with that, let’s create our first detection rule:
- First, go to Security> Alerts > manage rules > Create new rule
- You will see this page
- First >choose Threshold
- After >choose the index pattern winlogbeat-*
- Next >Custom Query event.code: “4625”
- Last >Group by user.name with threshold 5
So the logic here is if we see this event code 4625 which means, failed login, more than 5 times (you can change it to other thresholds) for every user.name, in the last 1 minute (the look-back time will be after this step) as it shows bellow
- After that you give name and description to your detection rules
- Add the Runs time, meaning this rule will be executed every one minute
- Look-back time, which means execute the threshold query on the data that comes last one minute
- Save your detection rule, and on the right side you see Rule Privew it will simulate the detection rule and shows you the result
After running the Metasploit again and scrolling down on the same page you will have this
- Your Detection rule will trigger an Alert right after running SMB attack using Metasploit
You can see the same Alert in the Alerts page
Once you receive your Alert, you start your investigation, and the first step is to acknowledge the Alert(like you assign it to you, in case you working with team)
After acknowledging your Alert, you can create a case for it or add this alert to an exsting case
You add the necessary details for your case
After finishing your investigation, you can Add exceptions to your detection to reduce the False Positives, and also you can tag your Alert
Once the investigation is done, you can close your Alert
You made it ^^
In closing, the realm of Elastic detection rules offers an invaluable toolkit for safeguarding your digital landscape. By crafting and fine-tuning these vigilant guardians, you fortify your organization’s defenses against the ever-evolving tide of cyber threats. As you embark on your journey to master the art of detection rule creation, remember that each rule you design is a proactive step towards a more resilient and secure digital future. Through Elastic’s powerful capabilities and your newfound expertise, you hold the keys to a safer and more secure digital realm.
