Session 3: Security CTRL - SIEM (Elastic SIEM) Walk Through
- Updated on 03 Feb 2025
SIEM Overview
SIEM is an acronym for Security Information and Event Management, a general term for tools that aggregate security-related logs and information into a format that is easily searchable and that automatically generate alerts.
Elastic is an extremely flexible tool with a wide variety of configuration options. The SIEM module in particular can be tuned in a wide variety of ways; the exact details will largely depend on the needs of individual clients. Expedient provides a default configuration, and this walkthrough demonstrates a number of additional features that are client managed. See the following KB page for details of what is and is not managed by Expedient with this product.
Like all Elastic-based products, the policy set on each agent determines what data is available for the SIEM module to search. Make sure that every agent you want reporting in SIEM is configured with a SIEM profile. See the first walkthrough video for additional details.
Rules (Detection Rules (SIEM))
Detection rules are the heart of SIEM. Elastic works by searching all the data that it ingests. Rules are how you choose exactly what to search for.
Rules are found under the Security section in the hamburger menu.
Expedient will install a default set of rules; additional rules are available under “Add Elastic Rules”.
Not all rules will work, as the data they need isn’t ingested by Expedient by default. For instance, there are rules for Okta authentication, but the Okta integration necessary to run those rules doesn’t fall under Expedient’s management scope.
To see the details of a specific rule or to tweak its settings you can click on the name.
For instance, the “Potential PrintNightmare Exploit Registry Modification” rule searches for registry changes related to the exploit. It provides reference URLs that show the details of the exploit being referenced.
Rules need to be manually enabled by toggling the button in the upper right of the page. Expedient doesn’t know which rules make sense in your environment, so it’s up to each client to enable rules.
Rules can also be edited to add an action if any results are detected. Actions are integrations to various notification services.
The simplest example is the email integration. By default it is configured to use Expedient’s 810 Mail Relay. We do not currently support other mail relays.
To configure an email alert for a specific rule, you have to specify an email address to send to as well as the subject and contents of the message. Both the subject and the message support variables, such as date and time, that can be added from the blue plus symbol button.
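The following is an added example, not Elastic's or Expedient's code, that models what the page describes: a detection rule is a saved query that, only once enabled, runs against the ingested events, and its email action fills a subject and message template with variables. The rule dict uses the field names of the Kibana Detection Engine API, but the query matcher is a deliberately tiny subset of KQL written for illustration (`field:value` terms joined by `and`, `*` as a wildcard), the query text is an illustration of a registry-modification search rather than the real PrintNightmare rule, the events are constructed ECS-style documents, and the `{{...}}` variable names are assumptions about the template syntax.

```python
"""Simplified model of what an enabled Elastic SIEM detection rule does.

Added example, not Elastic's or Expedient's code. The rule dict mirrors the
field names the Kibana Detection Engine API uses (type, language, query,
enabled, actions), but the query matcher is a tiny illustrative subset of
KQL: `field:value` terms joined by `and`, with `*` as a wildcard. The query
text illustrates a registry-modification search and is not the real
"Potential PrintNightmare Exploit Registry Modification" rule. The events
are constructed ECS-style documents, and the {{...}} variable names in the
action are assumptions about the notification template syntax.
"""
import fnmatch
import re
from datetime import datetime, timezone

RULE = {
    "name": "Example: print driver registry modification",
    "type": "query",
    "language": "kuery",
    "enabled": False,  # rules ship disabled; a client has to toggle them on
    "query": r"event.category:registry and registry.path:*\Print\Environments\*\Drivers\*",
    "actions": [{
        "action_type_id": ".email",
        "params": {
            "to": ["soc@example.invalid"],  # constructed address
            "subject": "[SIEM] {{context.rule.name}} fired at {{date}}",
            "message": "{{state.signals_count}} alert(s) for rule {{context.rule.name}}.",
        },
    }],
}

# Constructed events with flat ECS field names. Only the first one touches a printer driver path.
EVENTS = [
    {"@timestamp": "2025-02-03T10:00:01Z", "host.name": "print01",
     "event.category": "registry", "event.action": "modification",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\ExampleDriver\Data File",
     "process.name": "spoolsv.exe"},
    {"@timestamp": "2025-02-03T10:00:02Z", "host.name": "ws07",
     "event.category": "registry", "event.action": "modification",
     "registry.path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "process.name": "explorer.exe"},
    {"@timestamp": "2025-02-03T10:00:03Z", "host.name": "print01",
     "event.category": "process", "event.action": "start",
     "process.name": "spoolsv.exe"},
]


def parse_query(query):
    """Split the `field:value and field:value` subset into (field, pattern) pairs."""
    terms = []
    for term in re.split(r"\s+and\s+", query.strip()):
        field, _, value = term.partition(":")
        terms.append((field.strip(), value.strip().strip('"')))
    return terms


def matches(event, terms):
    """Every term must match; a missing field never matches."""
    return all(fnmatch.fnmatchcase(str(event.get(field, "")), pattern)
               for field, pattern in terms)


def run_rule(rule, events):
    """Return the events this rule would raise as alerts. A disabled rule searches
    nothing; each enabled rule is one more query over everything ingested."""
    if not rule["enabled"]:
        return []
    terms = parse_query(rule["query"])
    return [event for event in events if matches(event, terms)]


def render(template, variables):
    """Substitute {{name}} placeholders; unknown names are left as-is."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: str(variables.get(m.group(1), m.group(0))), template)


def notify(rule, alerts, now=None):
    """Build the messages the rule's email actions would send for this batch of alerts."""
    if not alerts:
        return []
    variables = {
        "context.rule.name": rule["name"],
        "date": now or datetime.now(timezone.utc).isoformat(),
        "state.signals_count": len(alerts),
    }
    return [{"to": action["params"]["to"],
             "subject": render(action["params"]["subject"], variables),
             "message": render(action["params"]["message"], variables)}
            for action in rule["actions"] if action["action_type_id"] == ".email"]


if __name__ == "__main__":
    print("disabled:", run_rule(RULE, EVENTS))  # []
    enabled = dict(RULE, enabled=True)
    hits = run_rule(enabled, EVENTS)
    print("enabled:", [h["registry.path"] for h in hits])
    for mail in notify(enabled, hits):
        print(mail["subject"], "|", mail["message"])
```

Run as-is it shows the point made above: the disabled copy of the rule returns nothing, the enabled copy returns the single driver-path change, and the email subject and message are rendered with the rule name, the date and the alert count.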
Rules can be enabled individually or in bulk.
By default no rules are enabled, except the Endpoint Protection rules when the client is subscribed to Endpoint Protection. Each enabled rule is another search against the data Elastic ingests, so enabling too many rules can create performance problems.
To enable multiple rules at once, select the check box next to each rule name and choose Enable from the bulk options menu.
It’s also possible to configure actions for multiple rules at once to send alerts whenever those rules are triggered.
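As an added example (not Expedient's or Elastic's tooling), the same two bulk steps, enabling a set of rules and adding an email action to them, driven through the Kibana Detection Engine API rather than the checkbox menu. The `_bulk_action` endpoint, the `enable` and `edit` body shapes, the `add_rule_actions` edit type and the `dry_run` query parameter are assumptions taken from the Kibana 8.x Security API documentation and should be checked against the Kibana version in use; `KIBANA_URL`, `API_KEY` and `EMAIL_CONNECTOR_ID` are placeholders.

```python
"""Enable detection rules in bulk and attach an email action to them through
the Kibana Detection Engine API.

Added example, not Expedient's or Elastic's tooling. Assumptions: the
/api/detection_engine/rules/_bulk_action endpoint, the `enable` and `edit`
bodies, the `add_rule_actions` edit type and the `dry_run` query parameter
follow the Kibana 8.x Security API docs and must be checked against the
Kibana version in use. KIBANA_URL, API_KEY and EMAIL_CONNECTOR_ID are
placeholders; the connector id is that of the email connector configured in
Kibana (by default the one pointing at Expedient's mail relay).
"""
import json
import urllib.request

KIBANA_URL = "https://kibana.example.invalid:5601"  # placeholder
API_KEY = "<kibana api key>"                          # placeholder
EMAIL_CONNECTOR_ID = "<email connector id>"           # placeholder
BULK_ACTION_PATH = "/api/detection_engine/rules/_bulk_action"


def enable_body(query=None, ids=None):
    """Body that enables every rule matching a saved-object query (for example
    'alert.attributes.tags: "Windows"') or an explicit list of rule ids."""
    body = {"action": "enable"}
    if ids:
        body["ids"] = list(ids)
    else:
        body["query"] = query
    return body


def add_email_action_body(query, to, subject, message, connector_id=EMAIL_CONNECTOR_ID):
    """Body that adds one .email action to every matching rule. The subject and
    message may carry the same {{...}} variables the UI offers."""
    action = {
        "id": connector_id,
        "action_type_id": ".email",
        "group": "default",
        "params": {"to": list(to), "subject": subject, "message": message},
    }
    return {"action": "edit", "query": query,
            "edit": [{"type": "add_rule_actions", "value": {"actions": [action]}}]}


def bulk_action(body, dry_run=False):
    """POST the body. With dry_run, Kibana reports what would change without applying it,
    which shows how many rules a query selects before that search load is added."""
    url = KIBANA_URL + BULK_ACTION_PATH + ("?dry_run=true" if dry_run else "")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": "ApiKey " + API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    windows_rules = 'alert.attributes.tags: "Windows"'
    print(json.dumps(enable_body(windows_rules), indent=2))
    print(json.dumps(add_email_action_body(
        windows_rules, ["soc@example.invalid"],
        "[SIEM] {{context.rule.name}}", "{{state.signals_count}} new alert(s)"), indent=2))
    # Network call; replace the placeholders first:
    # bulk_action(enable_body(windows_rules), dry_run=True)
```

Selecting rules by tag rather than enabling everything keeps the number of concurrent searches deliberate, and a dry run first makes the size of the selection visible before it starts consuming capacity.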
Dashboards
Configuring alerts for email, Teams, Slack or some other platform can get cumbersome, and there are certainly rules that you don’t need to be notified about every time an alert comes in. This is where dashboards come in.
For instance, the Overview dashboard shows which rules are currently running, any alerts that have come in, and the general events that are being logged. In this screenshot, one rule, which detects whenever services are stopped on Windows servers, is currently creating a large volume of alerts.
Elastic creates default dashboards based on common needs but custom dashboards can also be created by clients if there are specific alerts you want to see the details of. Custom dashboards are not managed by Expedient.
Additional documentation on Elastic’s default dashboards is available from Elastic.
Cases & Timelines
Cases and Timelines are Elastic features that are not managed by Expedient but are extremely useful for aggregating potentially related alerts. Both let you gather alerts into a single location while keeping all the original details of each alert and keeping the data easily filterable.
For additional information check out Elastic’s Docs pages on Timelines and Cases.