Elasticsearch 7.4 - Snapshot and Restore
The recent 7.4 release of the ELK stack now includes the ability to snapshot (backup) and restore indices from within Kibana as well as manage repositories and policies. In this walkthrough we’ll configure Elasticsearch to snapshot to an Amazon S3 bucket. Note that Azure and Google Cloud are supported as well.
Siemplify SOAR to Elastic Common Schema Mapping
This is a sample mapping of connector, entity, and system fields required by Siemplify to source events in Elasticsearch mapped to the Elastic Common Schema.
Elasticsearch snapshots to Windows share
Siemplify SOAR Overview
I’ve been fortunate to have spent the last few months working with Siemplify and watching it evolve from version 4 to the recently released version 5. Siemplify is a SOAR solution which stands for Security Orchestration, Automation, and Response. It enables case management and the running of Playbooks on incoming alerts, with the goal of reducing the amount of time an analyst must spend on repetitive tasks which can be easily automated. After an enrichment phase the analyst can better make quick, informed decisions as to how to proceed, and can be assured that actions performed are as expected without the possibility of forgetting or missing a step.
High-level PCAP Analysis
PCAP files play a critical role in network troubleshooting and security. When an issue arrises and Developers are pointing at the SysAdmin who are pointing at the Network Admins, a PCAP capture will give you the unbiased answer. Depending on the amount of traffic and length of the capture however, these files can be extremely daunting to look at when first opened. Where do you start in a capture with 200,000 entries?
Open Source SIRP with Elasticsearch and TheHive - Part 6 - Case Management
We now have a working pipeline starting with an alert being triggered at our endpoint, through escalating that alert into TheHive. Once we have an alert we can begin the process of case creation, task assignment, IoC enrichment, and ultimately case closure. Let’s walk through this process in more detail.
Phishing Email Pipeline with imap2thehive
Today I’ll show you how to use imap2thehive to pull emails from a mailbox, extract as many unique observables as possible, and generate a case in TheHive. It won’t be a long post as the author of imap2thehive has done an excellent job with his script and some small configuration changes are all that are required.
WSUS Troubleshooting Steps
Below is the guide I use when troubleshooting a broken WSUS installation. This can manifest as a server console error, the ever popular “it’s just not reporting in”, or through the event log. I’ll walk you through the components of WSUS and how to check and make sure each one is functioning properly.
Enable X-Pack Security for Elasticsearch
At some point, after probably dozens of test Elasticsearch instances, you’ll want to actually deploy a cluster into production. If you’re now responsible for a production cluster you’ll need to protect against credential harvesting and random curl DELETE
queries that can cause all your indexes to disappear. Thus the motivation for purchasing X-Pack.
Cuckoo Sandbox Installation
Cuckoo Sandbox is an open source malware analysis system used to launch files in an isolated environment and observe their behavior. Pass it a URL, executable, office document, pdf, or any file, and it will get launched in an isolated virtual machine where cuckoo can observe it’s process execution, API calls, network access, and all filesystem activity. You’ll then get a report and a threat score based on the observed behavior. Once the analysis is complete the VM restores to a known good snapshot and waits for the next execution.