Ship and centralize in Elasticsearch Ship to Logstash for transformation and parsing Ship to Elastic Cloud Libbeat: API framework to build custom beats 70+ community Beats
sizes, and sources Parse and dynamically transform data Transport data to any output Secure and encrypt data inputs Build your own pipelines Lots of plugins
content from Elastic and community Visualize your Elasticsearch data and navigate the Elastic Stack A distributed, RESTful search and analytics engine Kibana Elasticsearch Security Out-of-the-box solution for security analysts everywhere Logstash Beats Endpoint
Elastic Security ➔ New Filebeat modules for Office 365 and Okta ➔ Filebeat CEF module supports Check Point ➔ Elastic Endpoint Security streams to Logstash ➔ ECS “Mapper” tool made public ➔ SIEM queries support ECS fields ➔ Notifications - Email, Slack, PagerDuty, Webhook ➔ Direct ML integration in detection engine ➔ Expanded prebuilt rules ➔ Prebuilt MITRE Based Protections ➔ Import and export timelines ➔ SIEM rule execution monitoring ➔ New case management workflows ➔ New simple case management workflow integration with ServiceNow® ➔ New Investigation Guide playbooks
a common set of fields and objects to ingest data into Elasticsearch Enables cross-source analysis of diverse data Designed to be extensible ECS is in GA and is being adopted throughout the Elastic Stack Contributions & feedback welcome at https://github.com/elastic/ecs
OOTB and custom rules aligned with MITRE ATT&CK • Scheduled rules run periodically and generate signals • Signals investigated in SIEM app Timeline • Signals can also be used as detection building blocks for more complex detections
a Windows host than standard Windows logging, allowing for easier detection of threats: • File modification events • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names • Records the hash of process image files • Logs process creation with full command line for both current and parent processes • And many more… Enriched configuration file mapped to MITRE ATTACK Matrix : https://github.com/olafhartong/sysmon-modular
Common Knowledge” • A globally-accessible knowledge base of adversary tactics and techniques, categorized into an easily-consumable model • Based on real-world in-the-wild observations of actual adversary behavior • Focus on the adversary and behaviors they exhibit, tools they use, and actions they perform • Community driven, updated by MITRE quarterly based on new things being seen and reported in the wild The common language and de facto standard
Helix Group (https://attack.mitre.org/groups/G0049/) • In the real campaign, the payload was delivered to victims via a phishing e-mail with a word document attached. The document contained several macros that performed a number of adversarial behaviours. • In our Lab a Powershell script replicate the Document Macro exexution
and attached to the DNS Queries to the catch domain. DNS Tunnel HERE GOES THE SCHEMA FOR THE DNS EXFILTRATION!!!! 0468d000b7d1679ED1C50T.baddomain.com baddomain.com Compromised machine