├── License.md ├── dashboards ├── all-kibana.json ├── kibana-network.json └── password-dump-analysis.json ├── documentation ├── 01-basics.html ├── 01-basics.md ├── 02-setup.html ├── 02-setup.md ├── 03-backup-es.html ├── 03-backup-es.md ├── 04-alerting-and-dashboards.html ├── 04-alerting-and-dashboards.md ├── 05-ansible-playbook.html ├── 05-ansible-playbook.md ├── 06-security-testing.html ├── 06-security-testing.md ├── 07-general-best-practices-checklist.html ├── 07-general-best-practices-checklist.md ├── 08-exercise.html ├── 08-exercise.md ├── 09-q-and-a-end.html ├── 09-q-and-a-end.md ├── extras │ ├── alternative-options.html │ ├── alternative-options.md │ ├── elasticsearch-config-checklist.html │ └── elasticsearch-config-checklist.md ├── images │ ├── ELK_basic_setup.png │ ├── apacheregex.png │ ├── appsecco.png │ ├── beats_def.png │ ├── elasticsearch-head-plugin.png │ ├── elasticsearch-hq-plugin.png │ ├── elasticsearch_def.png │ ├── elk_overall.png │ ├── es-c-1.png │ ├── es-c-2.png │ ├── es-c-3.png │ ├── es-c-4.png │ ├── es-c-5.png │ ├── es-c-6.png │ ├── itinfra.png │ ├── k-1.png │ ├── k-10.png │ ├── k-11.png │ ├── k-2.png │ ├── k-3.png │ ├── k-4.png │ ├── k-5.png │ ├── k-6.png │ ├── k-7.png │ ├── k-8.png │ ├── k-9.png │ ├── kibana-attack-dashboard.png │ ├── kibana-ssh-dashboard.png │ ├── kibana-web-dashboard.png │ ├── kibana_def.png │ ├── logstash.png │ ├── logstash_def.png │ ├── monitor.png │ ├── network-dashboard.png │ ├── ninja.png │ ├── ourstructure.pdn │ ├── ourstructure.png │ ├── pentest │ │ ├── BasicAuthOverHTTP-2.png │ │ ├── BasicAuthOverHTTP.png │ │ ├── httpAuth.png │ │ ├── hydrapasscrack.png │ │ ├── hydrasshpasscrack.png │ │ ├── kibana_verbose_error.png │ │ ├── nmapscan.png │ │ └── serviceenum.png │ ├── pwd-analysis.png │ └── setup │ │ ├── hostsfile_win.png │ │ ├── vbox_import_ova.png │ │ └── vbox_import_ova_change_disk_location.png ├── references.html ├── references.md ├── start.html └── start.md ├── elk-ansible-playbook ├── group_vars │ └── all ├── 
inventory.ini ├── main.yml ├── readme.md └── roles │ ├── common │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── certificates.yml │ │ ├── main.yml │ │ └── nginx.yml │ └── templates │ │ └── nginxdefault.j2 │ ├── elasticsearch │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── curator.yml │ │ ├── esconfig.yml │ │ ├── install.yml │ │ ├── main.yml │ │ └── plugins.yml │ └── templates │ │ ├── curator_snapshot.sh.j2 │ │ └── elasticsearch.yml.j2 │ ├── kibana │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── kibanaconfig.yml │ │ ├── kibanainstall.yml │ │ └── main.yml │ └── templates │ │ └── kibanaconfig.j2 │ └── logstash │ ├── handlers │ └── main.yml │ ├── tasks │ ├── logstashconfig.yml │ ├── logstashinstall.yml │ └── main.yml │ └── templates │ ├── 02-beats-input.conf │ ├── 10-sshlog-filter.conf │ ├── 11-weblog-filter.conf │ ├── 30-elasticsearch-output.conf │ └── filebeat.yml ├── logstash-configs ├── ddos.conf ├── filebeat-web-ssh-logstash-config │ ├── 02-beats-input.conf │ ├── 10-sshlog-filter.conf │ ├── 11-weblog-filter.conf │ └── 30-elasticsearch-output.conf ├── network.conf ├── pwd-dump.conf ├── ssh-log.conf └── web-log.conf ├── readme.md └── vm-content ├── configs ├── filebeat.yml ├── network.conf ├── ssh-log.conf └── web-log.conf ├── dashboards ├── all-kibana.json └── kibana-network.json ├── exercise ├── custom ├── elasticsearch-template.json ├── kibana-network.json └── network.conf └── log-samples ├── access.log ├── ddos.log ├── filebeat.tar.gz └── network.log /License.md: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 
11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /dashboards/all-kibana.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Web-Dashboard", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "Web-Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Web-Attack-Table\",\"panelIndex\":1,\"row\":3,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Web-Attack-Machine\",\"panelIndex\":2,\"row\":3,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Web-Attack-Response\",\"panelIndex\":3,\"row\":1,\"size_x\":5,\"size_y\":2,\"type\":\"visualization\"},{\"id\":\"Web-Attack-Count\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":2,\"size_y\":2,\"col\":6,\"row\":1},{\"id\":\"Web-Attack-Bytes\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":2,\"size_y\":2,\"col\":8,\"row\":1},{\"id\":\"Web-Attack-Description\",\"type\":\"visualization\",\"panelIndex\":6,\"size_x\":3,\"size_y\":2,\"col\":10,\"row\":1},{\"id\":\"WEB\",\"type\":\"search\",\"panelIndex\":7,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":6,\"columns\":[\"clientip\",\"verb\",\"request\",\"response\",\"geoip.country_name\",\"geoip.city_name\",\"useragent.name\",\"useragent.os\"],\"sort\":[\"@timestamp\",\"desc\"]}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": "{\"P-2\":{\"vis\":{\"legendOpen\":false}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "now", 15 | "timeFrom": "now-15d/d", 16 | "kibanaSavedObjectMeta": { 17 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 18 | } 19 | } 20 | }, 21 | { 22 | "_id": "SSH-Dashboard", 23 | "_type": "dashboard", 24 | "_source": { 25 | "title": "SSH-Dashboard", 26 | "hits": 0, 27 | "description": "", 28 | "panelsJSON": 
"[{\"id\":\"SSH-Attack-Count\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":4,\"size_y\":2,\"col\":1,\"row\":4},{\"id\":\"SSH-Attack-Description\",\"type\":\"visualization\",\"panelIndex\":2,\"size_x\":4,\"size_y\":2,\"col\":5,\"row\":4},{\"id\":\"SSH-Attack-Details\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":6,\"size_y\":3,\"col\":7,\"row\":1},{\"id\":\"SSH-Attack-Info\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":4,\"size_y\":5,\"col\":9,\"row\":4},{\"id\":\"SSH-Attack-Response\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"SSH\",\"type\":\"search\",\"panelIndex\":6,\"size_x\":8,\"size_y\":3,\"col\":1,\"row\":6,\"columns\":[\"syslog_date\",\"login\",\"username\",\"ip\",\"geoip.country_name\",\"geoip.city_name\"],\"sort\":[\"@timestamp\",\"desc\"]}]", 29 | "optionsJSON": "{\"darkTheme\":false}", 30 | "uiStateJSON": "{}", 31 | "version": 1, 32 | "timeRestore": true, 33 | "timeTo": "now", 34 | "timeFrom": "now-15d/d", 35 | "kibanaSavedObjectMeta": { 36 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}" 37 | } 38 | } 39 | }, 40 | { 41 | "_id": "Attack-Dashboard", 42 | "_type": "dashboard", 43 | "_source": { 44 | "title": "Attack-Dashboard", 45 | "hits": 0, 46 | "description": "", 47 | "panelsJSON": 
"[{\"col\":10,\"id\":\"Attack-Description\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Attack-Details\",\"panelIndex\":2,\"row\":3,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Attack-Details-ssh\",\"panelIndex\":3,\"row\":6,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":6,\"id\":\"Attack-Info-ssh\",\"panelIndex\":4,\"row\":6,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Attack-Machine-Web\",\"panelIndex\":7,\"row\":3,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Attack-Table-Web\",\"panelIndex\":8,\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Attack-Unique-IP\",\"panelIndex\":9,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_type\",\"geoip.ip\",\"login\",\"username\",\"verb\",\"response\",\"useragent.name\",\"useragent.os\",\"geoip.country_name\",\"geoip.city_name\"],\"id\":\"WEB-SSH\",\"panelIndex\":10,\"row\":9,\"size_x\":12,\"size_y\":3,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Attack-Logs\",\"panelIndex\":11,\"row\":1,\"size_x\":6,\"size_y\":2,\"type\":\"visualization\"}]", 48 | "optionsJSON": "{\"darkTheme\":false}", 49 | "uiStateJSON": "{}", 50 | "version": 1, 51 | "timeRestore": true, 52 | "timeTo": "now", 53 | "timeFrom": "now-15d/d", 54 | "kibanaSavedObjectMeta": { 55 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 56 | } 57 | } 58 | }, 59 | { 60 | "_id": "WEB-SSH", 61 | "_type": "search", 62 | "_source": { 63 | "title": "WEB-SSH", 64 | "description": "", 65 | "hits": 0, 66 | "columns": [ 67 | "_type", 68 | "geoip.ip", 69 | "login", 70 | "username", 71 | "verb", 72 | "response", 73 | "useragent.name", 74 | "useragent.os", 75 | "geoip.country_name", 76 | "geoip.city_name" 77 | ], 78 | "sort": [ 79 | "@timestamp", 80 | 
"desc" 81 | ], 82 | "version": 1, 83 | "kibanaSavedObjectMeta": { 84 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 85 | } 86 | } 87 | }, 88 | { 89 | "_id": "WEB", 90 | "_type": "search", 91 | "_source": { 92 | "title": "WEB", 93 | "description": "", 94 | "hits": 0, 95 | "columns": [ 96 | "clientip", 97 | "verb", 98 | "request", 99 | "response", 100 | "geoip.country_name", 101 | "geoip.city_name", 102 | "useragent.name", 103 | "useragent.os" 104 | ], 105 | "sort": [ 106 | "@timestamp", 107 | "desc" 108 | ], 109 | "version": 1, 110 | "kibanaSavedObjectMeta": { 111 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:weblog\",\"analyze_wildcard\":true}}}" 112 | } 113 | } 114 | }, 115 | { 116 | "_id": "SSH", 117 | "_type": "search", 118 | "_source": { 119 | "title": "SSH", 120 | "description": "", 121 | "hits": 0, 122 | "columns": [ 123 | "syslog_date", 124 | "login", 125 | "username", 126 | "ip", 127 | "geoip.country_name", 128 | "geoip.city_name" 129 | ], 130 | "sort": [ 131 | "@timestamp", 132 | "desc" 133 | ], 134 | "version": 1, 135 | "kibanaSavedObjectMeta": { 136 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"type:sshlog\"}}}" 137 | } 138 | } 139 | }, 140 | { 141 | "_id": 
"Web-Attack-Response", 142 | "_type": "visualization", 143 | "_source": { 144 | "title": "Web-Attack-Response", 145 | "visState": "{\"title\":\"New Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"response\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 146 | "uiStateJSON": "{}", 147 | "description": "", 148 | "savedSearchId": "WEB", 149 | "version": 1, 150 | "kibanaSavedObjectMeta": { 151 | "searchSourceJSON": "{\"filter\":[]}" 152 | } 153 | } 154 | }, 155 | { 156 | "_id": "Web-Attack-Machine", 157 | "_type": "visualization", 158 | "_source": { 159 | "title": "Web-Attack-Machine", 160 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"response\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.os\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"OS\"}}],\"listeners\":{}}", 161 | "uiStateJSON": "{}", 162 | "description": "", 163 | "savedSearchId": "WEB", 164 | "version": 1, 165 | "kibanaSavedObjectMeta": { 166 | "searchSourceJSON": "{\"filter\":[]}" 167 | } 168 | } 169 | }, 170 | { 171 | "_id": "Web-Attack-Table", 172 | "_type": "visualization", 173 | "_source": { 174 | "title": "Web-Attack-Table", 175 | "visState": "{\"title\":\"Web-Attack-Table\",\"type\":\"table\",\"params\":{\"perPage\":6,\"showPartialRows\":true,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Hits\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"clientip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Attacker IP\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.city_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"City\"}}],\"listeners\":{}}", 176 | "uiStateJSON": "{}", 177 | "description": "", 178 | "savedSearchId": "WEB", 179 | "version": 1, 180 | 
"kibanaSavedObjectMeta": { 181 | "searchSourceJSON": "{\"filter\":[]}" 182 | } 183 | } 184 | }, 185 | { 186 | "_id": "Web-Attack-Count", 187 | "_type": "visualization", 188 | "_source": { 189 | "title": "Web-Attack-Count", 190 | "visState": "{\"title\":\"New Visualization\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 191 | "uiStateJSON": "{}", 192 | "description": "", 193 | "savedSearchId": "WEB", 194 | "version": 1, 195 | "kibanaSavedObjectMeta": { 196 | "searchSourceJSON": "{\"filter\":[]}" 197 | } 198 | } 199 | }, 200 | { 201 | "_id": "SSH-Attack-Response", 202 | "_type": "visualization", 203 | "_source": { 204 | "title": "SSH-Attack-Response", 205 | "visState": "{\"title\":\"Web-Attack-Response\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 206 | "uiStateJSON": "{}", 207 | "description": "", 208 | "version": 1, 209 | "kibanaSavedObjectMeta": { 210 | "searchSourceJSON": 
"{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:sshlog\",\"analyze_wildcard\":true}}}" 211 | } 212 | } 213 | }, 214 | { 215 | "_id": "SSH-Attack-Details", 216 | "_type": "visualization", 217 | "_source": { 218 | "title": "SSH-Attack-Details", 219 | "visState": "{\"title\":\"New Visualization\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Usernames\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", 220 | "uiStateJSON": "{}", 221 | "description": "", 222 | "savedSearchId": "SSH", 223 | "version": 1, 224 | "kibanaSavedObjectMeta": { 225 | "searchSourceJSON": "{\"filter\":[]}" 226 | } 227 | } 228 | }, 229 | { 230 | "_id": "SSH-Attack-Info", 231 | "_type": "visualization", 232 | "_source": { 233 | "title": "SSH-Attack-Info", 234 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 235 | "uiStateJSON": "{}", 236 | "description": "", 237 | "savedSearchId": "SSH", 238 | "version": 1, 239 | "kibanaSavedObjectMeta": { 240 | "searchSourceJSON": "{\"filter\":[]}" 241 | } 242 | } 243 | }, 244 | { 245 | "_id": "Web-Attack-Bytes", 246 | "_type": "visualization", 247 | "_source": { 248 | "title": "Web-Attack-Bytes", 249 | "visState": "{\"title\":\"Web-Attack-Bytes\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"40\"},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes\",\"customLabel\":\"Bytes\"}}],\"listeners\":{}}", 250 | "uiStateJSON": "{}", 251 | "description": "", 252 | "savedSearchId": "WEB", 253 | "version": 1, 254 | "kibanaSavedObjectMeta": { 255 | "searchSourceJSON": "{\"filter\":[]}" 256 | } 257 | } 258 | }, 259 | { 260 | "_id": "SSH-Attack-Description", 261 | "_type": "visualization", 262 | "_source": { 263 | "title": "SSH-Attack-Description", 264 | "visState": "{\"title\":\"Web-Attack-Description\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# SSH Attack Dashboard\\n### Ninja Level Infrastructure Monitoring\"},\"aggs\":[],\"listeners\":{}}", 265 | "uiStateJSON": "{}", 266 | "description": "", 267 | "version": 1, 268 | "kibanaSavedObjectMeta": { 269 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 270 | } 271 | } 272 | }, 273 | { 274 | "_id": "SSH-Attack-Count", 275 | "_type": "visualization", 276 | 
"_source": { 277 | "title": "SSH-Attack-Count", 278 | "visState": "{\"title\":\"New Visualization\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 279 | "uiStateJSON": "{}", 280 | "description": "", 281 | "savedSearchId": "SSH", 282 | "version": 1, 283 | "kibanaSavedObjectMeta": { 284 | "searchSourceJSON": "{\"filter\":[]}" 285 | } 286 | } 287 | }, 288 | { 289 | "_id": "Web-Attack-Description", 290 | "_type": "visualization", 291 | "_source": { 292 | "title": "Web-Attack-Description", 293 | "visState": "{\"title\":\"Web-Attack-Description\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# Web Attack Dashboard\\n### Ninja Level Infrastructure Monitoring\"},\"aggs\":[],\"listeners\":{}}", 294 | "uiStateJSON": "{}", 295 | "description": "", 296 | "version": 1, 297 | "kibanaSavedObjectMeta": { 298 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 299 | } 300 | } 301 | }, 302 | { 303 | "_id": "Attack-Logs", 304 | "_type": "visualization", 305 | "_source": { 306 | "title": "Attack-Logs", 307 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Time\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}],\"listeners\":{}}", 308 | "uiStateJSON": "{}", 309 | "description": "", 310 | "savedSearchId": "WEB-SSH", 311 | "version": 1, 312 | "kibanaSavedObjectMeta": { 313 | "searchSourceJSON": "{\"filter\":[]}" 314 | } 315 | } 316 | }, 317 | { 318 | "_id": "Attack-Details-ssh", 319 | "_type": "visualization", 320 | "_source": { 321 | "title": "Attack-Details-ssh", 322 | "visState": "{\"title\":\"SSH-Attack-Details\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Usernames\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", 323 | "uiStateJSON": "{}", 324 | 
"description": "", 325 | "version": 1, 326 | "kibanaSavedObjectMeta": { 327 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 328 | } 329 | } 330 | }, 331 | { 332 | "_id": "Attack-Table-Web", 333 | "_type": "visualization", 334 | "_source": { 335 | "title": "Attack-Table-Web", 336 | "visState": "{\"title\":\"Web-Attack-Table\",\"type\":\"table\",\"params\":{\"perPage\":6,\"showPartialRows\":true,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Hits\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"clientip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Attacker IP\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.city_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"City\"}}],\"listeners\":{}}", 337 | "uiStateJSON": "{}", 338 | "description": "", 339 | "version": 1, 340 | "kibanaSavedObjectMeta": { 341 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 342 | } 343 | } 344 | }, 345 | { 346 | "_id": "Attack-Info-ssh", 347 | "_type": "visualization", 348 | "_source": { 349 | "title": "Attack-Info-ssh", 350 | "visState": 
"{\"title\":\"SSH-Attack-Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 351 | "uiStateJSON": "{}", 352 | "description": "", 353 | "version": 1, 354 | "kibanaSavedObjectMeta": { 355 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 356 | } 357 | } 358 | }, 359 | { 360 | "_id": "Attack-Logs-Type", 361 | "_type": "visualization", 362 | "_source": { 363 | "title": "Attack-Logs-Type", 364 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"overlap\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 365 | "uiStateJSON": "{}", 366 | "description": "", 367 | "savedSearchId": "WEB-SSH", 368 | "version": 1, 369 | "kibanaSavedObjectMeta": { 370 | "searchSourceJSON": "{\"filter\":[]}" 371 | } 372 | } 373 | }, 374 | { 375 | "_id": "Attack-Details", 376 | "_type": "visualization", 377 | "_source": { 378 | "title": "Attack-Details", 379 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 380 | "uiStateJSON": "{}", 381 | "description": "", 382 | "savedSearchId": "WEB-SSH", 383 | "version": 1, 384 | "kibanaSavedObjectMeta": { 385 | "searchSourceJSON": "{\"filter\":[]}" 386 | } 387 | } 388 | }, 389 | { 390 | "_id": "Attack-Unique-IP", 391 | 
"_type": "visualization", 392 | "_source": { 393 | "title": "Attack-Unique-IP", 394 | "visState": "{\"title\":\"New Visualization\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"geoip.ip\",\"customLabel\":\"Unique IP Count\"}}],\"listeners\":{}}", 395 | "uiStateJSON": "{}", 396 | "description": "", 397 | "savedSearchId": "WEB-SSH", 398 | "version": 1, 399 | "kibanaSavedObjectMeta": { 400 | "searchSourceJSON": "{\"filter\":[]}" 401 | } 402 | } 403 | }, 404 | { 405 | "_id": "Attack-Description", 406 | "_type": "visualization", 407 | "_source": { 408 | "title": "Attack-Description", 409 | "visState": "{\"title\":\"New Visualization\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# Attack Dashboard\\n### Ninja Level Infrastructure Monitoring\"},\"aggs\":[],\"listeners\":{}}", 410 | "uiStateJSON": "{}", 411 | "description": "", 412 | "version": 1, 413 | "kibanaSavedObjectMeta": { 414 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 415 | } 416 | } 417 | }, 418 | { 419 | "_id": "Attack-Machine-Web", 420 | "_type": "visualization", 421 | "_source": { 422 | "title": "Attack-Machine-Web", 423 | "visState": 
"{\"title\":\"Attack-Machine-Web\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"response\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.os\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"OS\"}}],\"listeners\":{}}", 424 | "uiStateJSON": "{}", 425 | "description": "", 426 | "version": 1, 427 | "kibanaSavedObjectMeta": { 428 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 429 | } 430 | } 431 | } 432 | ] -------------------------------------------------------------------------------- /dashboards/kibana-network.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Network-Dashboard", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "Network Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Top-N-Destinations\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Top-N-Sources\",\"panelIndex\":2,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Traffic-Applications\",\"panelIndex\":3,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":6,\"id\":\"Traffic-Over-Firewalls\",\"panelIndex\":4,\"row\":4,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Traffic-Over-Time\",\"panelIndex\":5,\"row\":4,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Top-N-Rules\",\"panelIndex\":6,\"row\":7,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Top-N-Users\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":3,\"size_y\":3,\"col\":10,\"row\":7}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": "{\"P-3\":{\"vis\":{\"legendOpen\":true}},\"P-4\":{\"vis\":{\"legendOpen\":false}},\"P-5\":{\"vis\":{\"legendOpen\":true}},\"P-6\":{\"vis\":{\"legendOpen\":false}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "2016-07-26T07:00:52.622Z", 15 | "timeFrom": "2016-07-26T06:58:30.000Z", 16 | "kibanaSavedObjectMeta": { 17 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 18 | } 19 | } 20 | }, 21 | { 22 | "_id": "Top-N-Sources", 23 | "_type": "visualization", 24 | "_source": { 25 | "title": "Top N Sources", 26 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SourceAddress\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 27 | "uiStateJSON": "{}", 28 | "description": "", 29 | "version": 1, 30 | 
"kibanaSavedObjectMeta": { 31 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 32 | } 33 | } 34 | }, 35 | { 36 | "_id": "Top-N-Destinations", 37 | "_type": "visualization", 38 | "_source": { 39 | "title": "Top N Destinations", 40 | "visState": "{\"title\":\"Top N Sources\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"DestinationAddress\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 41 | "uiStateJSON": "{}", 42 | "description": "", 43 | "version": 1, 44 | "kibanaSavedObjectMeta": { 45 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 46 | } 47 | } 48 | }, 49 | { 50 | "_id": "Traffic-Over-Time", 51 | "_type": "visualization", 52 | "_source": { 53 | "title": "Traffic Over Time", 54 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"overlap\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=tcp\",\"analyze_wildcard\":true}}},\"label\":\"\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=udp\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=icmp\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"Action=allow\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"Action=deny\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}", 55 | "uiStateJSON": "{}", 56 | "description": "", 57 | "version": 1, 58 | "kibanaSavedObjectMeta": { 59 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 60 | } 61 | } 62 | }, 63 | { 64 | "_id": "Traffic-Applications", 65 | "_type": "visualization", 66 | "_source": { 67 | "title": "Traffic Applications", 68 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"Application\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Applications\"}}],\"listeners\":{}}", 69 | "uiStateJSON": "{}", 70 | "description": "", 71 | "version": 1, 72 | "kibanaSavedObjectMeta": { 73 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 74 | } 75 | } 76 | }, 77 | { 78 | "_id": "Traffic-Over-Firewalls", 79 | "_type": "visualization", 80 | "_source": { 81 | "title": "Traffic Over Firewalls", 82 | "visState": "{\"title\":\"Traffic Types\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"SerialNum\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"Action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"Application\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 83 | "uiStateJSON": "{}", 84 | "description": "", 85 | "version": 1, 86 | 
"kibanaSavedObjectMeta": { 87 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 88 | } 89 | } 90 | }, 91 | { 92 | "_id": "Top-N-Rules", 93 | "_type": "visualization", 94 | "_source": { 95 | "title": "Top N Rules", 96 | "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"Rule\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 97 | "uiStateJSON": "{}", 98 | "description": "", 99 | "version": 1, 100 | "kibanaSavedObjectMeta": { 101 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 102 | } 103 | } 104 | }, 105 | { 106 | "_id": "Top-N-Users", 107 | "_type": "visualization", 108 | "_source": { 109 | "title": "Top N Users", 110 | "visState": "{\"title\":\"Top N Users\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SourceUser\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 111 | "uiStateJSON": "{}", 112 | "description": "", 113 | "version": 1, 114 | "kibanaSavedObjectMeta": { 115 | "searchSourceJSON": 
"{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 116 | } 117 | } 118 | } 119 | ] -------------------------------------------------------------------------------- /dashboards/password-dump-analysis.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "password-dump-analysis", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "password-dump-analysis", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": "[{\"id\":\"Metric-total-uniq\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":3,\"size_y\":4,\"col\":7,\"row\":4},{\"id\":\"pie-top-pass\",\"type\":\"visualization\",\"panelIndex\":2,\"size_x\":4,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"pwd-user-count\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":8,\"size_y\":3,\"col\":5,\"row\":1},{\"id\":\"table-pass-count\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":3,\"size_y\":4,\"col\":10,\"row\":4},{\"id\":\"ver-pass-user\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":6,\"size_y\":4,\"col\":1,\"row\":4}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": "{\"P-3\":{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}},\"P-2\":{\"vis\":{\"legendOpen\":true}},\"P-5\":{\"vis\":{\"legendOpen\":false}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "now", 15 | "timeFrom": "now-60d", 16 | "kibanaSavedObjectMeta": { 17 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}" 18 | } 19 | } 20 | }, 21 | { 22 | "_id": "pwd-dump-search", 23 | "_type": "search", 24 | "_source": { 25 | "title": "pwd-dump-search", 26 | "description": "", 27 | "hits": 0, 28 | "columns": [ 29 | "username", 30 | "password" 31 | ], 32 | "sort": [ 33 | "@timestamp", 34 | "desc" 35 | ], 36 | "version": 1, 37 | "kibanaSavedObjectMeta": { 38 | "searchSourceJSON": 
"{\"index\":\"pwd-dump\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 39 | } 40 | } 41 | }, 42 | { 43 | "_id": "pie-top-pass", 44 | "_type": "visualization", 45 | "_source": { 46 | "title": "pie-top-pass", 47 | "visState": "{\"title\":\"New Visualization\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 48 | "uiStateJSON": "{}", 49 | "description": "", 50 | "version": 1, 51 | "kibanaSavedObjectMeta": { 52 | "searchSourceJSON": "{\"index\":\"pwd-dump\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 53 | } 54 | } 55 | }, 56 | { 57 | "_id": "ver-pass-user", 58 | "_type": "visualization", 59 | "_source": { 60 | "title": "ver-pass-user", 61 | "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 62 | "uiStateJSON": "{}", 63 | "description": "", 64 | "version": 1, 65 | "kibanaSavedObjectMeta": { 66 | 
"searchSourceJSON": "{\"index\":\"pwd-dump\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 67 | } 68 | } 69 | }, 70 | { 71 | "_id": "Metric-total-uniq", 72 | "_type": "visualization", 73 | "_source": { 74 | "title": "Metric-total-uniq", 75 | "visState": "{\"title\":\"Metric-total-uniq\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Passwords\"}},{\"id\":\"2\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"password\",\"customLabel\":\"Unique Passwords\"}}],\"listeners\":{}}", 76 | "uiStateJSON": "{}", 77 | "description": "", 78 | "version": 1, 79 | "kibanaSavedObjectMeta": { 80 | "searchSourceJSON": "{\"index\":\"pwd-dump\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 81 | } 82 | } 83 | }, 84 | { 85 | "_id": "table-pass-count", 86 | "_type": "visualization", 87 | "_source": { 88 | "title": "table-pass-count", 89 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Reuse Count\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"password\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Password\"}}],\"listeners\":{}}", 90 | "uiStateJSON": "{}", 91 | "description": "", 92 | "version": 1, 93 | "kibanaSavedObjectMeta": { 94 | "searchSourceJSON": "{\"index\":\"pwd-dump\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 95 | } 96 | } 97 | }, 98 | { 99 | "_id": "pwd-user-count", 100 | "_type": "visualization", 101 | "_source": { 102 | "title": "pwd-user-count", 103 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"username\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 104 | "uiStateJSON": "{}", 105 | "description": "", 106 | "version": 1, 107 | "kibanaSavedObjectMeta": { 108 | "searchSourceJSON": "{\"index\":\"pwd-dump\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 109 | } 110 | } 111 | } 112 | ] -------------------------------------------------------------------------------- /documentation/01-basics.md: -------------------------------------------------------------------------------- 1 | # Ninja level Infrastructure Monitoring 2 | #### Defensive approach to Security Monitoring & Automation 3 | Defcon24 - Las Vegas
4 | 5 | 6 | 7 | --- 8 | 9 | ## Hello everyone :) 10 | #### Welcome to our awesome workshop! 11 | 12 | --- 13 | 14 | ## SCHEDULE 15 | 16 | Saturday, 6th August 2016
17 | 10:00 - 14:00 18 |
19 | 20 | There will be a 15 minute break at 11:45 AM 21 | 22 | --- 23 | 24 |
25 | Basic overview: 30 min
26 | Setting up the ELK stack (hands on): 75 min
27 | Backing up elasticsearch using curator (hands on): 15 min
28 | Alerting & Advanced dashboards (hands on): 30 min
29 | A note on best practices: 10 min
30 | Penetration testing findings: 10 min
31 | Ansible Playbook for the entire setup: 10 min
32 | Exercise (hands on): 30 min
33 | Q & A 34 | 35 |
36 | 37 | --- 38 | 39 | ### Pre-requisites 40 | 41 | - This workshop is intended for beginner to mid-level participants; we expect participants to be comfortable with basic Linux CLI usage 42 | - Laptop with administrative privileges (to install VirtualBox) 43 | - VirtualBox 44 | - 20GB hard disk space for virtual machines 45 | - Minimum 4 GB RAM 46 | - Enthusiasm to learn cool stuff :) 47 | 48 | --- 49 | 50 | ## Instructions 51 | 1. Please follow the commands and the overall flow as given in the slides 52 | 2. Please direct all questions/queries to me and Madhu 53 | 54 | --- 55 | 56 | ## What will you learn today? 57 | - Infrastructure monitoring by aggregating and analysing logs 58 | - Centralised logging using the ELK stack 59 | - Creating attack pattern dashboards for monitoring 60 | - Exporting and Importing dashboards for reporting and reuse 61 | - Advanced configurations of the ELK stack 62 | 63 | --- 64 | 65 | ## (Bonus) 66 | Best practices and Security Tips 67 | 68 | --- 69 | 70 | ## What we are not covering 71 | - Performance tuning and optimisation for clusters 72 | - Multi cluster configurations 73 | - Custom plugins and scripts for Logstash 74 | 75 | Note: time constraints + Internet access + resource constraints 76 | 77 | --- 78 | 79 | ## So what is Ninja Level Infrastructure Monitoring? 80 | 81 | ---- 82 | 83 | ### What is monitoring? 84 | ![](images/monitor.png) 85 | 86 | Note: observe an event and check its progress over a period of time. 87 | 88 | ---- 89 | 90 | ### What is this 'infrastructure' we keep talking about? 91 | >![](images/itinfra.png) 92 | 93 | Note: All your assets in an enterprisey environment. The routers, firewalls, web app servers, linux boxes, ldap servers, database servers etc. 94 | 95 | ---- 96 | 97 | ### What is 'Ninja level'? 98 | >Errrrr.. 
This was simply added to make this workshop title cooler :) 99 | 100 | ![](images/ninja.png) 101 | 102 | --- 103 | 104 | ## About us 105 | 106 | ---- 107 | 108 | ### Madhu Akula 109 | 110 | - Automation Ninja @Appsecco 111 | - Security & DevOps lover 112 | - Trainer & Speaker 113 | - Acknowledged by more than 200 giant companies like Google, Microsoft, Yahoo, Adobe, etc for finding security vulnerabilities 114 | - Open source contributor 115 | - Never ending learner! 116 | - Twitter: @madhuakula 117 | 118 | ---- 119 | 120 | ### Riyaz Walikar 121 | 122 | - Chief Offensive Security Officer @Appsecco 123 | - Over 9 years of industry experience in breaking infrastructure security and web applications 124 | - Security evangelist, leader for null Bangalore and OWASP chapters 125 | - Trainer/Speaker : BlackHat Asia, BlackHat USA, nullcon Goa, nullcon Delhi, c0c0n, OWASP AppSec USA 126 | - Twitter : @riyazwalikar and @wincmdfu 127 | 128 | Note: As COSO, it is interesting/important to analyze logs for attack patterns, look at real world exploits coming in and map them to give better recommendations to clients
One of the most underrated vulnerabilities out there is OWASP A5 (Security Misconfiguration) -> sanity checks and logs can help detect it. 129 | 130 | ---- 131 | 132 | ### About Appsecco 133 | Enable companies to design, specify, develop and purchase software that is secure 134 | 135 | Work with companies to test existing software they have for security issues and give them the information they need to fix any problems we find 136 | 137 | Ensure that companies can recover from security incidents they suffer and work with them to stop them from recurring 138 | 139 | --- 140 | 141 | ### Quick look at the basics of "centralised" logging 142 | 143 | ---- 144 | 145 | ## What are logs? 146 | 147 | - A log (file) is a collection of records or events 148 | - Logs used to be an (often indecipherable) line of text intended for offline human analysis of what went wrong 149 | - Logs are a critical part of any system, giving you an insight into the working of that system 150 | 151 | ---- 152 | 153 | ## Why is it boring to work with logs? 154 | - Can be pretty large 155 | - Correlation can be painful 156 | - Others? 157 | 158 | ---- 159 | 160 | ## What is centralised logging? 161 | 162 | - Managing logs and accessing them can get complicated with multiple hosts 163 | - Searching for a particular error across hundreds of log files on hundreds of servers is difficult without good tools 164 | - A common approach to this problem is to set up a centralised logging solution so that multiple logs can be aggregated in a central location 165 | 166 | 167 | ---- 168 | 169 | ### How is it different from traditional logging? 170 | - Logs are collected at a central server 171 | - Parsing becomes simpler since data is accessible at a single location 172 | - A common issue across multiple hosts/services can be identified by correlating specific time frames 173 | 174 | ---- 175 | 176 | ### What are the problems of traditional logging? 
177 | 178 | ---- 179 | 180 | #### No Consistency 181 | (it’s difficult to be jack-of-all trades) 182 | 183 | - Difficulty in logging for each application, system, device 184 | - Interpreting various type of logs 185 | - Variation in format makes it challenging to search 186 | - Many types of time formats 187 | 188 | ---- 189 | 190 | #### No Centralisation 191 | (simply put, log data is everywhere) 192 | 193 | - Logs in many locations on various servers 194 | - SSH + GREP don’t scale 195 | 196 | ---- 197 | 198 | #### Accessibility of Log Data 199 | (much of the data is difficult to locate and manage) 200 | 201 | - Access is often difficult 202 | - High expertise to mine data 203 | - Logs can be difficult to find 204 | - Immense size of Log Data 205 | 206 | 207 | --- 208 | 209 | ## The ELK stack 210 | 211 | ---- 212 | 213 | ### Elasticsearch, Logstash and Kibana 214 | Different open source modules working together 215 | 216 | ---- 217 | 218 | - Helps users/admins to collect, analyse and visualise data in (near) real-time 219 | - Each module fits based on your use case and environment 220 | 221 | ---- 222 | 223 | ### Components of the stack 224 | 225 | - Elasticsearch 226 | - Logstash 227 | - Kibana 228 | - (Beats) 229 | 230 | --- 231 | 232 | ##![](images/elasticsearch_def.png) 233 | Ref: https://www.elastic.co/products 234 | 235 | ---- 236 | 237 | ## Elasticsearch 238 | - Distributed and Highly available search engine, written in Java and uses Groovy 239 | - Built on top of Lucene 240 | - Multi Tenant with Multi types and a set of APIs 241 | - Document Oriented providing (near) real time search 242 | 243 | --- 244 | 245 | ## ![](images/logstash_def.png) 246 | Ref: https://www.elastic.co/products 247 | 248 | ---- 249 | 250 | ## Logstash 251 | - Tool for managing events and logs written in Ruby 252 | - Centralised data processing of all types of logs 253 | - Consists of 3 main components 254 | + Input : Passing logs to process them into machine understandable format 
255 | + Filter : Set of conditions to perform specific action on a event 256 | + Output : Decision maker for processed events/logs 257 | 258 | --- 259 | 260 | ## ![](images/kibana_def.png) 261 | Ref: https://www.elastic.co/products 262 | 263 | ---- 264 | 265 | ### Kibana 266 | - Powerful front-end dashboard written in JavaScript 267 | - Browser based analytics and search dashboard for Elasticsearch 268 | - Flexible analytics & visualisation platform 269 | - Provides data in the form of charts, graphs, counts, maps, etc. in real-time 270 | 271 | --- 272 | 273 | ## ![](images/beats_def.png) 274 | Ref: https://www.elastic.co/products 275 | 276 | ---- 277 | 278 | ### Beats 279 | - Lightweight shippers for Elasticsearch & Logstash 280 | - Capture all sorts of operational data like logs or network packet data 281 | - It can send logs to either elasticsearch, logstash 282 | 283 | ---- 284 | 285 | - Different kind of beats 286 | + Libbeat : The Go framework for creating new Beats 287 | + Packetbeat : Tap into your wire data 288 | + Filebeat : Lightweight log forwarder to Logstash & Elasticsearch 289 | + Winlogbeat : Sends windows event logs 290 | 291 | ---- 292 | 293 | #### Filebeat 294 | - Lightweight Shipper for Log Data 295 | - Filebeat is an opensource file harvester 296 | - Used to fetch logs files and feed them into logstash 297 | - It has replaced logstash-forwarder 298 | 299 | --- 300 | 301 | ## ELK overview 302 | >![](images/elk_overall.png) 303 | Ref: https://www.elastic.co/products 304 | 305 | --- 306 | 307 | ## A quick history lesson 308 | 309 | ---- 310 | 311 | ### About Elastic 312 | 313 | - `Shay Banon` created Compass in 2004, third version of Compass is the first version of Elasticsearch, released in Feb 2010 314 | - Elasticsearch was founded in 2012, Rashid (Kibana) joined Jan 2013 and Jordan (Logstash) joined in Aug 2013. 
(elastic.co) 315 | - Combined stack is now called `Elastic Stack` and `X-Pack` 316 | 317 | --- 318 | 319 | ## Terms we should be aware of in context to ELK 320 | 321 | ---- 322 | 323 | ### Node 324 | 325 | > A node is a running instance of elasticsearch which belongs to a cluster. 326 | 327 | ---- 328 | 329 | ### Cluster 330 | 331 | > Cluster is a collection of one or more nodes that together holds your entire data and provides indexing and search capabilities across all nodes. 332 | 333 |
334 | > Nodes must have the same cluster.name to belong to the same cluster. 335 | 336 | ---- 337 | 338 | ### Document 339 | 340 | > A document is a basic unit of information that can be stored and searched. 341 | 342 |
343 | 344 | >It refers to the top-level, or root object that is serialised into JSON and stored in Elasticsearch under a unique ID. 345 | 346 | ---- 347 | 348 | ### Index 349 | 350 | > An index is a collection of documents that have somewhat similar characteristics. It has mappings which define multiple types. 351 | 352 | ---- 353 | 354 | ### Type 355 | 356 | > Within an index, you can define one or more types. A type is a logical category/partition of your index whose semantics are completely up to you. 357 | 358 | ---- 359 | 360 | ### Shard 361 | 362 | > Elasticsearch provides the ability to subdivide an index into multiple pieces called shards since an index can store a large amount of data that can exceed the hardware limits of a single node. 363 | 364 |
365 | > Each shard is in itself a fully-functional and independent "index" that can be hosted on any node in the cluster. 366 | 367 | Note: For eg, a single index of a billion docs taking up 1TB of disk space may not fit on the disk of a single node or may be too slow to serve search requests from a single node alone. 368 | 369 | When you create an index, you can simply define the number of shards that you want. 370 | 371 | ---- 372 | 373 | ### Replica 374 | 375 | >Elasticsearch allows you to make one or more copies of your index’s shards into what are called replica shards, or replicas for short. 376 | 377 | Note: For this reason, it is important to note that a replica shard is never allocated on the same node as the original/primary shard that it was copied from 378 | It provides high availability in case a shard/node fails. Also to scale out your search volume/throughput since searches can be executed on all replicas in parallel 379 | 380 | --- 381 | 382 | ### Snapshot and Restore 383 | 384 | > A copy of the current state and data in a cluster that is saved to a shared repository. 385 | 386 | > Elasticsearch provides a snapshot API to achieve this. 387 | 388 | 389 | ---- 390 | 391 | ### Routing 392 | 393 | > A mechanism in Elasticsearch that identifies which shard a particular document resides in. 394 | 395 | ---- 396 | 397 | ### Near real time 398 | 399 | > Elasticsearch is a near real time search platform. 400 | 401 |
402 | 403 | > What this means is there is a slight latency (normally one second) from the time you index a document until the time it becomes searchable. 404 | 405 | --- 406 | 407 | ### [Setting up the ELK Stack](02-setup.md) -------------------------------------------------------------------------------- /documentation/02-setup.md: -------------------------------------------------------------------------------- 1 | ## Setting up the ELK Stack 2 | ![ELK Basic Setup](images/ELK_basic_setup.png) 3 | 4 | [90 minutes] 5 | 6 | --- 7 | 8 | ### Overall architecture diagram 9 | ![](images/ourstructure.png) 10 | 11 | --- 12 | 13 | ### The Virtual Machine 14 | 15 | ---- 16 | 17 | Import the provided `infra-mon-elk.ova` file into Virtual Box 18 | 19 | ![](images/setup/vbox_import_ova.png) 20 | 21 | ---- 22 | 23 | Change the location of the disk (if you want) 24 | ![](images/setup/vbox_import_ova_change_disk_location.png) 25 | 26 | ---- 27 | 28 | Boot the VM 29 | ``` 30 | user: ninja 31 | password: ninja 32 | ``` 33 | 34 | ---- 35 | 36 | Check your IP address 37 | 38 | ``` 39 | ifconfig 40 | ``` 41 | 42 | ---- 43 | 44 | Check connectivity to the VM **from** your local computer 45 | 46 | ``` 47 | ping 48 | ``` 49 | 50 | ---- 51 | 52 | Add a host entry in your **host machine** 53 | 54 | (use sudo/administrator) 55 | 56 | ``` 57 | 192.168.56.101 elkhost.defcon 58 | ``` 59 | 60 | ``` 61 | notepad %windir%\System32\drivers\etc\hosts 62 | ``` 63 | 64 | ``` 65 | echo "192.168.56.101 elkhost.defcon" | sudo tee --append /etc/hosts 66 | ``` 67 | 68 | ---- 69 | 70 | 71 | ### Installing Java 72 | 73 | - Elasticsearch & Logstash requires Java to run 74 | - The virtual machine already has JAVA installed 75 | 76 | ---- 77 | 78 | ### Installing Java 79 | - The commands below will add the repository and install Java (in case you want to try this out) 80 | 81 | ``` 82 | sudo add-apt-repository -y ppa:webupd8team/java 83 | sudo apt-get update -y 84 | sudo apt-get -y install 
oracle-java8-installer 85 | ``` 86 | 87 | - Check the JAVA installation version by running the command below 88 | 89 | ``` 90 | java -version 91 | ``` 92 | 93 | --- 94 | 95 | ## Setting up Elasticsearch 96 | (let's get our hands dirty!) 97 | 98 | ---- 99 | 100 |
**PS:** We have provided installer files in the VM `/home/ninja/pkgs` directory 101 |
102 |
103 | **PPS:** We weren't sure of the Internet connectivity here when creating the VM 104 |
105 | 106 | ---- 107 | 108 | ### Installing Elasticsearch 109 | (hands on) 110 | 111 | - Install Elasticsearch by running the command below: 112 | 113 | ``` 114 | sudo dpkg -i /home/ninja/pkgs/elasticsearch.deb 115 | ``` 116 | 117 | Note: since the deb file has already been downloaded. The usual route would be to add the Elasticsearch gpg key, add the Elasticsearch repo to the sources and then the standard apt-update and apt-get install. 118 | 119 | ---- 120 | 121 | - Start Elasticsearch service by running: 122 | 123 | ``` 124 | sudo service elasticsearch start 125 | ``` 126 | 127 | ---- 128 | 129 | - Check whether Elasticsearch is running or not: 130 | 131 | ``` 132 | curl -XGET 'http://localhost:9200' 133 | ``` 134 | 135 | 136 | --- 137 | 138 | ### Elasticsearch configuration 139 | (hands on) 140 | 141 | ---- 142 | 143 | - Some basic configurations to start with: 144 | 145 | ``` 146 | sudo vi /etc/elasticsearch/elasticsearch.yml 147 | ``` 148 | 149 | ---- 150 | 151 | Uncomment the following lines, make the changes as shown below and save the file: 152 | 153 | ---- 154 | 155 |
Cluster name should be unique:
156 | 157 | ``` 158 | cluster.name: elk-defcon 159 | ``` 160 | 161 |
The node name identifies this node within the cluster:
162 | ``` 163 | node.name: node-1 164 | ``` 165 | 166 |
To avoid memory swapping for Elasticsearch:
167 | ``` 168 | bootstrap.mlockall: true 169 | ``` 170 | 171 |
Network access (which interfaces the HTTP API listens on):
172 | ``` 173 | network.host: 0.0.0.0 174 | ``` 175 | 176 | 177 | Note: Cluster name used to connect across nodes.
178 | Node names are mostly hostnames.
179 | To avoid swapping for elasticsearch.
180 | Protect access: `0.0.0.0` binds the HTTP API on every interface, and Elasticsearch has no authentication by default, so this must be restricted (later in this module we put it behind nginx basic auth and rebind it to localhost).
181 | 182 | ---- 183 | 184 |
Restart the Elasticsearch service:
185 | 186 | ``` 187 | sudo service elasticsearch restart 188 | ``` 189 | 190 | ---- 191 | 192 |
Check the Elasticsearch cluster status
193 | 194 | ``` 195 | curl -XGET 'http://localhost:9200/_cluster/health?pretty' 196 | 197 | curl -XGET 'http://localhost:9200/_cluster/state?pretty' 198 | ``` 199 | 200 |
201 |
202 | - `green` - All primary and replica shards are active. 203 | - `yellow` - All primary shards are active, but not all replica shards are active. 204 | - `red` - Not all primary shards are active. 205 |
206 | 207 | --- 208 | 209 | ### Setting up another node 210 | (hands on) 211 | 212 | ####PS: Open another SSH session 213 | 214 | ---- 215 | 216 |
To add another node, we extract the Elasticsearch tarball:
217 | 218 | ``` 219 | tar -xvf /home/ninja/pkgs/elasticsearch-2.3.4.tar.gz -C /home/ninja/pkgs/ 220 | 221 | cd /home/ninja/pkgs/elasticsearch-2.3.4 222 | ``` 223 | 224 |
And edit the config as we did for the previous node:
225 | 226 | ``` 227 | vi config/elasticsearch.yml 228 | ``` 229 | 230 | ---- 231 | 232 |
Add a node name, while keeping the cluster name constant across both the nodes:
233 | ``` 234 | cluster.name: elk-defcon 235 | node.name: node-2 236 | bootstrap.mlockall: true 237 | network.host: 0.0.0.0 238 | ``` 239 | 240 | ---- 241 | 242 |
Start the second node by running the following command:
243 | 244 | ``` 245 | ./bin/elasticsearch 246 | ``` 247 | 248 | Note: We use the same VM to install another node on the side 249 | 250 | ---- 251 | 252 |
Recheck the Elasticsearch cluster status now:
253 | 254 | ``` 255 | curl -XGET 'http://localhost:9200/_cluster/health?pretty' 256 | 257 | curl -XGET 'http://localhost:9200/_cluster/state?pretty' 258 | ``` 259 | 260 | --- 261 | 262 | 263 | ## So What happens in a multi node cluster? 264 | 265 | ---- 266 | 267 | ### Clustering 268 | 269 | > Elasticsearch is built to be always available, and to scale. Scale can come from buying bigger servers (vertical scale, or scaling up) or from buying more servers (horizontal scale, or scaling out). 270 | 271 | Note: We need to start by understanding the word 'Clustering' in context with Elasticsearch 272 | 273 | ---- 274 | 275 | ### An Empty Cluster 276 | 277 | Our cluster with a single node, with no data and no indices: 278 | 279 | ![A cluster with one empty node](images/es-c-1.png) 280 | 281 | - A node is a running instance of Elasticsearch 282 | - A Cluster consists of one or more nodes with the same cluster.name 283 | 284 | Note:By default Elasticsearch will have 5 primary shards and 1 replica shard with cluster name `elasticsearch` and node name as a random Marvel character. 285 | 286 | ---- 287 | 288 | ### Adding index 289 | 290 | - In an empty one-node cluster, we will assign three primary shards and one replica 291 | - There is one replica for all the primary shards 292 | 293 | ![A single-node cluster with an index](images/es-c-2.png) 294 | 295 | Note: Because there is no separate node, the replica shard becomes unassigned. Which is why it is not denoted in this image. 
296 | 297 | ---- 298 | 299 | ### Add Failover 300 | 301 | - Running a single node means that you have a single point of failure - there is no redundancy 302 | - We can simply start another node to prevent data loss 303 | 304 | ![A two-node cluster—all primary and replica shards are allocated](images/es-c-3.png) 305 | 306 | ---- 307 | 308 | ### Scale Horizontally 309 | 310 | - One shard each from Node 1 and Node 2 have moved to the new Node 3 311 | 312 | ![A three-node cluster—shards have been reallocated to spread the load](images/es-c-4.png) 313 | Note: This means that the hardware resources (CPU, RAM, I/O) of each node are being shared among fewer shards, allowing each shard to perform better 314 | 315 | ---- 316 | 317 | ### Scale more 318 | 319 | Three primaries and six replicas. This means that we can scale out to a total of nine nodes, again with one shard per node 320 | 321 | ![Increasing the number_of_replicas to 2](images/es-c-5.png) 322 | 323 | Note: This would allow us to triple search performance compared to our original three-node cluster 324 | 325 | ---- 326 | 327 | ### Failover Test 328 | 329 | - A cluster must have a master node in order to function correctly 330 | - When a master node dies, the nodes elect a new master 331 | 332 | ![Cluster after killing one node](images/es-c-6.png) 333 | 334 | --- 335 | 336 | ### Installing Elasticsearch plugins 337 | (hands on) 338 |
339 |
340 | We downloaded the plugins as well: `/home/ninja/plugins/` 341 | 342 | ---- 343 | 344 |
To check the list of installed plugins
345 | 346 | ``` 347 | sudo /usr/share/elasticsearch/bin/plugin list 348 | ``` 349 | 350 |
To install the head plugin from a local file:
351 | 352 | ``` 353 | sudo /usr/share/elasticsearch/bin/plugin install file:/home/ninja/plugins/head.zip 354 | ``` 355 | 356 |
To install the hq plugin from a local file:
357 | 358 | ``` 359 | sudo /usr/share/elasticsearch/bin/plugin install file:/home/ninja/plugins/hq.zip 360 | ``` 361 | 362 | ---- 363 | 364 |
To download and install directly from the Internet repo:
365 | 366 | ``` 367 | sudo /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head 368 | ``` 369 | 370 | --- 371 | 372 | ### Elasticsearch plugins overview 373 | 374 | ---- 375 | 376 | ![](images/elasticsearch-head-plugin.png) 377 | 378 | ---- 379 | 380 | ![](images/elasticsearch-hq-plugin.png) 381 | 382 | Note: We can talk this out with examples. 383 | 384 | --- 385 | 386 | ### Restful APIs over `HTTP` (CURL) 387 | 388 | ``` 389 | curl -X ':///?' -d '' 390 | ``` 391 |
392 | Note: 393 |
394 | `VERB` - The appropriate HTTP method or verb: GET, POST, PUT, HEAD, or DELETE.
395 | `SCHEMA` - Either http or https (if you have an https proxy in front of Elasticsearch.)
396 | `HOST` - The hostname of any node in your Elasticsearch cluster, or localhost for a node on your local machine.
397 | `PORT` - The port running the Elasticsearch HTTP service, which defaults to 9200.
398 | `QUERY_STRING` - Any optional query-string parameters (for example ?pretty will pretty-print the JSON response to make it easier to read.)
399 | `BODY` - A JSON encoded request body (if the request needs one.)
400 | 401 |
402 | 403 | --- 404 | 405 | ### What is CRUD? 406 | 407 | C - Create 408 | R - Retrieve 409 | U - Update 410 | D - Delete 411 | 412 | --- 413 | 414 | ### CRUD operations over Elasticsearch 415 | (hands on) 416 | 417 | ---- 418 | 419 |
Simple Index Creation with XPUT:
420 | 421 | ``` 422 | curl -XPUT 'http://localhost:9200/defcon/' 423 | ``` 424 | 425 |
Add data to your created index:
426 | 427 | ``` 428 | curl -XPUT 'http://localhost:9200/defcon/workshop/1' -d '{"user":"ninja"}' 429 | ``` 430 | 431 |
To check the Index status:
432 | 433 | ``` 434 | curl -XGET 'http://localhost:9200/defcon/?pretty' 435 | ``` 436 | 437 | ---- 438 | 439 |
Document creation with an auto-generated ID using XPOST:
440 | 441 | ``` 442 | curl -XPOST 'http://localhost:9200/defcon/workshop/' -d '{"user":"ninja"}' 443 | ``` 444 | 445 |
Creating a user profile doc:
446 | 447 | ``` 448 | curl -XPUT 'http://localhost:9200/defcon/workshop/9' -d '{"user":"admin", "role":"tester", "job":"engineer"}' 449 | ``` 450 | 451 |
Update the document:
452 | 453 | ``` 454 | curl -XPOST 'http://localhost:9200/defcon/workshop/9' -d '{"user":"administrator", "role":"tester", "job":"engineer"}' 455 | ``` 456 | 457 | ---- 458 | 459 |
Searching for documents in an index. First, create 2 docs:
460 | 461 | ``` 462 | curl -XPOST 'http://localhost:9200/defcon/workshop/' -d '{"user":"abcd", "role":"tester", "job":"engineer"}' 463 | ``` 464 | 465 | ``` 466 | curl -XPOST 'http://localhost:9200/defcon/workshop/' -d '{"user":"abcd", "role":"admin", "job":"engineer"}' 467 | ``` 468 | 469 |
Then search:
470 | 471 | ``` 472 | curl -XGET 'http://localhost:9200/defcon/_search?q=user:abcd&pretty' 473 | ``` 474 | 475 | 476 |
Deleting a doc in an index:
477 | 478 | ``` 479 | curl -XDELETE 'http://localhost:9200/defcon/workshop/1' 480 | ``` 481 | 482 | 483 | --- 484 | 485 | ## Setting up Logstash 486 | 487 | ---- 488 | 489 | ![Logstash Overview](images/logstash.png) 490 | 491 | ---- 492 | 493 | ### Logstash components 494 | 495 | Logstash consists of 3 main components 496 | 497 | - Input: Passing logs to process them into machine understandable format 498 | - Filters: Set of conditionals to perform specific action on a event 499 | - Output: Decision maker for processed events/logs 500 | 501 | ---- 502 | 503 | ### Basic Logstash configuration 504 | 505 | ``` 506 | input { 507 | stdin {} 508 | file {} 509 | ... 510 | } 511 | 512 | filter { 513 | grok {} 514 | date {} 515 | geoip {} 516 | ... 517 | } 518 | 519 | output { 520 | elasticsearch {} 521 | email {} 522 | ... 523 | } 524 | ``` 525 | 526 | ---- 527 | 528 | #### Input 529 | 530 | > An input plugin enables a specific source of events to be read by Logstash. 531 | 532 | - File 533 | - Lumberjack 534 | - S3 535 | - Beats 536 | - Stdin 537 | - Many more. 538 | [https://www.elastic.co/guide/en/logstash/current/input-plugins.html](https://www.elastic.co/guide/en/logstash/current/input-plugins.html) 539 | 540 | ---- 541 | 542 | #### Filter 543 | 544 | > A filter plugin performs intermediary processing on an event. Filters are often applied conditionally depending on the characteristics of the event. 545 | 546 | - CSV 547 | - GeoIP 548 | - Mutate 549 | - Grok 550 | - Many More. 551 | [https://www.elastic.co/guide/en/logstash/current/filter-plugins.html](https://www.elastic.co/guide/en/logstash/current/filter-plugins.html) 552 | 553 | ---- 554 | 555 | #### Output 556 | 557 | > An output plugin sends event data to a particular destination. Outputs are the final stage in the event pipeline. 558 | 559 | - Elasticsearch 560 | - Email 561 | - Stdout 562 | - S3, file 563 | - HTTP 564 | - Many More. 
565 | [https://www.elastic.co/guide/en/logstash/current/output-plugins.html](https://www.elastic.co/guide/en/logstash/current/output-plugins.html) 566 | 567 | --- 568 | 569 | ### Installing logstash 570 | (hands on) 571 | 572 | ---- 573 | 574 | To install logstash package run the command below 575 | 576 | ``` 577 | sudo dpkg -i /home/ninja/pkgs/logstash.deb 578 | ``` 579 | 580 | ---- 581 | 582 | ### Basic logstash pipeline 583 | 584 |
A quick test to check your logstash installation:
585 | 586 | ``` 587 | sudo /opt/logstash/bin/logstash -e 'input { stdin {} } output { stdout {} }' 588 | ``` 589 | 590 | --- 591 | 592 | ### A quick primer on Grok filters 593 | 594 | ---- 595 | 596 | - The syntax for a grok pattern is `%{SYNTAX:SEMANTIC}` 597 | - `SYNTAX` is the name of the pattern that will match your text. 598 | - For example: `1337` will be matched by the `NUMBER` pattern, `192.168.123.12` will be matched by the `IP` pattern. 599 | - SEMANTIC is the identifier you give to the piece of text being matched. 600 | E.g. `1337` could be the count and `192.168.123.12` could be a `client` making a request 601 | 602 | ``` 603 | %{NUMBER:count} 604 | %{IP:client} 605 | ``` 606 | 607 | Note: Grok is based on pre created regex patterns 608 | 609 | ---- 610 | 611 | ### Example grok 612 | 613 |
For the following log event:
614 | 615 | ``` 616 | 55.3.244.1 GET /index.html 15824 0.043 617 | ``` 618 | 619 |
This is the matching grok pattern:
620 | 621 | ``` 622 | %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} 623 | ``` 624 | 625 | 626 | ---- 627 | 628 | #### Consider the following Apache Log Event 629 | 630 |
123.249.19.22 - - [01/Feb/2015:14:12:13 +0000] "GET /manager/html HTTP/1.1" 404 448 "-" "Mozilla/3.0 (compatible; Indy Library)"
631 | 632 | 633 | ---- 634 | 635 | Using a regular expression!! 636 | 637 | ![Apache RegEx](images/apacheregex.png) 638 | 639 | ---- 640 | 641 | Using Grok filter patterns :) 642 | 643 | ``` 644 | %{IPV4} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?)" %{NUMBER:response} (?:%{NUMBER:bytes}|-) 645 | ``` 646 | 647 | ---- 648 | 649 | Things can get even more simpler using an *inbuilt* grok :) :) 650 | 651 | ``` 652 | %{COMBINEDAPACHELOG} 653 | ``` 654 | 655 | ---- 656 | 657 | ### Available Logstash Grok Patterns 658 | - [https://grokdebug.herokuapp.com/patterns](https://grokdebug.herokuapp.com/patterns) 659 | - [http://grokconstructor.appspot.com/](http://grokconstructor.appspot.com/) 660 | - [https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns](https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns) 661 | - [https://github.com/clay584/logstash_configs](https://github.com/clay584/logstash_configs) 662 | 663 | --- 664 | 665 | ### Apache log sample with elasticsearch 666 | (hands on) 667 | 668 | ---- 669 | 670 | Let's parse some Apache logs in elasticsearch using logstash 671 | 672 | ---- 673 | 674 | Create a logstash config file using the following command: 675 | 676 | ``` 677 | sudo vi /etc/logstash/conf.d/apache.conf 678 | ``` 679 | 680 | ---- 681 | 682 | ``` 683 | input { 684 | file { 685 | path => "/home/ninja/log-samples/access.log" 686 | start_position => beginning 687 | ignore_older => 0 688 | } 689 | } 690 | filter { 691 | grok { 692 | match => { "message" => "%{COMBINEDAPACHELOG}"} 693 | } 694 | geoip { 695 | source => "clientip" 696 | } 697 | } 698 | output { 699 | elasticsearch { 700 | hosts => ["localhost:9200"] 701 | index => "apache-logs" 702 | } 703 | #stdout {} 704 | } 705 | ``` 706 | 707 | ---- 708 | 709 | Then provide the config to logstash to start the pipeline 710 | 711 | ``` 712 | sudo 
/opt/logstash/bin/logstash -f /etc/logstash/conf.d/apache.conf 713 | ``` 714 | 715 | ---- 716 | 717 | Then check the elasticsearch head plugin 718 | 719 | ``` 720 | http://elkhost.defcon:9200/_plugin/head 721 | ``` 722 | 723 | --- 724 | 725 | ## Setting up Kibana 726 | 727 | --- 728 | 729 | > Kibana is an open source analytics and visualization platform designed to work with Elasticsearch. You use Kibana to search, view, and interact with data stored in Elasticsearch indices 730 | 731 | --- 732 | 733 | ### Installing Kibana 734 | (hands on) 735 | 736 | ---- 737 | 738 |
To install the Kibana package, run the command below:
739 | 740 | ``` 741 | sudo dpkg -i /home/ninja/pkgs/kibana.deb 742 | ``` 743 | 744 | ---- 745 | 746 | ### Basic Kibana configuration 747 | 748 | Just for reference, Here is the kibana config file: 749 | 750 | ``` 751 | sudo vi /opt/kibana/config/kibana.yml 752 | ``` 753 | 754 | Note: Kibana works out of the box support with Elasticsearch 755 | 756 | ---- 757 | 758 |
Uncomment and change the server address so the Kibana dashboard is reachable from your host machine (this binds on all interfaces; we restrict it again once nginx is in front):
759 | 760 | ``` 761 | server.host: "0.0.0.0" 762 | ``` 763 | 764 |
Then start the kibana service by running
765 | 766 | ``` 767 | sudo service kibana start 768 | ``` 769 | 770 | ---- 771 | 772 | Kibana Dashboard 773 | ``` 774 | http://elkhost.defcon:5601/ 775 | ``` 776 | 777 | --- 778 | 779 | ### Understanding the Kibana UI 780 | 781 | **Index Selection** 782 | 783 | ![](images/k-1.png) 784 | 785 | ---- 786 | 787 | **Adding multiple indices** 788 | 789 | ![](images/k-2.png) 790 | 791 | ---- 792 | 793 | **Discovery** 794 | 795 | ![](images/k-3.png) 796 | 797 | ---- 798 | 799 | **Mapped log in JSON format** 800 | 801 | ![](images/k-4.png) 802 | 803 | ---- 804 | 805 | **Visualize** 806 | 807 | ![](images/k-5.png) 808 | 809 | ---- 810 | 811 | **Selecting the search source** 812 | 813 | ![](images/k-6.png) 814 | 815 | ---- 816 | 817 | **Creating a pie chart** 818 | 819 | ![](images/k-7.png) 820 | 821 | ---- 822 | 823 | **Discover** 824 | 825 | ![](images/k-9.png) 826 | 827 | ---- 828 | 829 | **Status** 830 | 831 | ![](images/k-10.png) 832 | 833 | ---- 834 | 835 | **Import/Export** 836 | 837 | ![](images/k-11.png) 838 | 839 | --- 840 | 841 | Throughout our exercises, did you notice anything missing? 842 | 843 | --- 844 | 845 | ### Securing Elasticsearch & Kibana 846 | 847 | - By default elasticsearch and kibana doesn't have security 848 | - We are setting up basic authentication using `htpasswd` and `nginx` reverse proxy 849 | - The commercial product called `shield` is available from company. 850 | - `Search Guard` is an alternative open source project for `shield`. 851 | 852 | --- 853 | 854 | ### Basic Authentication setup for Elasticsearch & Kibana 855 | (hands on) 856 | 857 | ---- 858 | 859 | Installing `nginx` and `apache2-utils`. 860 | 861 | (It's already installed in the virtual machine) 862 | 863 | ``` 864 | sudo apt-get install nginx apache2-utils -y 865 | ``` 866 | 867 | ---- 868 | 869 | To create basic authentication user and password. 
870 | 871 | ``` 872 | sudo htpasswd -c /etc/nginx/htpasswd.users elkadmin 873 | ``` 874 | 875 | 876 | ``` 877 | Password : D3fc0nN!nj@ 878 | Confirm Password : D3fc0nN!nj@ 879 | ``` 880 | 881 | Note:`elkadmin` is the username and password is `D3fc0nN!nj@` 882 | 883 | ---- 884 | 885 |
Then edit the nginx site configuration (note that the proxy below listens on plain HTTP, so the basic-auth credentials are sent unencrypted over the network) using:
886 | 887 | ``` 888 | sudo vi /etc/nginx/sites-available/default 889 | ``` 890 | 891 | ---- 892 | 893 | ``` 894 | server { 895 | listen 80; #for Kibana 896 | 897 | server_name localhost; 898 | 899 | auth_basic "Restricted Access"; 900 | auth_basic_user_file /etc/nginx/htpasswd.users; 901 | 902 | location / { 903 | proxy_pass http://localhost:5601; 904 | proxy_http_version 1.1; 905 | proxy_set_header Upgrade $http_upgrade; 906 | proxy_set_header Connection 'upgrade'; 907 | proxy_set_header Host $host; 908 | proxy_cache_bypass $http_upgrade; 909 | } 910 | } 911 | 912 | server { 913 | listen 8080; #for Elasticsearch 914 | 915 | server_name localhost; 916 | 917 | auth_basic "Restricted Access"; 918 | auth_basic_user_file /etc/nginx/htpasswd.users; 919 | 920 | location / { 921 | proxy_pass http://localhost:9200; 922 | proxy_http_version 1.1; 923 | proxy_set_header Upgrade $http_upgrade; 924 | proxy_set_header Connection 'upgrade'; 925 | proxy_set_header Host $host; 926 | proxy_cache_bypass $http_upgrade; 927 | } 928 | } 929 | ``` 930 | 931 | ---- 932 | 933 |
Restart the nginx service:
934 | 935 | ``` 936 | sudo service nginx restart 937 | ``` 938 | 939 | ---- 940 | 941 |
Open the `elasticsearch.yml` and add a host restriction:
942 | 943 | ``` 944 | sudo vi /etc/elasticsearch/elasticsearch.yml 945 | ``` 946 | 947 |
Restrict Elasticsearch to localhost, so it is reachable only through the authenticated nginx proxy on port 8080:
948 | 949 | ``` 950 | network.host: localhost 951 | ``` 952 | 953 |
Then restart the service:
954 | 955 | ``` 956 | sudo service elasticsearch restart 957 | ``` 958 | 959 | ---- 960 | 961 |
Now restrict Kibana to localhost as well (authentication stays in nginx; Kibana itself only gets a new bind address):
962 | 963 | ``` 964 | sudo vi /opt/kibana/config/kibana.yml 965 | ``` 966 | 967 |
Modify the following entry:
968 | 969 | ``` 970 | server.host: "localhost" 971 | ``` 972 | 973 |
Then restart the kibana service:
974 | 975 | ``` 976 | sudo service kibana restart 977 | ``` 978 | 979 | ---- 980 | 981 |
Test the changes by navigating to the nginx endpoints for Kibana (port 80) and Elasticsearch (port 8080); both should now prompt for the basic-auth credentials:
982 | 983 | ``` 984 | http://elkhost.defcon:80 985 | ``` 986 | 987 | ``` 988 | http://elkhost.defcon:8080 989 | ``` 990 | 991 | --- 992 | 993 | ### [Backing up Elasticsearch using Curator](03-backup-es.md) 994 | 995 | -------------------------------------------------------------------------------- /documentation/03-backup-es.md: -------------------------------------------------------------------------------- 1 | # Backing up Elasticsearch using Curator 2 | [15 minutes] 3 | 4 | --- 5 | 6 | ### What is Curator ? 7 | 8 | > Elasticsearch Curator helps you curate or manage your indices. 9 | > Supports a variety of actions from delete a snapshot to shard allocation routing. 10 | 11 |
12 | 13 | > This is an additional software bundle that you install on top of Elasticsearch. 14 | 15 | --- 16 | 17 | ### Curator Installation 18 | 19 | Curator is already installed in the virtual machine 20 | 21 | ---- 22 | 23 |
To install curator with pip:
24 | 25 | ``` 26 | sudo apt-get install python-pip -y 27 | sudo pip install elasticsearch-curator 28 | ``` 29 | 30 | Note: There is an alternate method using apt-get install as well. 31 |
32 | ``` 33 | wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - 34 | ``` 35 |
36 | ``` 37 | echo "deb http://packages.elastic.co/curator/3/debian stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list 38 | ``` 39 |
40 | ``` 41 | sudo apt-get update && sudo apt-get install python-elasticsearch-curator -y 42 | ``` 43 | 44 | ---- 45 | 46 | (hands on)
47 |
Create a directory to keep all the backups
48 | 49 | ``` 50 | sudo mkdir -p /var/backups/elasticsearch/ 51 | ``` 52 | 53 | ---- 54 | 55 |
Change the ownership of the directory to the `elasticsearch` user and group:
56 | 57 | ``` 58 | sudo chown elasticsearch:elasticsearch -R /var/backups/elasticsearch/ 59 | ``` 60 | 61 | ---- 62 | 63 |
Add the backups path to the elasticsearch configuration
64 | 65 | ``` 66 | sudo vi /etc/elasticsearch/elasticsearch.yml 67 | ``` 68 | 69 | ``` 70 | path.repo: /var/backups/elasticsearch/ 71 | ``` 72 | 73 | ---- 74 | 75 |
Then restart the elasticsearch service
76 | 77 | ``` 78 | sudo service elasticsearch restart 79 | ``` 80 | 81 | ---- 82 | 83 | Stop the second Elasticsearch node that we created earlier 84 | 85 | ---- 86 | 87 |
Before we can create or restore backups, we need to register a snapshot repository in Elasticsearch
88 |
89 |
Run the command below to register a snapshot repository named `backup` (its location must be under the configured `path.repo`)
90 | 91 | ``` 92 | curl -XPUT 'http://localhost:9200/_snapshot/backup' -d '{ 93 | "type": "fs", 94 | "settings": { 95 | "location": "/var/backups/elasticsearch/", 96 | "compress": true 97 | } 98 | }' 99 | ``` 100 | 101 | ---- 102 | 103 |
To snapshot an index called `apache-logs` into a repository `backup`
104 | 105 | ``` 106 | curator snapshot --name=apache_logs_snapshot --repository backup indices --prefix apache-logs 107 | ``` 108 | 109 | ---- 110 | 111 |
To see all snapshots in the `backup` repository
112 | 113 | ``` 114 | curator show snapshots --repository backup 115 | ``` 116 | 117 | ---- 118 | 119 |
To restore that snapshot (this uses the Elasticsearch snapshot API directly rather than curator):
120 | 121 | ``` 122 | curl -XPOST 'http://localhost:9200/_snapshot/backup/apache_logs_snapshot/_restore' 123 | ``` 124 | 125 | --- 126 | 127 | ### Restore some sample logs for creating advanced dashboards 128 | (hands on) 129 | 130 | ---- 131 | 132 |
Extract the sample archive `filebeat.tar.gz` into the backups directory (the `backup` snapshot repository):
133 | 134 | ``` 135 | sudo tar -xvf /home/ninja/log-samples/filebeat.tar.gz -C /var/backups/elasticsearch/ 136 | ``` 137 | 138 | ---- 139 | 140 |
Check the snapshot name
141 | 142 | ``` 143 | curator show snapshots --repository backup 144 | ``` 145 | 146 | ---- 147 | 148 |
Then restore the logs into Elasticsearch via the snapshot API (the snapshot name comes from the previous step):
149 | 150 | ``` 151 | curl -XPOST 'http://localhost:9200/_snapshot/backup/filebeat_logs_snapshot/_restore' 152 | ``` 153 | 154 | --- 155 | 156 | Check the head plugin to see the updated logs from import 157 | 158 | --- 159 | 160 | ### [Alerting and Advanced Dashboards](04-alerting-and-dashboards.md) -------------------------------------------------------------------------------- /documentation/04-alerting-and-dashboards.md: -------------------------------------------------------------------------------- 1 | # Alerting & Attack patterns dashboard 2 | [30 minutes] 3 | 4 | --- 5 | 6 | ## Alerting 7 | 8 | ---- 9 | 10 | ### What is alerting for ELK stack? 11 | 12 | > We can set up a notification system to let users/admins know that a pattern match has occurred. 13 | 14 | ---- 15 | 16 | ### How is this achieved? 17 | 18 | - Logstash output plugin alerting via (Email, Pager duty, JIRA, etc.) 19 | - Elasticsearch commercial product - Watcher 20 | - An open source alerting for elasticsearch by Yelp called `elastalert` 21 | - Custom scripts 22 | 23 | ---- 24 | 25 | ### Creating an alert for DDoS attack on SSH Logs 26 | (hands on) 27 | 28 | ---- 29 | 30 |
Create a new Logstash pipeline configuration file with the editor command below. The file keeps the workshop's `ddos` name, but what the `throttle` filter in it actually detects is an SSH password-guessing burst: more than five matching login events from the same source IP within a five-second window
31 | 32 | ``` 33 | sudo vi /etc/logstash/conf.d/ddos.conf 34 | ``` 35 | 36 | ---- 37 | 38 | ``` 39 | input { 40 | file { 41 | path => '/home/ninja/log-samples/ddos.log' 42 | start_position => "beginning" 43 | ignore_older => 0 44 | } 45 | } 46 | 47 | filter { 48 | 49 | 50 | grok { 51 | add_tag => [ "valid" ] 52 | 53 | match => [ 54 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}", 55 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}", 56 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}", 57 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}" 58 | ] 59 | } 60 | 61 | 62 | mutate { 63 | remove_tag => [ "valid" ] 64 | lowercase => [ "login" ] 65 | } 66 | 67 | 68 | date { 69 | match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ] 70 | timezone => "Europe/Helsinki" 71 | } 72 | 73 | geoip { 74 | source => "ip" 75 | } 76 | 77 | throttle { 78 | before_count => 0 79 | after_count => 5 80 | period => 5 81 | key => "%{ip}" 82 | add_tag => "throttled" 83 | } 84 | } 85 | 86 | output { 87 | if "throttled" in [tags] { 88 | email { 89 | subject => "DDoS attack on %{host}" 90 | to => "root" 91 | via => "sendmail" 92 | body => "Alert on %{host} from %{ip} :\n\n%{message}" 93 | #options => { "location" => "/usr/sbin/sendmail" } 94 | 95 | } 96 | } 97 | elasticsearch { 98 | hosts => ["localhost:9200"] 99 | index => "DDoS" 100 | } 101 | } 102 | ``` 103 | 104 | ---- 
105 | 106 |
Run Logstash in the foreground against the new config file (stop it with Ctrl-C). Two things to check first: Elasticsearch index names must be lowercase, so the `index => "DDoS"` output in the config above needs to be `index => "ddos"` or the bulk writes will be rejected; and the `date` filter's `timezone` must match the zone the sample log was written in, otherwise the throttle window and the Kibana timeline are offset. The alert e-mail embeds the raw log line (`%{message}`), so treat its contents as attacker-controlled text when reading it
107 | 108 | ``` 109 | sudo /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ddos.conf 110 | ``` 111 | 112 | ---- 113 | 114 | - Check the mailbox of `root` user 115 | 116 | ``` 117 | sudo -i 118 | 119 | mail 120 | ``` 121 | 122 | ---- 123 | 124 | ### Other options 125 | Elastalert (https://elastalert.readthedocs.io/en/latest/) 126 |
127 |
128 | `Watcher` is another commercial product for alerting on top of Elasticsearch 129 | 130 | --- 131 | 132 | ## Dashboards for Attack Patterns 133 | (hands on) 134 | 135 | Note: We have already imported the sample logs into Elasticsearch by restoring the snapshot (section 03).
136 | Now create some advanced dashboards for attack patterns using Kibana 137 | 138 | ---- 139 | 140 | ### Web Attack Dashboard 141 | 142 | ![Web Attack Dashboard](images/kibana-web-dashboard.png) 143 | 144 | ---- 145 | 146 | ### SSH Attack Dashboard 147 | 148 | ![SSH Attack Dashboard](images/kibana-ssh-dashboard.png) 149 | 150 | ---- 151 | 152 | ### Combined Attack Dashboard 153 | 154 | ![Attack Dashboard](images/kibana-attack-dashboard.png) 155 | 156 | --- 157 | 158 | ### Pre-created dashboards 159 | 160 | ---- 161 | 162 | #### Import the JSON which is already existing in your folder 163 | 164 | 1. Go to the kibana settings 165 | 2. Select import 166 | 3. Select the JSON file `/dashboards/all-kibana.json` 167 | 168 | --- 169 | 170 | ### [Ansible Playbook](05-ansible-playbook.md) 171 | 172 | 173 | -------------------------------------------------------------------------------- /documentation/05-ansible-playbook.md: -------------------------------------------------------------------------------- 1 | # Ansible Playbook for the entire setup 2 | [10 minutes] 3 | 4 | 5 | --- 6 | 7 | # What is Ansible? 8 | 9 | > Simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs. 10 | 11 | --- 12 | 13 | ## What is an Ansible playbook? 14 | 15 | > playbooks are Ansible's configuration, deployment, and orchestration language (written in YAML). They can describe a policy that you want your remote systems to enforce, or a set of steps in a general IT process. 16 | 17 | --- 18 | 19 | ## A playbook for our setup 20 | 21 | > We created a plug and play ansible playbook, which helps to build and reproduce the same environment within minutes by provisioning in any cloud and stack. 
22 | 23 | --- 24 | 25 | 26 | --- 27 | 28 | ### [Penetration Test findings](06-security-testing.md) 29 | -------------------------------------------------------------------------------- /documentation/06-security-testing.md: -------------------------------------------------------------------------------- 1 | # Pentesting the infrastructure 2 | (what does an attacker see?) 3 | 4 | [10 minutes] 5 | 6 | --- 7 | 8 | ## The Why? 9 | A penetration testing exercise was undertaken to check if there was a possibility of gaining unauthorized access to the setup 10 | 11 | --- 12 | 13 | ## Black Box Penetration Testing 14 | 15 | ---- 16 | 17 | ### Port scanning 18 | ![Port scan to discover services](images/pentest/nmapscan.png) 19 | 20 | ---- 21 | 22 | ### Service enumeration 23 | ![Service enumeration scan](images/pentest/serviceenum.png) 24 | 25 | ---- 26 | 27 | ### HTTP basic Auth on ports 80 and 8080 28 | ![HTTP basic Auth](images/pentest/httpAuth.png) 29 | 30 | ---- 31 | 32 | ### Attempted brute force 33 | Multiple dictionaries were tried against the HTTP Basic Auth 34 | ![Hydra HTTP Basic Brute Force](images/pentest/hydrapasscrack.png) 35 | 36 | ---- 37 | 38 | ### Attempted brute force 39 | Multiple dictionaries were tried against SSH as well 40 | ![Hydra SSH Brute Force](images/pentest/hydrasshpasscrack.png) 41 | 42 | --- 43 | 44 | ## Grey Box Penetration Testing 45 | App credentials were provided 46 | 47 | ---- 48 | 49 | ### Verbose Errors 50 | ![Verbose Kibana stack traces](images/pentest/kibana_verbose_error.png) 51 | 52 | ---- 53 | 54 | ### Credential Leakage through MiTM 55 | 56 | ![Request Response having the Basic Auth header](images/pentest/BasicAuthOverHTTP.png) 57 | 58 | ---- 59 | 60 | ![MITM decoded password](images/pentest/BasicAuthOverHTTP-2.png) 61 | 62 | ---- 63 | 64 | Drop us a note if you want the complete pentest report

65 | riyaz@appsecco.com 66 | 67 | --- 68 | 69 | ### [Exercises](08-exercise.md) -------------------------------------------------------------------------------- /documentation/07-general-best-practices-checklist.md: -------------------------------------------------------------------------------- 1 | # General Best Practice 2 | 3 | ### Elasticsearch Best Practice 4 | - set `$ES_HEAP_SIZE` env var to 1/2 of RAM (but < 32GB) 5 | - Disable memory swapping by enabling `bootstrap.mlockall` 6 | - Set user's file `ulimit` to `unlimited` (Need reboot to check) 7 | - You can check with an API call as well `/_nodes/process` 8 | - Use the default configuration and make small changes as required 9 | - Multicast is great, but when you are going to production make sure to use `Unicast` discovery mode 10 | - To eliminate the "Split-brain" problem use 3 lower resource master-eligible nodes in larger cluster environments (dedicated) 11 | - You don't need beefy machines, simple machines are ok due to the distributed nature of elasticsearch 12 | - Add lightweight client nodes (no data) 13 | - Use Snapshot and Restore. This is very useful (but different from `replication`) 14 | 15 | --- 16 | 17 | ### Logstash Best Practice 18 | 19 | - Watch out for Grok Filter data (GREEDYDATA) as they use a lot of resources especially CPU and Memory. Try to get as specific as possible 20 | - Test your configuration with `-e` `input{...}... output{...}` 21 | - Use `-b` flag to send bulk requests to elasticsearch 22 | - Use `-w` flag to utilise multiple cores. 
This is especially useful for multi core and bulk processing 23 | - Use the generator input for benchmarking (https://github.com/matejzero/logstash-benchmark) and to understand performance and optimisation metrics 24 | - If something goes wrong try `--debug` for more detailed output (don't forget to turn this off when you are done — debug output can include full event contents) 25 | 26 | --- 27 | 28 | ### Kibana Best Practice 29 | 30 | - Tune Queries in elasticsearch for maximum performance 31 | - Configure the number of threads in the pool 32 | - Save and Export dashboards as a JSON File for reuse 33 | - Deploy a proxy so that you can do basic authentication and other load balancing services 34 | - While Kibana is an exploration tool, make sure you watch out for over-eager users affecting performance 35 | 36 | --- 37 | 38 | ### Production 39 | 40 | - Access Control / Security 41 | - use nginx/apache to set up basic authentication, and serve it only over HTTPS: the pentest section shows the Basic Auth header being captured and decoded on plain HTTP 42 | - Block `POST` / `PUT` / `DELETE` at the proxy for read-only users; note that `GET` requests to `_search` can still carry a body, so restrict the exposed paths as well 43 | - Disable dynamic scripting (Version < 1.2) — on those versions anyone who could reach the search API could run arbitrary code on the node 44 | `script.disable_dynamic: true` 45 | - Disable destructive actions 46 | `action.destructive_requires_name: true` 47 | - Use aliases to give users views onto subsets of indices (an alias is a convenience, not an authorization boundary — enforce it at the proxy) 48 | 49 | --- 50 | 51 | - VM vs Metal 52 | - VM's are convenient (Auto scaling, no management, etc) 53 | - Bare metal is generally more configurable and higher in performance 54 | - Metal can utilize SSD's 55 | - Cloud VM's can suffer from `noisy neighbors` 56 | - But you should start using what you're most familiar with! 
57 | 58 | --- 59 | 60 | - Disks 61 | - Spinning disks are cheaper per GB 62 | - SSDs have better IOPS 63 | - SSDs are cheaper wrt: IOPS 64 | - SSD manufacturing tolerance can vary (vendor based) 65 | - SAN / NAS can work, if IOPS are sufficient (throughput, iops, etc) 66 | - Don't necessarily need RAID, ES handles redundancy 67 | - But striping can help with performance 68 | - You can use shards and replicas in ES 69 | 70 | --- 71 | 72 | ### Security 73 | 74 | - Harden the base server with traditional security techniques 75 | - Use SSH keys for login, and disable password authentication once keys are in place so the SSH brute force shown in the pentest section has nothing to guess 76 | - Disable root login over SSH (`PermitRootLogin no`) 77 | - Use randomly generated passwords 78 | ``` 79 | openssl rand -base64 24 80 | ``` 81 | - Enable the host firewall and allow only connections from specific IPs — in particular never expose Elasticsearch on 9200 directly, since it has no authentication of its own; reach it only through the proxy 82 | - Use SSL certificates and enable HTTPS for Elasticsearch, Logstash & Kibana (E.g.: Lets encrypt) 83 | - Use search guard for granular permissions and role based authentication for ELK (Shield is an alternative) 84 | 85 | --- 86 | 87 | ### Monitoring Services 88 | 89 | - Enable service level monitoring for Elasticsearch, Logstash and Kibana 90 | - Use monit (or) uptime robot for monitoring services (you can also use Icinga) -------------------------------------------------------------------------------- /documentation/08-exercise.md: -------------------------------------------------------------------------------- 1 | # ELK - Exercise with network logs 2 | [30 minutes] 3 | 4 | --- 5 | 6 | ## Stack Flow 7 | 8 | #### CSV firewall log(network.log) -> logstash(network.conf) -> elasticsearch -> kibana(kibana-network.json) 9 | 10 | ---- 11 | 12 | - `network.log` file is at `/home/ninja/log-samples/network.log` 13 | - `network.conf` file is at `/home/ninja/exercise/network.conf` for logstash configuration 14 | - Build your own dashboard using the log data 15 | - We created one. If you want to use it, import `/dashboards/kibana-network.json` 16 | - Happy ELK! 
17 | 18 | --- 19 | 20 | ![Network Dashboard](images/network-dashboard.png) 21 | 22 | --- 23 | 24 | Note: ELK can also be used to do other amazing things like correlate password dumps for example and give a visual statistical model of the data contained in the dump. 25 |
26 | There is a list of user names and passwords at `/home/ninja/log-samples/pwd-dump.txt`. As an additional exercise, create a dashboard from this file and build a statistical view of the data. Treat a password dump as sensitive data: index it only into an Elasticsearch instance nobody else can reach (the indices themselves are unauthenticated) and delete the index when the exercise is over. 27 | 28 | --- 29 | 30 | ### [Q & A](09-q-and-a-end.md) -------------------------------------------------------------------------------- /documentation/09-q-and-a-end.md: -------------------------------------------------------------------------------- 1 | # Q & A 2 | 3 | @madhuakula
4 | @riyazwalikar
5 | @appseccouk
6 | 7 | -------------------------------------------------------------------------------- /documentation/extras/alternative-options.md: -------------------------------------------------------------------------------- 1 | # Alternatives 2 | 3 | ### Alternatives to the components 4 | 5 | Given the large environment of available tools to standardise and correlate logs, we can often create a setup using other components that talk to each other. 6 | 7 | - [fluentd](http://www.fluentd.org/) is an alternative for logstash 8 | - [Grafana](http://grafana.org/) is an alternative for Kibana 9 | - [Druid](http://druid.io/) is a high-performance, column-oriented, distributed data store as an alternative Elasticsearch 10 | 11 | ### Full stack alternatives 12 | - [Riemann](http://riemann.io/) aggregates events from servers and applications with a powerful stream processing language. 13 | - [Graylog](https://www.graylog.org/) 14 | -------------------------------------------------------------------------------- /documentation/extras/elasticsearch-config-checklist.md: -------------------------------------------------------------------------------- 1 | # elasticsearch.yml 2 | 3 | 4 | **Elasticsearch Configuration** 5 | 6 | - By default `elasticsearch.yml` comes with out of the box support with default settings. It doesn't need to be changed too much 7 | - By default the configuration file contains all the required template items. 
Using these defaults as the starting point is the best way to build a production-level Elasticsearch 8 | 9 | 10 | **Cluster Name** 11 | 12 | - Do not forget to give your production cluster a name as this is used to discover and auto-join other nodes 13 | - Don’t reuse the same cluster names in different environments otherwise you might end up with nodes joining the wrong cluster 14 | - For instance you could use logging-dev, logging-stage and logging-prod for the development, staging, and production clusters 15 | - A cluster name is not an access control: any node that can reach the transport port and knows the name can join, so pair it with unicast discovery and network restrictions 16 | ``` 17 | cluster: 18 | name: 19 | ``` 20 | 21 | `cluster.name: elasticsearch_netmon_prod` 22 | 23 | 24 | **Node Name** 25 | 26 | - You may also want to change the default node name for each node to something like the display hostname 27 | - By default Elasticsearch will randomly pick a Marvel character name from a list of around 3000 names when your node starts up if you haven't chosen a name 28 | 29 | ``` 30 | node: 31 | name: 32 | ``` 33 | 34 | 35 | - The hostname of the machine is provided in the environment variable `HOSTNAME` 36 | - If on your machine you only run a single Elasticsearch node for that cluster you can set the node name to the hostname using the `${...}` notation 37 | 38 | ``` 39 | node: 40 | name: ${HOSTNAME} 41 | ``` 42 | 43 | `node.name: elasticnetstack-6` 44 | 45 | 46 | **Node Rack** 47 | 48 | - This is used to specify special attributes like the location of the rack where the node is located 49 | - It also appears in the JSON for Elasticsearch 50 | 51 | ``` 52 | node.rack: r1 53 | ``` 54 | 55 | 56 | **Paths** 57 | 58 | - In production use you will almost certainly want to change paths for data and log files 59 | 60 | ``` 61 | path: 62 | logs: /var/log/elasticsearch 63 | data: /var/data/elasticsearch 64 | conf: /usr/local/etc/elasticsearch 65 | ``` 66 | 67 | 68 | **Memory** 69 | 70 | - This is one of the key components of Elasticsearch 71 | - Most operating systems try to use as much memory as possible for file system caches and eagerly swap out 
unused application memory, possibly resulting in the Elasticsearch process being swapped 72 | - Swapping is very bad for performance and for node stability, so it should be avoided at all costs 73 | 74 | - Disable swap 75 | + The simplest option is to completely disable swap 76 | + Usually Elasticsearch is the only service running on a box and its memory usage is controlled by the ES_HEAP_SIZE environment variable. There should be no need to have swap enabled 77 | + On Linux systems, you can disable swap temporarily by running: `sudo swapoff -a` 78 | + To disable it permanently, you will need to edit the `/etc/fstab` file and comment out any lines that contain the word `swap` 79 | 80 | - Configure swappiness 81 | + The second option is to ensure that the sysctl value vm.swappiness is set to 0. This reduces the kernel’s tendency to swap and should not lead to swapping under normal circumstances while still allowing the whole system to swap in emergency conditions 82 | 83 | > From kernel version 3.5-rc1 and above a swappiness of 0 will cause the OOM killer to kill the process instead of allowing swapping. You will need to set swappiness to 1 to still allow swapping in emergencies 84 | 85 | - mlockall 86 | + The third option is to use `mlockall` on Linux/Unix systems preventing any Elasticsearch memory from being swapped out 87 | 88 | ``` 89 | bootstrap.mlockall: true 90 | ``` 91 | 92 | > mlockall might cause the JVM or shell session to exit if it tries to allocate more memory than is available! 
93 | 94 | Check whether the lock took effect (`mlockall` should be reported as `true`) with `curl http://localhost:9200/_nodes/process?pretty` 95 | 96 | - If it is `false`, the most probable reason on Linux/Unix systems is that the user running Elasticsearch doesn’t have permission to lock memory 97 | - This can be granted by running `ulimit -l unlimited` as root before starting Elasticsearch 98 | 99 | 100 | **Network** 101 | 102 | - Elasticsearch binds to localhost only by default 103 | - Set the bind address to a specific IP (IPv4 or IPv6) 104 | - Binding to localhost or a private interface is the simplest and most effective protection, because Elasticsearch has no authentication of its own: anything that can reach the HTTP port can read, write and delete every index 105 | - You can use an IP address, hostname or an array of any combination of these 106 | 107 | ``` 108 | network.host: 127.0.0.1 109 | ``` 110 | 111 | - You can also specify a custom port based on your use case (this hides nothing from a port scan, as the pentest section shows; rely on the bind address and firewall, not the port number) 112 | 113 | ``` 114 | http.port: 9200 115 | ``` 116 | 117 | 118 | **Discovery** 119 | 120 | - Elasticsearch is a peer to peer based system, nodes communicate with one another directly if operations are delegated / broadcast 121 | - In order to join a cluster, a node needs to know the hostname or IP address of at least some of the other nodes in the cluster 122 | - This setting provides the initial list of other nodes that this node will try to contact, it accepts IP addresses or hostnames 123 | - Defaults to `["127.0.0.1", "[::1]"]` 124 | 125 | ``` 126 | discovery.zen.ping.unicast.hosts: ["host1", "host2"] 127 | ``` 128 | 129 | - All the main APIs (index, delete, search) do not communicate with the master node 130 | - The responsibility of the master node is to maintain the global cluster state and act if nodes join or leave the cluster by reassigning shards 131 | - Each time a cluster state is changed the state is made known to the other nodes in the cluster 132 | - To prevent "split brain", set the minimum number of master-eligible nodes to the smallest possible majority: (number of master-eligible nodes / 2) + 1 133 | 134 | ``` 135 | discovery.zen.minimum_master_nodes: 3 136 | ``` 137 | 138 | - Example configuration 139 
| 140 | ``` 141 | discovery.zen.minimum_master_nodes: 5 142 | discovery.zen.ping.unicast.hosts: 10.64.14.66,10.64.3.249,10.9.248.64,100.64.15.128,10.9.240.151,10.9.212.223,10.65.9.238,10.65.3.43 143 | discovery.zen.ping.multicast.enabled: false 144 | ``` 145 | 146 | 147 | **Gateway** 148 | 149 | - The local gateway module stores the cluster state and shard data across full cluster restarts 150 | - This must be set on every data node in the cluster 151 | 152 | ``` 153 | gateway.recover_after_nodes: 3 154 | ``` 155 | 156 | > These settings only take effect on a full cluster restart 157 | 158 | 159 | **Various-Other** 160 | 161 | - Disable starting multiple nodes on a single system 162 | 163 | ``` 164 | node.max_local_storage_nodes: 1 165 | ``` 166 | 167 | - Require explicit names when deleting indexes 168 | - This prevents accidental deletion since explicit names are now required 169 | 170 | ``` 171 | action.destructive_requires_name: true 172 | ``` 173 | 174 | - To setup master and data nodes 175 | - This is helpful when you are building a cluster for production 176 | 177 | ``` 178 | node.master: true 179 | node.data: true 180 | ``` 181 | 182 | - Index related configuration changes 183 | - To predefine each index shard, by default elasticsearch creates 5 primary shards 184 | 185 | ``` 186 | index.number_of_shards: 5 187 | ``` 188 | 189 | - This setting is to define the shard replica 190 | - One of the most important configuration settings for High Availability environments 191 | - This can be used to take a backup within elasticsearch using the shard functionality 192 | 193 | ``` 194 | index.number_of_replicas: 1 195 | ``` 196 | 197 | - This is to dynamically auto update the elastic search indexes 198 | - Which helps in performance best practice 199 | 200 | ``` 201 | index.mapper.dynamic: true 202 | ``` 203 | 204 | - This is a default setting in elasticsearch which helps to create an index automatically based on the logstash output 205 | 206 | ``` 207 | 
action.auto_create_index: true 208 | ``` 209 | 210 | - This disables the ability to delete all indexes at a single time 211 | 212 | ``` 213 | action.disable_delete_all_indices: true 214 | ``` 215 | 216 | 217 | ### Example configuration samples 218 | 219 | https://gist.github.com/zsprackett/8546403 220 | 221 | https://joinup.ec.europa.eu/svn/opencities/tags/opencities-core/release-3.4.3/core-module/src/main/resources/elasticsearch.yml 222 | 223 | ### References 224 | 225 | https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html -------------------------------------------------------------------------------- /documentation/images/ELK_basic_setup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/ELK_basic_setup.png -------------------------------------------------------------------------------- /documentation/images/apacheregex.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/apacheregex.png -------------------------------------------------------------------------------- /documentation/images/appsecco.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/appsecco.png -------------------------------------------------------------------------------- /documentation/images/beats_def.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/beats_def.png 
-------------------------------------------------------------------------------- /documentation/images/elasticsearch-head-plugin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/elasticsearch-head-plugin.png -------------------------------------------------------------------------------- /documentation/images/elasticsearch-hq-plugin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/elasticsearch-hq-plugin.png -------------------------------------------------------------------------------- /documentation/images/elasticsearch_def.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/elasticsearch_def.png -------------------------------------------------------------------------------- /documentation/images/elk_overall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/elk_overall.png -------------------------------------------------------------------------------- /documentation/images/es-c-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/es-c-1.png -------------------------------------------------------------------------------- /documentation/images/es-c-2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/es-c-2.png -------------------------------------------------------------------------------- /documentation/images/es-c-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/es-c-3.png -------------------------------------------------------------------------------- /documentation/images/es-c-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/es-c-4.png -------------------------------------------------------------------------------- /documentation/images/es-c-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/es-c-5.png -------------------------------------------------------------------------------- /documentation/images/es-c-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/es-c-6.png -------------------------------------------------------------------------------- /documentation/images/itinfra.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/itinfra.png 
-------------------------------------------------------------------------------- /documentation/images/k-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-1.png -------------------------------------------------------------------------------- /documentation/images/k-10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-10.png -------------------------------------------------------------------------------- /documentation/images/k-11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-11.png -------------------------------------------------------------------------------- /documentation/images/k-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-2.png -------------------------------------------------------------------------------- /documentation/images/k-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-3.png -------------------------------------------------------------------------------- /documentation/images/k-4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-4.png -------------------------------------------------------------------------------- /documentation/images/k-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-5.png -------------------------------------------------------------------------------- /documentation/images/k-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-6.png -------------------------------------------------------------------------------- /documentation/images/k-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-7.png -------------------------------------------------------------------------------- /documentation/images/k-8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-8.png -------------------------------------------------------------------------------- /documentation/images/k-9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/k-9.png -------------------------------------------------------------------------------- /documentation/images/kibana-attack-dashboard.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/kibana-attack-dashboard.png -------------------------------------------------------------------------------- /documentation/images/kibana-ssh-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/kibana-ssh-dashboard.png -------------------------------------------------------------------------------- /documentation/images/kibana-web-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/kibana-web-dashboard.png -------------------------------------------------------------------------------- /documentation/images/kibana_def.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/kibana_def.png -------------------------------------------------------------------------------- /documentation/images/logstash.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/logstash.png -------------------------------------------------------------------------------- /documentation/images/logstash_def.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/logstash_def.png -------------------------------------------------------------------------------- /documentation/images/monitor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/monitor.png -------------------------------------------------------------------------------- /documentation/images/network-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/network-dashboard.png -------------------------------------------------------------------------------- /documentation/images/ninja.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/ninja.png -------------------------------------------------------------------------------- /documentation/images/ourstructure.pdn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/ourstructure.pdn -------------------------------------------------------------------------------- /documentation/images/ourstructure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/ourstructure.png 
-------------------------------------------------------------------------------- /documentation/images/pentest/BasicAuthOverHTTP-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/BasicAuthOverHTTP-2.png -------------------------------------------------------------------------------- /documentation/images/pentest/BasicAuthOverHTTP.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/BasicAuthOverHTTP.png -------------------------------------------------------------------------------- /documentation/images/pentest/httpAuth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/httpAuth.png -------------------------------------------------------------------------------- /documentation/images/pentest/hydrapasscrack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/hydrapasscrack.png -------------------------------------------------------------------------------- /documentation/images/pentest/hydrasshpasscrack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/hydrasshpasscrack.png -------------------------------------------------------------------------------- 
/documentation/images/pentest/kibana_verbose_error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/kibana_verbose_error.png -------------------------------------------------------------------------------- /documentation/images/pentest/nmapscan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/nmapscan.png -------------------------------------------------------------------------------- /documentation/images/pentest/serviceenum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pentest/serviceenum.png -------------------------------------------------------------------------------- /documentation/images/pwd-analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/pwd-analysis.png -------------------------------------------------------------------------------- /documentation/images/setup/hostsfile_win.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/setup/hostsfile_win.png -------------------------------------------------------------------------------- /documentation/images/setup/vbox_import_ova.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/setup/vbox_import_ova.png -------------------------------------------------------------------------------- /documentation/images/setup/vbox_import_ova_change_disk_location.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/documentation/images/setup/vbox_import_ova_change_disk_location.png -------------------------------------------------------------------------------- /documentation/references.md: -------------------------------------------------------------------------------- 1 | https://www.elastic.co 2 | 3 | https://www.elastic.co/videos 4 | 5 | http://logz.io/blog 6 | 7 | https://www.loggly.com/blog/ 8 | 9 | http://kibana.logstash.es/ 10 | 11 | https://github.com/clay584 12 | 13 | http://www.slideshare.net/akashm/checklistforsecuringlinuxwebserverin10stepsorless 14 | 15 | http://jasonwilder.com/blog/2012/01/03/centralized-logging/ 16 | 17 | https://qbox.io/blog/welcome-to-the-elk-stack-elasticsearch-logstash-kibana 18 | 19 | https://www.peerlyst.com/posts/security-monitoring-and-attack-detection-with-elasticsearch-logstash-and-kibana-martin-boller 20 | 21 | http://www.slideshare.net/prajalkulkarni/attack-monitoring-using-elasticsearch-logstash-and-kibana 22 | 23 | https://ruin.io/2015/elk-in-production/ 24 | 25 | https://blog.codecentric.de/en/2014/05/elasticsearch-indexing-performance-cheatsheet/ 26 | 27 | http://elasticsearch-cheatsheet.jolicode.com/ 28 | 29 | http://joelabrahamsson.com/elasticsearch-101/ 30 | 31 | http://hadooptutorials.co.in/tutorials/elasticsearch/real-time-alerting-using-elasticsearch-watcher.html 32 | 33 | https://speakerdeck.com/untergeek/a-deeper-look-at-the-elk-stack-elasticsearch-logstash-and-kibana 34 | 35 | 
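http://www.elasticsearchtutorial.com/basic-elasticsearch-concepts.html

http://blog.scottlogic.com/2014/12/19/elk-3-things-i-wish-id-known.html

https://thepracticalsysadmin.com/performance-tuning-elk-stack/
-------------------------------------------------------------------------------- /documentation/start.html: --------------------------------------------------------------------------------




-------------------------------------------------------------------------------- /documentation/start.md: --------------------------------------------------------------------------------
### [Welcome](01-basics.md)
-------------------------------------------------------------------------------- /elk-ansible-playbook/group_vars/all: --------------------------------------------------------------------------------
# Variables shared by every host in the inventory.
#
# NOTE(review): the original version of this file carried the Kibana and
# Elasticsearch Basic-auth passwords in clear text. Anything committed to a
# repository has to be treated as compromised: rotate those credentials, and
# keep the real values in an ansible-vault encrypted file instead. Ansible
# loads a directory named group_vars/all/ exactly like this file, so the usual
# layout is
#   group_vars/all/vars.yml   (this file, plain text, safe to commit)
#   group_vars/all/vault.yml  (ansible-vault encrypt; defines the vault_* names)
# and the playbook is then run with --ask-vault-pass (or --vault-password-file).

# SSH login used by main.yml (remote_user); the readme passes the same name via --user.
remote_user_login_name: madhuakula

# DNS name baked into the self-signed certificate by
# roles/common/tasks/certificates.yml. Beats shippers must connect to Logstash
# by this exact name, otherwise TLS verification of the certificate fails.
server_domain_name: elk.site.cloud.com

# nginx Basic-auth accounts that front Kibana and the Elasticsearch REST API
# (roles/common/templates/nginxdefault.j2). The ES account has the full API.
basic_auth_kibana_username: kiabnasiteadminelk
basic_auth_kibana_password: "{{ vault_basic_auth_kibana_password }}"
basic_auth_es_username: essiteadminelk
basic_auth_es_password: "{{ vault_basic_auth_es_password }}"

# Bind address handed to Kibana (server.host in kibanaconfig.j2). Keep it on
# localhost: nginx is the only component that enforces authentication.
elasticsearch_host_address: localhost
-------------------------------------------------------------------------------- /elk-ansible-playbook/inventory.ini: --------------------------------------------------------------------------------
[all]
123.123.123.123
-------------------------------------------------------------------------------- /elk-ansible-playbook/main.yml: --------------------------------------------------------------------------------
---
# Entry point: applies the four roles, in the listed order, to every inventory
# host, escalating to root with become.
- name: ELK stack installation
  hosts: all
  remote_user: '{{ remote_user_login_name }}'
  become: yes

  roles:
    - common
    - elasticsearch
    - logstash
    - kibana
-------------------------------------------------------------------------------- /elk-ansible-playbook/readme.md: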
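--------------------------------------------------------------------------------
# E:L:K Stack Ansible Playbook

---

### To run playbook

- Please do necessary changes to the variables and inventory files and run the below command.
  `--ask-become-pass` (`-K`) prompts for the sudo password (`--ask-sudo-pass` is the
  deprecated spelling of the same option). Add `--ask-vault-pass` if the Basic-auth
  passwords are kept in an ansible-vault encrypted file.

```
ansible-playbook main.yml -i inventory.ini --user=madhuakula --ask-become-pass -vvv
```

-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/common/handlers/main.yml: --------------------------------------------------------------------------------
---
# Notified by roles/common/tasks/nginx.yml once the vhost template changes.
- name: restart nginx
  service: name=nginx state=restarted
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/common/tasks/certificates.yml: --------------------------------------------------------------------------------
---
# Self-signed certificate + key. Used by the Logstash beats input
# (roles/logstash/templates/02-beats-input.conf), by the nginx vhost, and
# distributed to Filebeat agents as their trust anchor
# (certificate_authorities in filebeat.yml).
- name: creating certs directory
  file: path=/etc/pki/tls/{{ item }} state=directory mode=0755

  # `items:` (as originally written) is not a task keyword; the loop never ran.
  with_items:
    - certs
    - private

- name: generating openssl certificates for logstash using domain name
  # `creates` makes this idempotent. Re-running the playbook must not mint a
  # new key: every Filebeat agent that pinned the previous certificate would
  # silently lose its connection, and the old `raw:` form regenerated it on
  # every run.
  # The certificate carries only a CN. Recent Beats releases (Go TLS stack)
  # reject certificates without a subjectAltName, so add one (openssl >= 1.1.1:
  # -addext "subjectAltName=DNS:<name>") or use a CA-issued certificate when
  # moving beyond the workshop setup.
  # The key is written unencrypted (-nodes); the logstash service account must
  # be able to read it, so do not tighten it to root-only here. TODO(review):
  # check the resulting file mode on the target openssl version.
  shell: "openssl req -subj '/CN={{ server_domain_name }}/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt"
  args:
    creates: /etc/pki/tls/certs/logstash-forwarder.crt
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/common/tasks/main.yml: --------------------------------------------------------------------------------
---
# Java runtime for Elasticsearch/Logstash plus the nginx front-end packages.
#
# NOTE(review): the original pulled Oracle Java 8 from the third-party
# ppa:webupd8team/java PPA, auto-accepting the license through debconf. A
# personal PPA is an avoidable supply-chain dependency, and that PPA stopped
# shipping the installer after Oracle's 2019 license change. Elasticsearch 2.x
# runs on OpenJDK 8 from the distribution repositories (Ubuntu 16.04+ /
# Debian 9+; older releases need a backport), which is what is installed here.
- name: install java wget nginx apache2 and utils
  apt: name={{ item }} state=present update_cache=yes

  with_items:
    - openjdk-8-jre-headless
    - nginx
    - apache2-utils
    - python-pip
    - git
    - python-passlib


# certificates.yml has to run: the Logstash beats input is configured with
# ssl => true and points at the key/certificate it creates, and the nginx
# vhost serves the same pair. With the include commented out (as it was),
# neither service can start.
- include: certificates.yml
- include: nginx.yml
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/common/tasks/nginx.yml: --------------------------------------------------------------------------------
---
# Basic-auth credential files for the two reverse-proxied services, then the
# vhost. The htpasswd files are readable by the nginx worker group only: the
# original root:root mode=0644 let every local account read the password
# hashes. TODO(review): confirm the worker user is www-data on the target
# distribution.
- name: Htpasswd generation for kibana
  #command: htpasswd -c /etc/nginx/htpasswd.users
  htpasswd: path=/etc/nginx/htpasswd-kibana.users name={{ basic_auth_kibana_username }} password={{ basic_auth_kibana_password }} owner=root group=www-data mode=0640

- name: Htpasswd generation for elasticsearch
  htpasswd: path=/etc/nginx/htpasswd-es.users name={{ basic_auth_es_username }} password={{ basic_auth_es_password }} owner=root group=www-data mode=0640

- name: Nginx Virtualhost configuration
  template: src=templates/nginxdefault.j2 dest=/etc/nginx/sites-available/default

  notify:
    - restart nginx
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/common/templates/nginxdefault.j2: --------------------------------------------------------------------------------
# Reverse proxy in front of Kibana and the Elasticsearch REST API. Both
# upstreams bind to localhost only; this vhost is the sole network entry point
# and the only place where authentication is enforced.
#
# Basic auth sends the credentials base64-encoded on every request, so it is
# only as private as the transport. The original listened on plain HTTP
# (ports 80 and 8080), exposing the passwords to anyone on the path — the
# workshop's own security-testing chapter demonstrates exactly that. TLS is
# now required, using the self-signed pair from
# roles/common/tasks/certificates.yml; swap in a CA-issued certificate for
# anything beyond the workshop.

server {
    listen 80;

    server_name localhost;

    # Never serve, or authenticate, over clear text: redirect to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name localhost;

    ssl_certificate     /etc/pki/tls/certs/logstash-forwarder.crt;
    ssl_certificate_key /etc/pki/tls/private/logstash-forwarder.key;
    ssl_protocols       TLSv1.2;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd-kibana.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    # Same port number as before, but TLS-only (clients use https://host:8080).
    # Whoever holds this credential has the *full* Elasticsearch API — index
    # deletion, snapshots, cluster settings — so treat the account as an
    # administrator, not a dashboard viewer.
    listen 8080 ssl;

    server_name localhost;

    ssl_certificate     /etc/pki/tls/certs/logstash-forwarder.crt;
    ssl_certificate_key /etc/pki/tls/private/logstash-forwarder.key;
    ssl_protocols       TLSv1.2;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd-es.users;

    location / {
        proxy_pass http://localhost:9200;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header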
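Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/defaults/main.yml: --------------------------------------------------------------------------------
# Role defaults consumed by templates/elasticsearch.yml.j2.
elasticsearch_cluster_name: company-elasticsearch-cloud-prod
elasticsearch_node_name: elk-node-all
bootstrap_mlock_value: true
# Bind the listeners to loopback: the node is reachable only through the
# authenticating nginx proxy on the same host.
network_host_info: localhost
# Filesystem snapshot repository location; also rendered into path.repo.
back_path_repo: /var/backups/elasticsearch
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/handlers/main.yml: --------------------------------------------------------------------------------
---
- name: start elasticsearch
  service: name=elasticsearch state=started

- name: restart elasticsearch
  service: name=elasticsearch state=restarted
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/tasks/curator.yml: --------------------------------------------------------------------------------
---
# Elasticsearch Curator (index/snapshot housekeeping) plus the snapshot
# repository bootstrap script.
- name: adding elasticsearch gpg key for curator
  apt_key: url=https://packages.elastic.co/GPG-KEY-elasticsearch state=present

- name: adding curator debian package to the repository
  # Fetch the index over TLS, consistent with the elasticsearch/logstash
  # repositories in this playbook. apt still verifies the signature, but a
  # plain-http index reveals what is installed and invites downgrade attempts.
  apt_repository: repo='deb https://packages.elastic.co/curator/3/debian stable main' state=present

- name: installating the curator
  apt: name={{ item }} state=present update_cache=yes

  with_items:
    - python-elasticsearch-curator

  # Curator is a client-side tool; installing it does not need an
  # Elasticsearch restart (the original notified one here).

- name: creating backups directory for elasticsearch indexes snapshots
  # Snapshots contain the indexed data (including whatever sensitive logs were
  # ingested); keep the directory private to the service account.
  file: path='/var/backups/elasticsearch/' state=directory group=elasticsearch owner=elasticsearch mode=0750

- name: copying curator snapshot backup script
  # NOTE(review): /tmp is world-writable and cleared on reboot; a script meant
  # to be run as root belongs under /usr/local/sbin. Path kept because the
  # workshop documentation may refer to it — TODO confirm and move.
  template: src=templates/curator_snapshot.sh.j2 dest=/tmp/curator_snapshot.sh mode=0755

#- name: executing curator backup snapshot script
#  shell: /tmp/curator_snapshot.sh >> curator_snapshot_exec.log
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/tasks/esconfig.yml: --------------------------------------------------------------------------------
---
- name: elasticsearch.yml configuration changes
  template: src=templates/elasticsearch.yml.j2 dest=/etc/elasticsearch/elasticsearch.yml

  notify:
    - restart elasticsearch

#- name: limits.conf tuning
#  lineinfile: dest=/etc/security/limits.conf line="{{ item }}"
#  with_items:
#    - 'elasticsearch soft nofile 32000'
#    - 'elasticsearch hard nofile 32000'
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/tasks/install.yml: --------------------------------------------------------------------------------
---
# NOTE(review): Elasticsearch 2.x (like the Kibana 4.5 / Logstash 2.3 pinned
# elsewhere in this playbook) is long past end-of-life and receives no
# security fixes; treat this as workshop material, not a production baseline.
- name: adding elasticsearch gpg key for elasticsearch
  apt_key: url=https://packages.elastic.co/GPG-KEY-elasticsearch state=present

- name: adding the elasticsearch debain repository
  apt_repository: repo='deb https://packages.elastic.co/elasticsearch/2.x/debian stable main' state=present

- name: installing elasticsearch
  apt: name={{ item }} state=present update_cache=yes

  with_items:
    - elasticsearch

# Run sudo update-rc.d elasticsearch defaults 95 10
- name: adding into the startup programs
  service: name=elasticsearch enabled=yes

  notify:
    - start elasticsearch
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/tasks/main.yml: --------------------------------------------------------------------------------
---
- include: install.yml
- include: esconfig.yml
- include: plugins.yml
- include: curator.yml
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/tasks/plugins.yml: --------------------------------------------------------------------------------
---
# Browser-based cluster admin UIs. Both are fetched from GitHub by the plugin
# tool at whatever revision is current — there is no version pin or checksum —
# and both offer full cluster administration to anyone who can reach the
# Elasticsearch HTTP port (loopback only here, proxied behind Basic auth).
# Drop them if the nginx-proxied API is all that is needed.
- name: installing elasticsearch plugins
  command: /usr/share/elasticsearch/bin/plugin install {{ item }}

  with_items:
    - mobz/elasticsearch-head
    - royrusso/elasticsearch-HQ

  # Needed because a re-run fails with "already installed", but it also masks
  # a failed download or a tampered archive. TODO(review): replace with a
  # `creates:` guard on the plugin directory once the directory names are confirmed.
  ignore_errors: true
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/templates/curator_snapshot.sh.j2: --------------------------------------------------------------------------------
#!/bin/sh
# Registers the filesystem snapshot repository "backup" used for index backups.
# The location is rendered from the same variable as path.repo in
# elasticsearch.yml.j2 (back_path_repo); the original hard-coded the path, so
# changing the variable silently broke the script. -f makes curl exit non-zero
# on an HTTP error instead of reporting success.
curl -sS -f -XPUT 'http://localhost:9200/_snapshot/backup' -d '{
    "type": "fs",
    "settings": {
        "location": "{{ back_path_repo }}",
        "compress": true
    }
}'
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/elasticsearch/templates/elasticsearch.yml.j2: --------------------------------------------------------------------------------
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.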
9 | # 10 | # Please see the documentation for further information on configuration options: 11 | # 12 | # 13 | # ---------------------------------- Cluster ----------------------------------- 14 | # 15 | # Use a descriptive name for your cluster: 16 | # 17 | cluster.name: "{{ elasticsearch_cluster_name }}" 18 | # 19 | # ------------------------------------ Node ------------------------------------ 20 | # 21 | # Use a descriptive name for the node: 22 | # 23 | node.name: "{{ elasticsearch_node_name }}" 24 | # 25 | # Add custom attributes to the node: 26 | # 27 | # node.rack: r1 28 | # 29 | # ----------------------------------- Paths ------------------------------------ 30 | # 31 | # Path to directory where to store the data (separate multiple locations by comma): 32 | # 33 | # path.data: /path/to/data 34 | # 35 | # Path to log files: 36 | # 37 | # path.logs: /path/to/logs 38 | # 39 | # ----------------------------------- Memory ----------------------------------- 40 | # 41 | # Lock the memory on startup: 42 | # 43 | bootstrap.mlockall: {{ bootstrap_mlock_value }} 44 | # 45 | # Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory 46 | # available on the system and that the owner of the process is allowed to use this limit. 47 | # 48 | # Elasticsearch performs poorly when the system is swapping the memory. 
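#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
# Loopback only: the API is reachable solely through the nginx Basic-auth
# proxy, and this node has no authentication of its own.
network.host: {{ network_host_info }}
#
# Set a custom port for HTTP:
#
# http.port: 9200
#
# For more information, see the documentation at:
#
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
# discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
#
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
# gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
#
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
# node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
# Enabled (the stock template leaves it commented out): the REST API is
# exposed through nginx to a shared Basic-auth account, and this prevents a
# single DELETE /_all or DELETE /* from wiping every index.
action.destructive_requires_name: true

#------------------------------- Custom configuration -------------------------------

# Filesystem snapshot repositories may only be registered under this path
# (see templates/curator_snapshot.sh.j2).
path.repo: {{ back_path_repo }}
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/kibana/handlers/main.yml: --------------------------------------------------------------------------------
---
- name: start kibana
  service: name=kibana state=started

- name: Restart Kibana
  service: name=kibana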
state=restarted 7 | 8 | - name: Restart Nginx 9 | service: name=nginx state=restarted 10 | 11 | - name: Restart Elasticsearch 12 | service: name=elasticsearch state=restarted 13 | -------------------------------------------------------------------------------- /elk-ansible-playbook/roles/kibana/tasks/kibanaconfig.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Kibana configuration file tweaking 3 | action: template src=templates/kibanaconfig.j2 dest=/opt/kibana/config/kibana.yml 4 | 5 | notify: 6 | - Restart Kibana 7 | - Restart Nginx 8 | - Restart Elasticsearch 9 | -------------------------------------------------------------------------------- /elk-ansible-playbook/roles/kibana/tasks/kibanainstall.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: adding elasticsearch gpg key for kibana 3 | apt_key: url=https://packages.elastic.co/GPG-KEY-elasticsearch state=present 4 | 5 | - name: adding logstash to debian kibana 6 | apt_repository: repo='deb http://packages.elastic.co/kibana/4.5/debian stable main' state=present 7 | 8 | - name: installing kibana 9 | apt: name={{ item }} state=present update_cache=yes 10 | 11 | with_items: 12 | - kibana 13 | 14 | - name: adding kibana to startup programs 15 | # Run sudo update-rc.d kibana defaults 95 10 16 | service: name=kibana enabled=yes 17 | 18 | notify: 19 | - start kibana -------------------------------------------------------------------------------- /elk-ansible-playbook/roles/kibana/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include: kibanainstall.yml 3 | - include: kibanaconfig.yml -------------------------------------------------------------------------------- /elk-ansible-playbook/roles/kibana/templates/kibanaconfig.j2: -------------------------------------------------------------------------------- 1 | # Kibana is served by a back end 
server. This controls which port to use. 2 | # server.port: 5601 3 | 4 | # The host to bind the server to. 5 | server.host: "{{ elasticsearch_host_address }}" 6 | 7 | # If you are running kibana behind a proxy, and want to mount it at a path, 8 | # specify that path here. The basePath can't end in a slash. 9 | # server.basePath: "" 10 | 11 | # The maximum payload size in bytes on incoming server requests. 12 | # server.maxPayloadBytes: 1048576 13 | 14 | # The Elasticsearch instance to use for all your queries. 15 | # elasticsearch.url: "http://localhost:9200" 16 | 17 | # preserve_elasticsearch_host true will send the hostname specified in `elasticsearch`. If you set it to false, 18 | # then the host you use to connect to *this* Kibana instance will be sent. 19 | # elasticsearch.preserveHost: true 20 | 21 | # Kibana uses an index in Elasticsearch to store saved searches, visualizations 22 | # and dashboards. It will create a new index if it doesn't already exist. 23 | # kibana.index: ".kibana" 24 | 25 | # The default application to load. 26 | # kibana.defaultAppId: "discover" 27 | 28 | # If your Elasticsearch is protected with basic auth, these are the user credentials 29 | # used by the Kibana server to perform maintenance on the kibana_index at startup. 
Your Kibana 30 | # users will still need to authenticate with Elasticsearch (which is proxied through 31 | # the Kibana server) 32 | # elasticsearch.username: "admin" 33 | # elasticsearch.password: "admin" 34 | 35 | # SSL for outgoing requests from the Kibana Server to the browser (PEM formatted) 36 | # server.ssl.cert: /path/to/your/server.crt 37 | # server.ssl.key: /path/to/your/server.key 38 | 39 | # Optional setting to validate that your Elasticsearch backend uses the same key files (PEM formatted) 40 | # elasticsearch.ssl.cert: /path/to/your/client.crt 41 | # elasticsearch.ssl.key: /path/to/your/client.key 42 | 43 | # If you need to provide a CA certificate for your Elasticsearch instance, put 44 | # the path of the pem file here. 45 | # elasticsearch.ssl.ca: /path/to/your/CA.pem 46 | 47 | # Set to false to have a complete disregard for the validity of the SSL 48 | # certificate. 49 | # elasticsearch.ssl.verify: true 50 | 51 | # Time in milliseconds to wait for elasticsearch to respond to pings, defaults to 52 | # request_timeout setting 53 | # elasticsearch.pingTimeout: 1500 54 | 55 | # Time in milliseconds to wait for responses from the back end or elasticsearch. 56 | # This must be > 0 57 | # elasticsearch.requestTimeout: 30000 58 | 59 | # Time in milliseconds for Elasticsearch to wait for responses from shards. 60 | # Set to 0 to disable. 61 | # elasticsearch.shardTimeout: 0 62 | 63 | # Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying 64 | # elasticsearch.startupTimeout: 5000 65 | 66 | # Set the path to where you would like the process id file to be created. 67 | # pid.file: /var/run/kibana.pid 68 | 69 | # If you would like to send the log output to a file you can set the path below. 70 | # logging.dest: stdout 71 | 72 | # Set this to true to suppress all logging output. 73 | # logging.silent: false 74 | 75 | # Set this to true to suppress all logging output except for error messages. 
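# logging.quiet: false

# Set this to true to log all events, including system usage information and all requests.
# logging.verbose: false

-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/handlers/main.yml: --------------------------------------------------------------------------------
---
- name: start logstash
  service: name=logstash state=started

- name: Restart Logstash
  service: name=logstash state=restarted
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/tasks/logstashconfig.yml: --------------------------------------------------------------------------------
---
# Pipeline fragments for /etc/logstash/conf.d. Logstash reads the directory in
# filename order, so the numeric prefixes are kept on the destination. The
# output used to be written as 10-elasticsearch-output.conf, which matched
# neither its source name nor the sibling copy under
# logstash-configs/filebeat-web-ssh-logstash-config/.
- name: logstash configuration file tweaking
  template: src=templates/{{ item.src }} dest=/etc/logstash/conf.d/{{ item.dst }}

  with_items:
    - { src: '02-beats-input.conf', dst: '02-beats-input.conf' }
    - { src: '10-sshlog-filter.conf', dst: '10-sshlog-filter.conf' }
    - { src: '11-weblog-filter.conf', dst: '11-weblog-filter.conf' }
    - { src: '30-elasticsearch-output.conf', dst: '30-elasticsearch-output.conf' }

  notify:
    - Restart Logstash

- name: removing the output fragment written under its old name
  # Hosts deployed with the previous run would otherwise carry two
  # elasticsearch outputs and index every event twice.
  file: path=/etc/logstash/conf.d/10-elasticsearch-output.conf state=absent

  notify:
    - Restart Logstash

- name: logstash configuration test
  # Fail the play here, with the parser's message, rather than let the restart
  # handler leave Logstash down on a broken template.
  command: /opt/logstash/bin/logstash --configtest -f /etc/logstash/conf.d/
  changed_when: false

#- name: forward the logstash configuration
#  command: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/tasks/logstashinstall.yml: --------------------------------------------------------------------------------
---
- name: adding elasticsearch gpg key for logstash
  apt_key: url=https://packages.elastic.co/GPG-KEY-elasticsearch state=present

- name: adding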
logstash to debian repository
  apt_repository: repo='deb https://packages.elastic.co/logstash/2.3/debian stable main' state=present

- name: installing logstash
  apt: name={{ item }} state=present update_cache=yes

  with_items:
    - logstash

- name: adding logstash to startup programs
  # Run sudo update-rc.d logstash defaults 95 10
  service: name=logstash enabled=yes

  notify:
    - start logstash
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/tasks/main.yml: --------------------------------------------------------------------------------
---
- include: logstashinstall.yml
- include: logstashconfig.yml
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/templates/02-beats-input.conf: --------------------------------------------------------------------------------
# Filebeat shippers connect here. TLS is mandatory; the key/certificate pair
# is produced by roles/common/tasks/certificates.yml, so that include must be
# enabled or this input — and with it Logstash — fails to start.
# NOTE(review): no ssl_verify_mode is set, so (with the plugin's default, as
# far as I recall — confirm) the agents verify the server but any client that
# trusts this certificate may ship events; there is no client authentication.
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/templates/10-sshlog-filter.conf: --------------------------------------------------------------------------------
# Parses OpenSSH authentication lines shipped with document_type "sshlog":
# accepted/failed password logins, "invalid user" attempts, the syslog
# "message repeated 2 times" wrapper, and the generic "<result> <method> for"
# form. Lines matching none of the patterns are dropped, so only structured
# login events reach Elasticsearch.
filter {
  if [type] == "sshlog" {
    grok {
      add_tag => [ "valid" ]

      match => [
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}"
      ]
    }

    # add_tag is applied only on a successful match; unmatched lines never
    # receive "valid" and are discarded here.
    if "valid" not in [tags] {
      drop { }
    }

    mutate {
      remove_tag => [ "valid" ]
      lowercase => [ "login" ]
    }


    # Syslog timestamps carry neither year nor zone. The zone must be that of
    # the *source* host's clock, not the ELK server's. TODO(review): make it a
    # variable instead of hard-coding Helsinki.
    date {
      match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      timezone => "Europe/Helsinki"
    }

    geoip {
      source => "ip"
    }
  }
}
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/templates/11-weblog-filter.conf: --------------------------------------------------------------------------------
# Parses combined-format access-log lines shipped with document_type "weblog".
# Unlike the ssh filter, an unparsed line is not dropped: it is indexed with
# grok's failure tag and stays visible.
filter {
  if [type] == "weblog" {
    grok {
      match => {
        "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
      }
    }

    date {
      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
      locale => en
    }

    geoip {
      source => "clientip"
    }

    # The User-Agent is attacker-controlled input; the parsed result lands
    # under "useragent" while the raw value stays in "agent".
    useragent {
      source => "agent"
      target => "useragent"
    }
  }
}
-------------------------------------------------------------------------------- /elk-ansible-playbook/roles/logstash/templates/30-elasticsearch-output.conf: --------------------------------------------------------------------------------
# One index per Beat and day (<beat>-YYYY.MM.dd). Logstash talks to the node
# directly on loopback, bypassing the nginx proxy, which is why no credentials
# appear here — and why Elasticsearch must stay bound to localhost.
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    #sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
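--------------------------------------------------------------------------------
/elk-ansible-playbook/roles/logstash/templates/filebeat.yml:
--------------------------------------------------------------------------------
# Filebeat shipper config (Filebeat 1.x layout): tails the local SSH auth log
# and the nginx access log and forwards both to the Logstash beats input on 5044.
# Each prospector sets document_type so the Logstash filters can branch on [type]
# ("sshlog" -> 10-sshlog-filter.conf, "weblog" -> 11-weblog-filter.conf).
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        # - /var/log/syslog
        # - /var/log/*.log
      document_type: sshlog

    -
      paths:
        - /var/log/nginx/access.log
      document_type: weblog

  # Read offsets are persisted here so a restart does not re-ship whole files.
  registry_file: /var/lib/filebeat/registry

output:
  logstash:
    # Placeholder: replace with the ELK server's private address before deploying.
    hosts: ["elk_server_private_ip:5044"]
    bulk_max_size: 1024

    # The shipper verifies the Logstash endpoint against this certificate (the
    # same file 02-beats-input.conf serves), so logs are only sent to that server.
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

shipper:

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
--------------------------------------------------------------------------------
/logstash-configs/ddos.conf:
--------------------------------------------------------------------------------
# Standalone pipeline for the workshop's SSH brute-force sample (ddos.log):
# parse sshd auth lines, enrich with GeoIP, tag bursts from a single source IP
# with the throttle filter, and e-mail root for each tagged event.
input {
  file {
    path => "/home/ninja/log-samples/ddos.log"
    start_position => "beginning"
    ignore_older => 0
  }
}

filter {
  # The "valid" tag is only added when one of the patterns matches, so it acts
  # as a match sentinel for the drop below. The patterns cover the sshd forms
  # "<login> password for <user> from <ip>", the "message repeated 2 times"
  # wrapper, the "invalid user" variant and the generic "<login> <auth_method> for".
  grok {
    add_tag => [ "valid" ]

    match => [
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}"
    ]
  }

  # Drop lines that no pattern matched (same guard as ssh-log.conf and
  # 10-sshlog-filter.conf). Without it an unparsed line has no [ip], so every
  # such line lands in one throttle bucket keyed by the literal "%{ip}" and a
  # handful of unrelated lines can raise a spurious alert.
  if "valid" not in [tags] {
    drop { }
  }

  mutate {
    remove_tag => [ "valid" ]
    # Normalise the sshd verdict word (typically Failed/Accepted) for aggregation.
    lowercase => [ "login" ]
  }

  # Syslog stamps carry no year or zone; the timezone pins the offset
  # (presumably where the sample was captured — confirm if re-using this).
  date {
    match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
    timezone => "Europe/Helsinki"
  }

  geoip {
    source => "ip"
  }

  # Tag "throttled" once more than after_count events share one source IP
  # within period seconds. The filter tags rather than drops, so every event
  # over the threshold still reaches the email output below (one mail each).
  throttle {
    before_count => 0
    after_count => 5
    period => 5
    key => "%{ip}"
    add_tag => "throttled"
  }
}

output {
  if "throttled" in [tags] {
    # [host] is set by the file input, i.e. the Logstash machine — not syslog_host.
    email {
      subject => "DDoS attack on %{host}"
      to => "root"
      via => "sendmail"
      body => "Alert on %{host} from %{ip} :\n\n%{message}"
      #options => { "location" => "/usr/sbin/sendmail" }
    }
  }
  elasticsearch {
    hosts => ["localhost:9200"]
    # Elasticsearch rejects index names containing upper-case letters
    # (InvalidIndexNameException), so "DDoS" never indexed; keep it lower case.
    index => "ddos"
  }
}
--------------------------------------------------------------------------------
/logstash-configs/filebeat-web-ssh-logstash-config/02-beats-input.conf:
--------------------------------------------------------------------------------
# Beats listener. TLS is terminated here with the logstash-forwarder key pair;
# shippers pin the matching certificate in their filebeat.yml
# (certificate_authorities), so the log path is encrypted and server-authenticated.
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
--------------------------------------------------------------------------------
/logstash-configs/filebeat-web-ssh-logstash-config/10-sshlog-filter.conf:
--------------------------------------------------------------------------------
# Parses events Filebeat tagged document_type "sshlog" (/var/log/auth.log).
filter {
  if [type] == "sshlog" {
    # "valid" is only added on a successful match and is used as the sentinel
    # for the drop below; the patterns are the four sshd auth-line shapes
    # (plain, "message repeated 2 times", "invalid user", "<login> <auth_method> for").
    grok {
      add_tag => [ "valid" ]

      match => [
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
        "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}"
      ]
    }

    # Only authentication lines are kept; everything else in auth.log is discarded.
    if "valid" not in [tags] {
      drop { }
    }

    mutate {
      remove_tag => [ "valid" ]
      # Normalise the verdict word (typically Failed/Accepted) for aggregation.
      lowercase => [ "login" ]
    }

    # Syslog stamps carry no zone; the fixed timezone supplies the offset.
    date {
      match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      timezone => "Europe/Helsinki"
    }

    # Adds geoip.* (country, city, ...) from the attacker/source address.
    geoip {
      source => "ip"
    }
  }
}
--------------------------------------------------------------------------------
/logstash-configs/filebeat-web-ssh-logstash-config/11-weblog-filter.conf:
--------------------------------------------------------------------------------
# Parses events Filebeat tagged document_type "weblog" (nginx access log,
# combined log format). No drop guard here: unmatched lines keep
# _grokparsefailure and are still indexed.
filter {
  if [type] == "weblog" {
    grok {
      match => {
        "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
      }
    }

    # The access-log stamp carries its own offset ("Z"), so no timezone is needed.
    date {
      match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
      locale => en
    }

    geoip {
      source => "clientip"
    }

    # Splits the raw User-Agent string into useragent.name / useragent.os etc.
    useragent {
      source => "agent"
      target => "useragent"
    }
  }
}
--------------------------------------------------------------------------------
/logstash-configs/filebeat-web-ssh-logstash-config/30-elasticsearch-output.conf:
--------------------------------------------------------------------------------
# Writes every event to the local Elasticsearch node, one index per beat per
# day (e.g. filebeat-YYYY.MM.dd), keeping the Filebeat document_type as the ES type.
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    #sniffing => true
    # Index template is not pushed by Logstash; presumably loaded separately
    # (Filebeat 1.x ships its own) — verify on a fresh cluster.
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
--------------------------------------------------------------------------------
/logstash-configs/network.conf:
--------------------------------------------------------------------------------
# Loads the firewall sample (network.log). The column list appears to be a
# Palo Alto traffic-log export; every row is split into these named fields.
input {
  file {
    path => "/home/ninja/log-samples/network.log"
    start_position => "beginning"
    ignore_older => 0
  }
}

filter {
  csv {
    columns => [ "PaloAltoDomain","ReceiveTime","SerialNum","Type","Threat-ContentType","ConfigVersion","GenerateTime","SourceAddress","DestinationAddress","NATSourceIP","NATDestinationIP","Rule","SourceUser","DestinationUser","Application","VirtualSystem","SourceZone","DestinationZone","InboundInterface","OutboundInterface","LogAction","TimeLogged","SessionID","RepeatCount","SourcePort","DestinationPort","NATSourcePort","NATDestinationPort","Flags","IPProtocol","Action","Bytes","BytesSent","BytesReceived","Packets","StartTime","ElapsedTimeInSec","Category","Padding","seqno","actionflags","SourceCountry","DestinationCountry","cpadding","pkts_sent","pkts_received" ]
  }
}

output {
  # No hosts given, so the plugin default (localhost:9200) is used.
  elasticsearch {
    index => "network-logs"
  }

  #stdout { codec => rubydebug }
}
--------------------------------------------------------------------------------
/logstash-configs/pwd-dump.conf:
--------------------------------------------------------------------------------
# Loads the password-dump sample as "username,password" CSV rows for the
# password-analysis dashboard. The resulting index holds plaintext credentials;
# keep the Elasticsearch node bound to localhost (as the other outputs assume)
# and restrict who can query it.
input {
  file {
    path => "/home/ninja/log-samples/pwd-dump.txt"
    start_position => "beginning"
    ignore_older => 0
  }
}

filter {
  csv {
    columns => [ "username","password" ]
  }
}

output {
  # No hosts given, so the plugin default (localhost:9200) is used.
  elasticsearch {
    index => "pwd-dump"
  }

  #stdout { codec => rubydebug }
}
--------------------------------------------------------------------------------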
/logstash-configs/ssh-log.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | file { 4 | 5 | path => "/home/ninja/log-samples/auth.log" 6 | start_position => "beginning" 7 | ignore_older => 0 8 | 9 | } 10 | } 11 | 12 | filter { 13 | 14 | grok { 15 | add_tag => [ "valid" ] 16 | 17 | match => [ 18 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}", 19 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}", 20 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}", 21 | "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}" 22 | ] 23 | } 24 | 25 | if "valid" not in [tags] { 26 | drop { } 27 | } 28 | 29 | mutate { 30 | remove_tag => [ "valid" ] 31 | lowercase => [ "login" ] 32 | } 33 | 34 | 35 | date { 36 | match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ] 37 | timezone => "Europe/Helsinki" 38 | } 39 | 40 | geoip { 41 | source => "ip" 42 | } 43 | 44 | } 45 | 46 | 47 | output { 48 | elasticsearch { 49 | hosts => ["localhost:9200"] 50 | index => "ssh-log" 51 | } 52 | } -------------------------------------------------------------------------------- /logstash-configs/web-log.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | file { 4 | 5 | path => "/home/ninja/log-samples/access.log" 6 | start_position => "beginning" 7 | ignore_older => 0 8 | 9 | } 10 | } 
11 | 12 | filter { 13 | 14 | grok { 15 | match => { 16 | "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}' 17 | } 18 | } 19 | 20 | date { 21 | match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ] 22 | locale => en 23 | } 24 | 25 | geoip { 26 | source => "clientip" 27 | } 28 | 29 | useragent { 30 | source => "agent" 31 | target => "useragent" 32 | } 33 | 34 | } 35 | 36 | 37 | output { 38 | elasticsearch { 39 | hosts => ["localhost:9200"] 40 | index => "web-log" 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Defcon24 - Ninja Level Infrastructure Monitoring Workshop 2 | 3 | This repository contains the presentation, documentation, configuration files, sample logs, Ansible playbook, customized dashboards and more. 4 | 5 | - Here are the workshop details, which we ([Madhu Akula](https://github.com/madhuakula) & [Riyaz Walikar](https://github.com/riyazwalikar)) presented at Defcon24. 
[https://defcon.org/html/defcon-24/dc-24-workshops.html#Akula](https://defcon.org/html/defcon-24/dc-24-workshops.html#Akula) 6 | 7 | - Brief blog post about the release on [Medium](https://medium.com/@riyazwalikar/releasing-the-contents-of-our-ninja-level-infrastructure-monitoring-defcon24-workshop-140518beb47d) 8 | 9 | - Read the documentation by navigating to `documentation/start.md` 10 | 11 | **Contents** 12 | 13 | - *documentation* : Complete step-by-step documentation & presentation details 14 | - *dashboards* : Includes all customized dashboards for Kibana 15 | - *elk-ansible-playbook* : Ansible playbook to set up the stack 16 | - *logstash-configs* : Logstash configuration files 17 | - *vm-content* : all the files in the virtual machine (logs, configurations, etc.) 18 | 19 | **Note** 20 | 21 | We have added some additional modules presented at [All Day DevOps](https://github.com/appsecco/alldaydevops-aism) and the DevOps Days India conference. Updated step-by-step documentation and virtual machines are available at [https://github.com/appsecco/nullblr-bachaav-aismd](https://github.com/appsecco/nullblr-bachaav-aismd) 22 | -------------------------------------------------------------------------------- /vm-content/configs/filebeat.yml: -------------------------------------------------------------------------------- 1 | filebeat: 2 | prospectors: 3 | - 4 | paths: 5 | - /var/log/auth.log 6 | # - /var/log/syslog 7 | # - /var/log/*.log 8 | 9 | document_type: sshlog 10 | 11 | - 12 | paths: 13 | - /var/log/access.log 14 | 15 | document_type: weblog 16 | 17 | registry_file: /var/lib/filebeat/registry 18 | 19 | output: 20 | logstash: 21 | hosts: ["logstash_server_private_ip:5044"] 22 | bulk_max_size: 1024 23 | 24 | tls: 25 | certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"] 26 | 27 | shipper: 28 | 29 | logging: 30 | files: 31 | rotateeverybytes: 10485760 # = 10MB 32 | -------------------------------------------------------------------------------- 
/vm-content/configs/network.conf:
--------------------------------------------------------------------------------
# VM copy of the firewall pipeline: reads the network.log sample and splits each
# row into the named columns below (the names look like a Palo Alto traffic-log
# export). Identical to /logstash-configs/network.conf.
input {

  file {

    path => "/home/ninja/log-samples/network.log"
    start_position => "beginning"
    ignore_older => 0

  }
}

filter {

  csv {

    columns => [ "PaloAltoDomain","ReceiveTime","SerialNum","Type","Threat-ContentType","ConfigVersion","GenerateTime","SourceAddress","DestinationAddress","NATSourceIP","NATDestinationIP","Rule","SourceUser","DestinationUser","Application","VirtualSystem","SourceZone","DestinationZone","InboundInterface","OutboundInterface","LogAction","TimeLogged","SessionID","RepeatCount","SourcePort","DestinationPort","NATSourcePort","NATDestinationPort","Flags","IPProtocol","Action","Bytes","BytesSent","BytesReceived","Packets","StartTime","ElapsedTimeInSec","Category","Padding","seqno","actionflags","SourceCountry","DestinationCountry","cpadding","pkts_sent","pkts_received" ]

  }
}

output {

  # No hosts given, so the plugin default (localhost:9200) is used.
  elasticsearch {

    index => "network-logs"

  }

  #stdout { codec => rubydebug }

}
--------------------------------------------------------------------------------
/vm-content/configs/ssh-log.conf:
--------------------------------------------------------------------------------
# VM copy of the SSH auth-log pipeline: parse sshd auth lines from the
# auth.log sample, keep only matched lines, add GeoIP and index as "ssh-log".
input {

  file {

    path => "/home/ninja/log-samples/auth.log"
    start_position => "beginning"
    ignore_older => 0

  }
}

filter {

  # "valid" is only added on a successful match and serves as the sentinel for
  # the drop below. The four patterns are the sshd auth-line shapes: plain
  # "<login> password for <user> from <ip>", the "message repeated 2 times"
  # wrapper, the "invalid user" variant and the generic "<login> <auth_method> for".
  grok {
    add_tag => [ "valid" ]

    match => [
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}"
    ]
  }

  # Everything in auth.log that is not an authentication line is discarded.
  if "valid" not in [tags] {
    drop { }
  }

  mutate {
    remove_tag => [ "valid" ]
    # Normalise the verdict word (typically Failed/Accepted) for aggregation.
    lowercase => [ "login" ]
  }


  # Syslog stamps carry no year or zone; the fixed timezone supplies the offset
  # (presumably where the sample was captured — confirm before re-using).
  date {
    match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
    timezone => "Europe/Helsinki"
  }

  # Adds geoip.* (country, city, ...) derived from the source address.
  geoip {
    source => "ip"
  }

}


output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "ssh-log"
  }
}
--------------------------------------------------------------------------------
/vm-content/configs/web-log.conf:
--------------------------------------------------------------------------------
# VM copy of the web access-log pipeline: parse combined-format lines from the
# access.log sample, add GeoIP and user-agent fields, index as "web-log".
# No drop guard here: unmatched lines keep _grokparsefailure and are still indexed.
input {

  file {

    path => "/home/ninja/log-samples/access.log"
    start_position => "beginning"
    ignore_older => 0

  }
}

filter {

  grok {
    match => {
      "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
    }
  }

  # The access-log stamp carries its own offset ("Z"), so no timezone is set.
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => en
  }

  geoip {
    source => "clientip"
  }

  # Splits the raw User-Agent string into useragent.name / useragent.os etc.
  useragent {
    source => "agent"
    target => "useragent"
  }

}


output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "web-log"
  }
}
--------------------------------------------------------------------------------
/vm-content/dashboards/all-kibana.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Web-Dashboard", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "Web-Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": "[{\"col\":1,\"id\":\"Web-Attack-Table\",\"panelIndex\":1,\"row\":3,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Web-Attack-Machine\",\"panelIndex\":2,\"row\":3,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Web-Attack-Response\",\"panelIndex\":3,\"row\":1,\"size_x\":5,\"size_y\":2,\"type\":\"visualization\"},{\"id\":\"Web-Attack-Count\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":2,\"size_y\":2,\"col\":6,\"row\":1},{\"id\":\"Web-Attack-Bytes\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":2,\"size_y\":2,\"col\":8,\"row\":1},{\"id\":\"Web-Attack-Description\",\"type\":\"visualization\",\"panelIndex\":6,\"size_x\":3,\"size_y\":2,\"col\":10,\"row\":1},{\"id\":\"WEB\",\"type\":\"search\",\"panelIndex\":7,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":6,\"columns\":[\"clientip\",\"verb\",\"request\",\"response\",\"geoip.country_name\",\"geoip.city_name\",\"useragent.name\",\"useragent.os\"],\"sort\":[\"@timestamp\",\"desc\"]}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": "{\"P-2\":{\"vis\":{\"legendOpen\":false}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "now", 15 | "timeFrom": "now-15d/d", 16 | "kibanaSavedObjectMeta": { 17 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 18 | } 19 | } 20 | }, 21 | { 22 | "_id": "SSH-Dashboard", 23 | "_type": "dashboard", 24 | "_source": { 25 | "title": "SSH-Dashboard", 26 | "hits": 0, 27 | "description": "", 28 | "panelsJSON": 
"[{\"id\":\"SSH-Attack-Count\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":4,\"size_y\":2,\"col\":1,\"row\":4},{\"id\":\"SSH-Attack-Description\",\"type\":\"visualization\",\"panelIndex\":2,\"size_x\":4,\"size_y\":2,\"col\":5,\"row\":4},{\"id\":\"SSH-Attack-Details\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":6,\"size_y\":3,\"col\":7,\"row\":1},{\"id\":\"SSH-Attack-Info\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":4,\"size_y\":5,\"col\":9,\"row\":4},{\"id\":\"SSH-Attack-Response\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"SSH\",\"type\":\"search\",\"panelIndex\":6,\"size_x\":8,\"size_y\":3,\"col\":1,\"row\":6,\"columns\":[\"syslog_date\",\"login\",\"username\",\"ip\",\"geoip.country_name\",\"geoip.city_name\"],\"sort\":[\"@timestamp\",\"desc\"]}]", 29 | "optionsJSON": "{\"darkTheme\":false}", 30 | "uiStateJSON": "{}", 31 | "version": 1, 32 | "timeRestore": true, 33 | "timeTo": "now", 34 | "timeFrom": "now-15d/d", 35 | "kibanaSavedObjectMeta": { 36 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}" 37 | } 38 | } 39 | }, 40 | { 41 | "_id": "Attack-Dashboard", 42 | "_type": "dashboard", 43 | "_source": { 44 | "title": "Attack-Dashboard", 45 | "hits": 0, 46 | "description": "", 47 | "panelsJSON": 
"[{\"col\":10,\"id\":\"Attack-Description\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Attack-Details\",\"panelIndex\":2,\"row\":3,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Attack-Details-ssh\",\"panelIndex\":3,\"row\":6,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":6,\"id\":\"Attack-Info-ssh\",\"panelIndex\":4,\"row\":6,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Attack-Machine-Web\",\"panelIndex\":7,\"row\":3,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Attack-Table-Web\",\"panelIndex\":8,\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Attack-Unique-IP\",\"panelIndex\":9,\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_type\",\"geoip.ip\",\"login\",\"username\",\"verb\",\"response\",\"useragent.name\",\"useragent.os\",\"geoip.country_name\",\"geoip.city_name\"],\"id\":\"WEB-SSH\",\"panelIndex\":10,\"row\":9,\"size_x\":12,\"size_y\":3,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Attack-Logs\",\"panelIndex\":11,\"row\":1,\"size_x\":6,\"size_y\":2,\"type\":\"visualization\"}]", 48 | "optionsJSON": "{\"darkTheme\":false}", 49 | "uiStateJSON": "{}", 50 | "version": 1, 51 | "timeRestore": true, 52 | "timeTo": "now", 53 | "timeFrom": "now-15d/d", 54 | "kibanaSavedObjectMeta": { 55 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 56 | } 57 | } 58 | }, 59 | { 60 | "_id": "WEB-SSH", 61 | "_type": "search", 62 | "_source": { 63 | "title": "WEB-SSH", 64 | "description": "", 65 | "hits": 0, 66 | "columns": [ 67 | "_type", 68 | "geoip.ip", 69 | "login", 70 | "username", 71 | "verb", 72 | "response", 73 | "useragent.name", 74 | "useragent.os", 75 | "geoip.country_name", 76 | "geoip.city_name" 77 | ], 78 | "sort": [ 79 | "@timestamp", 80 | 
"desc" 81 | ], 82 | "version": 1, 83 | "kibanaSavedObjectMeta": { 84 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 85 | } 86 | } 87 | }, 88 | { 89 | "_id": "WEB", 90 | "_type": "search", 91 | "_source": { 92 | "title": "WEB", 93 | "description": "", 94 | "hits": 0, 95 | "columns": [ 96 | "clientip", 97 | "verb", 98 | "request", 99 | "response", 100 | "geoip.country_name", 101 | "geoip.city_name", 102 | "useragent.name", 103 | "useragent.os" 104 | ], 105 | "sort": [ 106 | "@timestamp", 107 | "desc" 108 | ], 109 | "version": 1, 110 | "kibanaSavedObjectMeta": { 111 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:weblog\",\"analyze_wildcard\":true}}}" 112 | } 113 | } 114 | }, 115 | { 116 | "_id": "SSH", 117 | "_type": "search", 118 | "_source": { 119 | "title": "SSH", 120 | "description": "", 121 | "hits": 0, 122 | "columns": [ 123 | "syslog_date", 124 | "login", 125 | "username", 126 | "ip", 127 | "geoip.country_name", 128 | "geoip.city_name" 129 | ], 130 | "sort": [ 131 | "@timestamp", 132 | "desc" 133 | ], 134 | "version": 1, 135 | "kibanaSavedObjectMeta": { 136 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"type:sshlog\"}}}" 137 | } 138 | } 139 | }, 140 | { 141 | "_id": 
"Web-Attack-Response", 142 | "_type": "visualization", 143 | "_source": { 144 | "title": "Web-Attack-Response", 145 | "visState": "{\"title\":\"New Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"response\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 146 | "uiStateJSON": "{}", 147 | "description": "", 148 | "savedSearchId": "WEB", 149 | "version": 1, 150 | "kibanaSavedObjectMeta": { 151 | "searchSourceJSON": "{\"filter\":[]}" 152 | } 153 | } 154 | }, 155 | { 156 | "_id": "Web-Attack-Machine", 157 | "_type": "visualization", 158 | "_source": { 159 | "title": "Web-Attack-Machine", 160 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"response\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.os\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"OS\"}}],\"listeners\":{}}", 161 | "uiStateJSON": "{}", 162 | "description": "", 163 | "savedSearchId": "WEB", 164 | "version": 1, 165 | "kibanaSavedObjectMeta": { 166 | "searchSourceJSON": "{\"filter\":[]}" 167 | } 168 | } 169 | }, 170 | { 171 | "_id": "Web-Attack-Table", 172 | "_type": "visualization", 173 | "_source": { 174 | "title": "Web-Attack-Table", 175 | "visState": "{\"title\":\"Web-Attack-Table\",\"type\":\"table\",\"params\":{\"perPage\":6,\"showPartialRows\":true,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Hits\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"clientip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Attacker IP\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.city_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"City\"}}],\"listeners\":{}}", 176 | "uiStateJSON": "{}", 177 | "description": "", 178 | "savedSearchId": "WEB", 179 | "version": 1, 180 | 
"kibanaSavedObjectMeta": { 181 | "searchSourceJSON": "{\"filter\":[]}" 182 | } 183 | } 184 | }, 185 | { 186 | "_id": "Web-Attack-Count", 187 | "_type": "visualization", 188 | "_source": { 189 | "title": "Web-Attack-Count", 190 | "visState": "{\"title\":\"New Visualization\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 191 | "uiStateJSON": "{}", 192 | "description": "", 193 | "savedSearchId": "WEB", 194 | "version": 1, 195 | "kibanaSavedObjectMeta": { 196 | "searchSourceJSON": "{\"filter\":[]}" 197 | } 198 | } 199 | }, 200 | { 201 | "_id": "SSH-Attack-Response", 202 | "_type": "visualization", 203 | "_source": { 204 | "title": "SSH-Attack-Response", 205 | "visState": "{\"title\":\"Web-Attack-Response\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 206 | "uiStateJSON": "{}", 207 | "description": "", 208 | "version": 1, 209 | "kibanaSavedObjectMeta": { 210 | "searchSourceJSON": 
"{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:sshlog\",\"analyze_wildcard\":true}}}" 211 | } 212 | } 213 | }, 214 | { 215 | "_id": "SSH-Attack-Details", 216 | "_type": "visualization", 217 | "_source": { 218 | "title": "SSH-Attack-Details", 219 | "visState": "{\"title\":\"New Visualization\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Usernames\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", 220 | "uiStateJSON": "{}", 221 | "description": "", 222 | "savedSearchId": "SSH", 223 | "version": 1, 224 | "kibanaSavedObjectMeta": { 225 | "searchSourceJSON": "{\"filter\":[]}" 226 | } 227 | } 228 | }, 229 | { 230 | "_id": "SSH-Attack-Info", 231 | "_type": "visualization", 232 | "_source": { 233 | "title": "SSH-Attack-Info", 234 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 235 | "uiStateJSON": "{}", 236 | "description": "", 237 | "savedSearchId": "SSH", 238 | "version": 1, 239 | "kibanaSavedObjectMeta": { 240 | "searchSourceJSON": "{\"filter\":[]}" 241 | } 242 | } 243 | }, 244 | { 245 | "_id": "Web-Attack-Bytes", 246 | "_type": "visualization", 247 | "_source": { 248 | "title": "Web-Attack-Bytes", 249 | "visState": "{\"title\":\"Web-Attack-Bytes\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"40\"},\"aggs\":[{\"id\":\"1\",\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"bytes\",\"customLabel\":\"Bytes\"}}],\"listeners\":{}}", 250 | "uiStateJSON": "{}", 251 | "description": "", 252 | "savedSearchId": "WEB", 253 | "version": 1, 254 | "kibanaSavedObjectMeta": { 255 | "searchSourceJSON": "{\"filter\":[]}" 256 | } 257 | } 258 | }, 259 | { 260 | "_id": "SSH-Attack-Description", 261 | "_type": "visualization", 262 | "_source": { 263 | "title": "SSH-Attack-Description", 264 | "visState": "{\"title\":\"Web-Attack-Description\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# SSH Attack Dashboard\\n### Ninja Level Infrastructure Monitoring\"},\"aggs\":[],\"listeners\":{}}", 265 | "uiStateJSON": "{}", 266 | "description": "", 267 | "version": 1, 268 | "kibanaSavedObjectMeta": { 269 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 270 | } 271 | } 272 | }, 273 | { 274 | "_id": "SSH-Attack-Count", 275 | "_type": "visualization", 276 | 
"_source": { 277 | "title": "SSH-Attack-Count", 278 | "visState": "{\"title\":\"New Visualization\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 279 | "uiStateJSON": "{}", 280 | "description": "", 281 | "savedSearchId": "SSH", 282 | "version": 1, 283 | "kibanaSavedObjectMeta": { 284 | "searchSourceJSON": "{\"filter\":[]}" 285 | } 286 | } 287 | }, 288 | { 289 | "_id": "Web-Attack-Description", 290 | "_type": "visualization", 291 | "_source": { 292 | "title": "Web-Attack-Description", 293 | "visState": "{\"title\":\"Web-Attack-Description\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# Web Attack Dashboard\\n### Ninja Level Infrastructure Monitoring\"},\"aggs\":[],\"listeners\":{}}", 294 | "uiStateJSON": "{}", 295 | "description": "", 296 | "version": 1, 297 | "kibanaSavedObjectMeta": { 298 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 299 | } 300 | } 301 | }, 302 | { 303 | "_id": "Attack-Logs", 304 | "_type": "visualization", 305 | "_source": { 306 | "title": "Attack-Logs", 307 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Time\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}],\"listeners\":{}}", 308 | "uiStateJSON": "{}", 309 | "description": "", 310 | "savedSearchId": "WEB-SSH", 311 | "version": 1, 312 | "kibanaSavedObjectMeta": { 313 | "searchSourceJSON": "{\"filter\":[]}" 314 | } 315 | } 316 | }, 317 | { 318 | "_id": "Attack-Details-ssh", 319 | "_type": "visualization", 320 | "_source": { 321 | "title": "Attack-Details-ssh", 322 | "visState": "{\"title\":\"SSH-Attack-Details\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Usernames\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", 323 | "uiStateJSON": "{}", 324 | 
"description": "", 325 | "version": 1, 326 | "kibanaSavedObjectMeta": { 327 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 328 | } 329 | } 330 | }, 331 | { 332 | "_id": "Attack-Table-Web", 333 | "_type": "visualization", 334 | "_source": { 335 | "title": "Attack-Table-Web", 336 | "visState": "{\"title\":\"Web-Attack-Table\",\"type\":\"table\",\"params\":{\"perPage\":6,\"showPartialRows\":true,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Hits\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"clientip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Attacker IP\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.city_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"City\"}}],\"listeners\":{}}", 337 | "uiStateJSON": "{}", 338 | "description": "", 339 | "version": 1, 340 | "kibanaSavedObjectMeta": { 341 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 342 | } 343 | } 344 | }, 345 | { 346 | "_id": "Attack-Info-ssh", 347 | "_type": "visualization", 348 | "_source": { 349 | "title": "Attack-Info-ssh", 350 | "visState": 
"{\"title\":\"SSH-Attack-Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Login\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"login\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 351 | "uiStateJSON": "{}", 352 | "description": "", 353 | "version": 1, 354 | "kibanaSavedObjectMeta": { 355 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 356 | } 357 | } 358 | }, 359 | { 360 | "_id": "Attack-Logs-Type", 361 | "_type": "visualization", 362 | "_source": { 363 | "title": "Attack-Logs-Type", 364 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"overlap\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 365 | "uiStateJSON": "{}", 366 | "description": "", 367 | "savedSearchId": "WEB-SSH", 368 | "version": 1, 369 | "kibanaSavedObjectMeta": { 370 | "searchSourceJSON": "{\"filter\":[]}" 371 | } 372 | } 373 | }, 374 | { 375 | "_id": "Attack-Details", 376 | "_type": "visualization", 377 | "_source": { 378 | "title": "Attack-Details", 379 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.country_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 380 | "uiStateJSON": "{}", 381 | "description": "", 382 | "savedSearchId": "WEB-SSH", 383 | "version": 1, 384 | "kibanaSavedObjectMeta": { 385 | "searchSourceJSON": "{\"filter\":[]}" 386 | } 387 | } 388 | }, 389 | { 390 | "_id": "Attack-Unique-IP", 391 | 
"_type": "visualization", 392 | "_source": { 393 | "title": "Attack-Unique-IP", 394 | "visState": "{\"title\":\"New Visualization\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":60},\"aggs\":[{\"id\":\"1\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"geoip.ip\",\"customLabel\":\"Unique IP Count\"}}],\"listeners\":{}}", 395 | "uiStateJSON": "{}", 396 | "description": "", 397 | "savedSearchId": "WEB-SSH", 398 | "version": 1, 399 | "kibanaSavedObjectMeta": { 400 | "searchSourceJSON": "{\"filter\":[]}" 401 | } 402 | } 403 | }, 404 | { 405 | "_id": "Attack-Description", 406 | "_type": "visualization", 407 | "_source": { 408 | "title": "Attack-Description", 409 | "visState": "{\"title\":\"New Visualization\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# Attack Dashboard\\n### Ninja Level Infrastructure Monitoring\"},\"aggs\":[],\"listeners\":{}}", 410 | "uiStateJSON": "{}", 411 | "description": "", 412 | "version": 1, 413 | "kibanaSavedObjectMeta": { 414 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 415 | } 416 | } 417 | }, 418 | { 419 | "_id": "Attack-Machine-Web", 420 | "_type": "visualization", 421 | "_source": { 422 | "title": "Attack-Machine-Web", 423 | "visState": 
"{\"title\":\"Attack-Machine-Web\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"response\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"useragent.os\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"OS\"}}],\"listeners\":{}}", 424 | "uiStateJSON": "{}", 425 | "description": "", 426 | "version": 1, 427 | "kibanaSavedObjectMeta": { 428 | "searchSourceJSON": "{\"filter\":[],\"index\":\"filebeat-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 429 | } 430 | } 431 | } 432 | ] -------------------------------------------------------------------------------- /vm-content/dashboards/kibana-network.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Network-Dashboard", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "Network Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": 
"[{\"col\":1,\"id\":\"Top-N-Destinations\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Top-N-Sources\",\"panelIndex\":2,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Traffic-Applications\",\"panelIndex\":3,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":6,\"id\":\"Traffic-Over-Firewalls\",\"panelIndex\":4,\"row\":4,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Traffic-Over-Time\",\"panelIndex\":5,\"row\":4,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Top-N-Rules\",\"panelIndex\":6,\"row\":7,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Top-N-Users\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":3,\"size_y\":3,\"col\":10,\"row\":7}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": "{\"P-3\":{\"vis\":{\"legendOpen\":true}},\"P-4\":{\"vis\":{\"legendOpen\":false}},\"P-5\":{\"vis\":{\"legendOpen\":true}},\"P-6\":{\"vis\":{\"legendOpen\":false}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "2016-07-26T07:00:52.622Z", 15 | "timeFrom": "2016-07-26T06:58:30.000Z", 16 | "kibanaSavedObjectMeta": { 17 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 18 | } 19 | } 20 | }, 21 | { 22 | "_id": "Top-N-Sources", 23 | "_type": "visualization", 24 | "_source": { 25 | "title": "Top N Sources", 26 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SourceAddress\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 27 | "uiStateJSON": "{}", 28 | "description": "", 29 | "version": 1, 30 | 
"kibanaSavedObjectMeta": { 31 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 32 | } 33 | } 34 | }, 35 | { 36 | "_id": "Top-N-Destinations", 37 | "_type": "visualization", 38 | "_source": { 39 | "title": "Top N Destinations", 40 | "visState": "{\"title\":\"Top N Sources\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"DestinationAddress\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 41 | "uiStateJSON": "{}", 42 | "description": "", 43 | "version": 1, 44 | "kibanaSavedObjectMeta": { 45 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 46 | } 47 | } 48 | }, 49 | { 50 | "_id": "Traffic-Over-Time", 51 | "_type": "visualization", 52 | "_source": { 53 | "title": "Traffic Over Time", 54 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"overlap\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=tcp\",\"analyze_wildcard\":true}}},\"label\":\"\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=udp\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=icmp\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"Action=allow\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"Action=deny\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}", 55 | "uiStateJSON": "{}", 56 | "description": "", 57 | "version": 1, 58 | "kibanaSavedObjectMeta": { 59 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 60 | } 61 | } 62 | }, 63 | { 64 | "_id": "Traffic-Applications", 65 | "_type": "visualization", 66 | "_source": { 67 | "title": "Traffic Applications", 68 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"Application\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Applications\"}}],\"listeners\":{}}", 69 | "uiStateJSON": "{}", 70 | "description": "", 71 | "version": 1, 72 | "kibanaSavedObjectMeta": { 73 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 74 | } 75 | } 76 | }, 77 | { 78 | "_id": "Traffic-Over-Firewalls", 79 | "_type": "visualization", 80 | "_source": { 81 | "title": "Traffic Over Firewalls", 82 | "visState": "{\"title\":\"Traffic Types\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"SerialNum\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"Action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"Application\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 83 | "uiStateJSON": "{}", 84 | "description": "", 85 | "version": 1, 86 | 
"kibanaSavedObjectMeta": { 87 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 88 | } 89 | } 90 | }, 91 | { 92 | "_id": "Top-N-Rules", 93 | "_type": "visualization", 94 | "_source": { 95 | "title": "Top N Rules", 96 | "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"Rule\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 97 | "uiStateJSON": "{}", 98 | "description": "", 99 | "version": 1, 100 | "kibanaSavedObjectMeta": { 101 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 102 | } 103 | } 104 | }, 105 | { 106 | "_id": "Top-N-Users", 107 | "_type": "visualization", 108 | "_source": { 109 | "title": "Top N Users", 110 | "visState": "{\"title\":\"Top N Users\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SourceUser\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 111 | "uiStateJSON": "{}", 112 | "description": "", 113 | "version": 1, 114 | "kibanaSavedObjectMeta": { 115 | "searchSourceJSON": 
"{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 116 | } 117 | } 118 | } 119 | ] -------------------------------------------------------------------------------- /vm-content/exercise/custom: -------------------------------------------------------------------------------- 1 | #custom 2 | NASPORT [\w]{3}[0-9]+ 3 | COMMAND (.*) 4 | PAMESSAGE .*,TRAFFIC,.* 5 | PADATETIME %{SYSLOGTIMESTAMP}|%{TIMESTAMP_ISO8601} 6 | 7 | CISCOPROG (?:%[\w._/-]+) 8 | CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{WORD})? 9 | CISCOBASE (?:%{NUMBER:counter})?: (?:%{SYSLOGHOST:logsource}: )?(:?\*)?%{CISCOTIMESTAMP:device_timestamp}: (?:%{CISCOPROG:program}:)? 10 | 11 | CISCOLINE %{CISCOBASE} %{GREEDYDATA:message} 12 | ASA %ASA- 13 | FACILITY [A-Z0-9]+[^-]|[A-Z0-9]+[^-]-[A-Z0-9]+[^-] 14 | SEVERITY [0,1,2,3,4,5,6,7] 15 | MNEMONIC [A-Z0-9]+[^:] 16 | CISCOFACSEVMNEM %%{FACILITY:facility}-%{SEVERITY:severity}-%{MNEMONIC:mnemonic}: 17 | IPPROTOCOL (tcp|udp|icmp) 18 | -------------------------------------------------------------------------------- /vm-content/exercise/elasticsearch-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "template" : "logstash-*", 3 | "settings" : { 4 | "index.refresh_interval" : "5s" 5 | }, 6 | "mappings" : { 7 | "_default_" : { 8 | "_all" : {"enabled" : true}, 9 | "dynamic_templates" : [ { 10 | "message_field" : { 11 | "match" : "message", 12 | "match_mapping_type" : "string", 13 | "mapping" : { 14 | "type" : "string", "index" : "analyzed", "omit_norms" : true 15 | } 16 | } 17 | }, { 18 | "string_fields" : { 19 | "match" : "*", 20 | "match_mapping_type" : "string", 21 | "mapping" : { 22 | "type" : "string", "index" : "analyzed", "omit_norms" : true, 23 | "fields" : { 24 | "raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256} 25 | } 26 | } 27 | } 28 | } ], 29 | "properties" : { 30 | "@version": { "type": 
"string", "index": "not_analyzed" }, 31 | "geoip" : { 32 | "type" : "object", 33 | "dynamic": true, 34 | "path": "full", 35 | "properties" : { 36 | "location" : { "type" : "geo_point", "lat_lon" : true, "geohash" : true } 37 | } 38 | }, 39 | "SourceGeo" : { 40 | "type" : "object", 41 | "dynamic": true, 42 | "path": "full", 43 | "properties" : { 44 | "location" : { "type" : "geo_point", "lat_lon" : true, "geohash" : true } 45 | } 46 | }, 47 | "DestinationGeo" : { 48 | "type" : "object", 49 | "dynamic": true, 50 | "path": "full", 51 | "properties" : { 52 | "location" : { "type" : "geo_point", "lat_lon" : true, "geohash" : true } 53 | } 54 | } 55 | } 56 | } 57 | } 58 | } -------------------------------------------------------------------------------- /vm-content/exercise/kibana-network.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "Network-Dashboard", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "Network Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": "[{\"col\":1,\"id\":\"Top-N-Destinations\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Top-N-Sources\",\"panelIndex\":2,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Traffic-Applications\",\"panelIndex\":3,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":6,\"id\":\"Traffic-Over-Firewalls\",\"panelIndex\":4,\"row\":4,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Traffic-Over-Time\",\"panelIndex\":5,\"row\":4,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Top-N-Rules\",\"panelIndex\":6,\"row\":7,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Top-N-Users\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":3,\"size_y\":3,\"col\":10,\"row\":7}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": 
"{\"P-3\":{\"vis\":{\"legendOpen\":true}},\"P-4\":{\"vis\":{\"legendOpen\":false}},\"P-5\":{\"vis\":{\"legendOpen\":true}},\"P-6\":{\"vis\":{\"legendOpen\":false}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "2016-07-26T07:00:52.622Z", 15 | "timeFrom": "2016-07-26T06:58:30.000Z", 16 | "kibanaSavedObjectMeta": { 17 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 18 | } 19 | } 20 | }, 21 | { 22 | "_id": "Top-N-Sources", 23 | "_type": "visualization", 24 | "_source": { 25 | "title": "Top N Sources", 26 | "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SourceAddress\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 27 | "uiStateJSON": "{}", 28 | "description": "", 29 | "version": 1, 30 | "kibanaSavedObjectMeta": { 31 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 32 | } 33 | } 34 | }, 35 | { 36 | "_id": "Top-N-Destinations", 37 | "_type": "visualization", 38 | "_source": { 39 | "title": "Top N Destinations", 40 | "visState": "{\"title\":\"Top N Sources\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"DestinationAddress\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 41 | "uiStateJSON": "{}", 42 | "description": "", 43 | "version": 1, 44 | "kibanaSavedObjectMeta": { 45 | "searchSourceJSON": 
"{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 46 | } 47 | } 48 | }, 49 | { 50 | "_id": "Traffic-Over-Time", 51 | "_type": "visualization", 52 | "_source": { 53 | "title": "Traffic Over Time", 54 | "visState": "{\"title\":\"New Visualization\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"overlap\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=tcp\",\"analyze_wildcard\":true}}},\"label\":\"\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=udp\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"IPProtocol=icmp\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"Action=allow\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"Action=deny\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}", 55 | "uiStateJSON": "{}", 56 | "description": "", 57 | "version": 1, 58 | "kibanaSavedObjectMeta": { 59 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 60 | } 61 | } 62 | }, 63 | { 64 | "_id": "Traffic-Applications", 65 | "_type": "visualization", 66 | "_source": { 67 | "title": "Traffic Applications", 68 | "visState": "{\"title\":\"New 
Visualization\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"Application\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Applications\"}}],\"listeners\":{}}", 69 | "uiStateJSON": "{}", 70 | "description": "", 71 | "version": 1, 72 | "kibanaSavedObjectMeta": { 73 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 74 | } 75 | } 76 | }, 77 | { 78 | "_id": "Traffic-Over-Firewalls", 79 | "_type": "visualization", 80 | "_source": { 81 | "title": "Traffic Over Firewalls", 82 | "visState": "{\"title\":\"Traffic Types\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"SerialNum\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"Action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"Application\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 83 | "uiStateJSON": "{}", 84 | "description": "", 85 | "version": 1, 86 | 
"kibanaSavedObjectMeta": { 87 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 88 | } 89 | } 90 | }, 91 | { 92 | "_id": "Top-N-Rules", 93 | "_type": "visualization", 94 | "_source": { 95 | "title": "Top N Rules", 96 | "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"GenerateTime\",\"interval\":\"s\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"Rule\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 97 | "uiStateJSON": "{}", 98 | "description": "", 99 | "version": 1, 100 | "kibanaSavedObjectMeta": { 101 | "searchSourceJSON": "{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 102 | } 103 | } 104 | }, 105 | { 106 | "_id": "Top-N-Users", 107 | "_type": "visualization", 108 | "_source": { 109 | "title": "Top N Users", 110 | "visState": "{\"title\":\"Top N Users\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SourceUser\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 111 | "uiStateJSON": "{}", 112 | "description": "", 113 | "version": 1, 114 | "kibanaSavedObjectMeta": { 115 | "searchSourceJSON": 
"{\"index\":\"network-logs\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 116 | } 117 | } 118 | } 119 | ] -------------------------------------------------------------------------------- /vm-content/exercise/network.conf: -------------------------------------------------------------------------------- 1 | input { 2 | 3 | file { 4 | 5 | path => "/home/ninja/log-samples/network.log" 6 | start_position => "beginning" 7 | ignore_older => 0 8 | 9 | } 10 | } 11 | 12 | filter { 13 | 14 | csv { 15 | 16 | columns => [ "PaloAltoDomain","ReceiveTime","SerialNum","Type","Threat-ContentType","ConfigVersion","GenerateTime","SourceAddress","DestinationAddress","NATSourceIP","NATDestinationIP","Rule","SourceUser","DestinationUser","Application","VirtualSystem","SourceZone","DestinationZone","InboundInterface","OutboundInterface","LogAction","TimeLogged","SessionID","RepeatCount","SourcePort","DestinationPort","NATSourcePort","NATDestinationPort","Flags","IPProtocol","Action","Bytes","BytesSent","BytesReceived","Packets","StartTime","ElapsedTimeInSec","Category","Padding","seqno","actionflags","SourceCountry","DestinationCountry","cpadding","pkts_sent","pkts_received" ] 17 | 18 | } 19 | } 20 | 21 | output { 22 | 23 | elasticsearch { 24 | 25 | index => "network-logs" 26 | 27 | } 28 | 29 | #stdout { codec => rubydebug } 30 | 31 | } -------------------------------------------------------------------------------- /vm-content/log-samples/ddos.log: -------------------------------------------------------------------------------- 1 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 2 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 3 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 4 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 
33832 ssh2 5 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 6 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 7 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 8 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 9 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 10 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 11 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 12 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 13 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 14 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 15 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 16 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 17 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 18 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 19 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 20 | Jul 20 12:30:43 app-corp-prod sshd[10951]: Failed password for root from 111.111.111.111 port 33832 ssh2 21 | -------------------------------------------------------------------------------- /vm-content/log-samples/filebeat.tar.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/appsecco/defcon24-infra-monitoring-workshop/6416500d61b04bb9505208a67dd82cc669883a04/vm-content/log-samples/filebeat.tar.gz --------------------------------------------------------------------------------
