The Detection Engine has been built into Elastic SIEM since Elastic Stack 7.6. With it we can create detection rules that flag the events we are interested in. Elastic Security 7.6 shipped with 92 prebuilt threat-hunting and security-analysis detection rules mapped to MITRE ATT&CK. It also introduced signals in Elastic SIEM, which carry risk and severity scores derived from these rules so that analysts can triage effectively. In the previous article, “Getting Started with Elastic Security,” I showed how to import the prebuilt rules and let them detect the events we are interested in.
In today’s article, I’ll show you how to create a custom rule in Kibana and use it to detect the events we care about.
Preparation
Before today’s exercise, I need you to read my previous article:
1) Elastic: Start with Elastic Security
Install the Elastic Stack and the Endpoint agent as described in that article. Note that we do not need to enable all of the prebuilt detection rules: in today’s exercise we will write our own rule to catch the events we are interested in. Start the Elastic Stack and the Endpoint agent. We can then see some statistics in Kibana:
2) Elasticsearch: EQL start – Use EQL to detect threats
You need to have some basic understanding of EQL. We will use EQL to create rules.
Create rules
In today’s exercise, we will create a rule that detects the following commands being executed in this order, all within 60 seconds:
cmd.exe
powershell.exe
tasklist.exe
whoami.exe
This may not be a realistic attack pattern, but our focus is on how to use the Detection Engine to capture such a sequence of events.
Familiarize yourself with EQL queries
As shown above, the data is visible in Elastic Security. But how do we query the data generated by the Endpoint agent? Let’s open the Fleet user interface:
Here you can see the different categories of data: file, library, process, security and so on. For today’s query we only care about the process data. Note that this data is stored in data streams. If you are not familiar with data streams, please read my previous article “Data Stream for Index lifecycle management”. So how do we query this data?
Go back to Kibana Dev Tools and type the following command:
GET _cat/indices/.ds-logs*
The above command lists the backing indices of all data streams whose names start with .ds-logs.
In our case, we are interested in the index .ds-logs-endpoint.events.process-default, whose category is process. How do we access this index? You can read “An Introduction to the Elastic Data Stream Naming Scheme”, and of course my previous article “Data Stream in Index Lifecycle Management”. We access the data stream as follows:
GET logs-endpoint.events.process-default/_search
The above query displays the process event documents stored in this data stream.
The category of each of these documents is process. Now, in Windows PowerShell, run cmd.exe as follows:
Then run the following EQL query in Kibana:
GET logs-endpoint.events.process-default/_eql/search
{
"query": """
process where process.name == "cmd.exe"
"""
}
Above, we query the process category for events whose process.name is cmd.exe, and the query returns the matching process events. These are clearly the events we want.
Now let’s go back to our original task: detect the following commands being executed in this order within 60 seconds:
cmd.exe
powershell.exe
tasklist.exe
whoami.exe
To do this, we need to use the following EQL for the query:
GET logs-endpoint.events.process-default/_eql/search
{
"query": """
sequence with maxspan=60s
[ process where process.name == "cmd.exe" ]
[ process where process.name == "powershell.exe" ]
[ process where process.name == "tasklist.exe" ]
[ process where process.name == "whoami.exe" ]
"""
}
As shown above, we define a window of 60 seconds in which cmd.exe, then powershell.exe, then tasklist.exe and finally whoami.exe must appear; only commands executed in this order count as a match. We then run these commands in order from powershell.exe on Windows:
Running the EQL query above returns the matched sequence:
From the query result we can see that cmd.exe is executed by powershell.exe, followed by tasklist.exe and whoami.exe. This confirms that our EQL query is correct.
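To make the `sequence with maxspan=60s` semantics concrete, here is an added example (not code from the article or from Elastic) that replays the same four-stage match over constructed process events in Python. It is a simplified model of EQL's sequence matching: stages must arrive in order, unrelated events in between are ignored, and a partial match is abandoned once the 60 s window measured from its first event expires.

```python
from datetime import datetime, timedelta

# The four stages of the article's rule in the order the EQL sequence expects
# them; MAXSPAN mirrors "sequence with maxspan=60s".
STAGES = ["cmd.exe", "powershell.exe", "tasklist.exe", "whoami.exe"]
MAXSPAN = timedelta(seconds=60)
# Each event is (@timestamp, process.name). Constructed sample data, not real
# endpoint output: one sequence completes, one overruns the 60 s window, one
# has its stages in the wrong order.
SAMPLE_EVENTS = [
    (datetime(2021, 1, 31, 3, 50, 0), "cmd.exe"),
    (datetime(2021, 1, 31, 3, 50, 3), "explorer.exe"),   # noise between stages
    (datetime(2021, 1, 31, 3, 50, 5), "powershell.exe"),
    (datetime(2021, 1, 31, 3, 50, 10), "tasklist.exe"),
    (datetime(2021, 1, 31, 3, 50, 20), "whoami.exe"),    # completes in 20 s
    (datetime(2021, 1, 31, 3, 51, 0), "cmd.exe"),
    (datetime(2021, 1, 31, 3, 51, 30), "powershell.exe"),
    (datetime(2021, 1, 31, 3, 52, 10), "tasklist.exe"),  # 70 s after cmd.exe
    (datetime(2021, 1, 31, 3, 52, 20), "whoami.exe"),
    (datetime(2021, 1, 31, 3, 55, 0), "cmd.exe"),
    (datetime(2021, 1, 31, 3, 55, 5), "powershell.exe"),
    (datetime(2021, 1, 31, 3, 55, 10), "whoami.exe"),    # out of order
    (datetime(2021, 1, 31, 3, 55, 15), "tasklist.exe"),
]

def find_sequences(events, stages=STAGES, maxspan=MAXSPAN):
    """Return each completed match: one event per stage, in order, with the last
    at most maxspan after the first. Unrelated events are skipped, as in EQL."""
    partial = []   # in-progress matches, each a list of events
    matched = []
    for e in sorted(events):
        # A partial match whose window has expired can never complete.
        partial = [p for p in partial if e[0] - p[0][0] <= maxspan]
        advanced = False
        for p in partial:
            if stages[len(p)] == e[1]:   # e is the stage p is waiting for
                p.append(e)
                advanced = True
                if len(p) == len(stages):
                    matched.append(p)
                    partial.remove(p)
                break
        if not advanced and e[1] == stages[0]:
            partial.append([e])          # every cmd.exe may start a sequence
    return matched

if __name__ == "__main__":
    for seq in find_sequences(SAMPLE_EVENTS):
        print(" -> ".join(f"{name}@{ts:%H:%M:%S}" for ts, name in seq))
```

Only the first group of events matches; widening maxspan to 120 s also admits the second group, which is exactly the knob you tune when a rule is too noisy or too strict.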
Creating detection rules
Now that we’re familiar with EQL queries, in this section I’ll show you how to create a rule that checks for the events above.
We choose to run the rule every minute:
We choose not to add any actions. Of course, you can configure an action as follows:
Click Create & Activate Rule:
We have now created our custom rule, and it is currently in the Activated state. Enter the following commands in Windows PowerShell:
cmd.exe
powershell.exe
tasklist.exe
whoami.exe
We made sure that the above commands were executed in order and within 60 seconds. Let’s switch to the Detections interface:
Above we can see a newly generated alert, triggered by the Detect_cmd_powershell_tasklist_whoami rule. We can analyze this alert further.
That’s all for today’s exercise. I hope this simple event detection has given you a preliminary understanding of the Detection Engine.