- Logging in to Kibana to view logs
- Check that logs are being received
- Enable the default detection rules
- Kibana basics
Once chapters 1 to 3 are complete, you can import an existing set of Kibana dashboards, which will visualize the logs, and answer questions like 'What patch level are the clients running?'.
In a web browser, navigate to https://your_Linux_server
and authenticate with the credentials provided in Chapter 3.2.
As of LME version 0.4, the install process automatically handles the initial index creation and imports the dashboards. After logging in to Kibana, the dashboards should be visible under the "Dashboard" tab on the left-hand side.
If the initial dashboard import has an error, you can reattempt the upload by running the dashboard update script created within the root LME directory (NOT the one in 'Chapter 3 Files'):
```
sudo /opt/lme/dashboard_update.sh
```
🛠️ If this does not resolve the issue or you wish to manually import the dashboards, see Troubleshooting: Manual Dashboard Install for the previous installation instructions.
From the Elastic home page, click the hamburger icon on the left, select "Analytics," click "Dashboard," and then select "User Security" to show a dashboard similar to Figure 2.
Figure 2 - The LME NEW - User Security - Overview
In the top right-hand corner, click the calendar icon to the left of "Last 15 minutes" and select "Today" to restrict the date range to today's data. The dashboard then accurately reflects the machines that have been sending logs. Changing to "Last 7 days" is useful to visualize logs over time.
Click on the hamburger icon on the top left, then under "Security," navigate to "Alerts" (in older versions, this may be titled "Detections").
Navigate to "Manage Rules" (In older versions, this may be titled "Manage Detection Rules"):
Select the option to "Load Elastic prebuilt rules and timeline templates":
Once the prebuilt Elastic rules are installed, filter from the "Tags" option and select "Windows":
Ensure that the maximum number of rows is shown so that all relevant rules can be selected at once (recent versions include a "Select All" option for rows):
Select all the displayed rules, expand "Bulk actions" and choose "Enable":
In recent versions of Elastic that include Machine Learning rules (rules with the "ML" tag), you may receive errors when performing bulk actions:
Rules without the "ML" tag are still enabled by this bulk action, regardless of this error message. Using "ML" rules requires Machine Learning to be enabled, which is part of the Enterprise and Platinum Elastic subscriptions.
Depending on the environment, exceptions may be added to some of the built-in Elastic rules shown above to prevent false positives. These will be specific to your environment and should be tightly scoped so that they do not exclude potentially malicious behavior, but they can be useful for filtering out some of LME's own benign activity (for example, preventing the Sysmon update script from creating alerts).
An example is shown below, with further information available here.
First, navigate to the "Manage Detection Rules" section as described above, and then search for and select the rule you wish to add an exception for:
Then navigate to the "Exceptions" tab above the "Trend" section and then select "Add new exception":
Next, configure the necessary exception, taking care to ensure that it is tightly scoped and will not inadvertently prevent detection of actual malicious behavior:
Note that in this instance the following command line value has been added as an exception. The testme.local domain would need updating to match the location where you installed the update batch script during the LME installation, which is the same value used to update the scheduled task as described here:
```
C:\Windows\SYSTEM32\cmd.exe /c "\\testme.local\SYSVOL\testme.local\Sysmon\update.bat"
```
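To make the "tightly scoped" advice concrete, the following added example (not part of the LME documentation or tooling) replays a few constructed Sysmon process events against two exception styles: an exact match on the full command line, as shown above, and a loose wildcard pattern. The field name process.command_line follows ECS as used in Kibana; the "is" and "matches" operator names mirror the exception builder's exact-match and wildcard operators, which is an assumption about your Kibana version.

```python
import fnmatch

# Constructed sample events (ECS-style field names). testme.local is the
# placeholder domain from the documentation, not a real environment.
EXACT_VALUE = r'C:\Windows\SYSTEM32\cmd.exe /c "\\testme.local\SYSVOL\testme.local\Sysmon\update.bat"'

EVENTS = [
    # The benign LME update task: the only event we want to suppress.
    {"id": "benign-lme-update", "process.command_line": EXACT_VALUE},
    # Same script name launched from a different, unexpected share.
    {"id": "other-share",
     "process.command_line": r'C:\Windows\SYSTEM32\cmd.exe /c "\\other.local\share\update.bat"'},
    # The expected path, but with a second command chained onto it.
    {"id": "extra-args",
     "process.command_line": EXACT_VALUE + " && hostname"},
]


def matches_exception(event, field, value, operator="is"):
    """Return True when the event would be suppressed by the exception.

    'is'      -> exact, case-sensitive comparison of the whole field value
    'matches' -> shell-style wildcard pattern (assumed to model a loose rule)
    """
    actual = event.get(field, "")
    if operator == "is":
        return actual == value
    if operator == "matches":
        return fnmatch.fnmatchcase(actual, value)
    raise ValueError(f"unsupported operator: {operator}")


def suppressed_ids(events, field, value, operator="is"):
    """IDs of the events an exception would hide from the alert list."""
    return sorted(e["id"] for e in events
                  if matches_exception(e, field, value, operator))


if __name__ == "__main__":
    # Exact match hides only the known-good update task.
    print("is:", suppressed_ids(EVENTS, "process.command_line", EXACT_VALUE))
    # A wildcard on the script name also hides the two events that should
    # still raise alerts, which is the over-scoping the text warns about.
    print("matches:", suppressed_ids(EVENTS, "process.command_line",
                                     "*update.bat*", "matches"))
```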
Elasticsearch has provided a number of videos exploring the features of Kibana and how to create new dashboards and analytics. https://www.youtube.com/playlist?list=PLhLSfisesZIvA8ad1J2DSdLWnTPtzWSfI
Kibana's most useful features are as follows:
Found under "Analytics" -> "Dashboard," dashboards visualize LME data. LME comes with several dashboards. Take some time to get familiar with the different dashboards already available. If interested in creating custom dashboards, see the link above for starting points offered by Elasticsearch.
Note: If you make changes to the dashboards that LME provides, be sure to save your changes to a dashboard with a different name. Otherwise, your changes will be overwritten when you upgrade LME.
Found under "Analytics" -> "Discover," Discover allows you to view raw events and craft custom filters to find events of interest. For example, to inspect all DNS queries made on a computer named "Example-1," you could enter the following query where it says "Filter your data using KQL syntax":
```
event.code: 22 and host.name: Example-1
```
See Kibana Query Language for more information on building queries like this.
Found under "Security" -> "Alerts," alerts are a powerful tool that helps automate the detection of suspicious events. Review section 4.2 Enable Alerts for help configuring alerts. See Detections and alerts to learn more.