-
Notifications
You must be signed in to change notification settings - Fork 207
Importing Results Into Elastic Stack
Hayabusa results can easily be imported into Elastic Stack. We recommend using SOF-ELK, a free elastic stack Linux distro focused on DFIR investigations.
First download and unzip the SOF-ELK 7-zipped VMware image from http://for572.com/sof-elk-vm.
- Username:
elk_user
- Password:
forensics
When you boot up the VM, you will get a screen similar to below:
Open Kibana in a web browser according to the URL displayed. For example: http://172.16.62.130:5601/
Note: it may take a while for Kibana to load.
You should see a webpage as follows:
Click the sidebar icon in top-lefthand corner and open Integrations
.
Type in csv
in the search bar and click Upload a file
:
After uploading the CSV file, click Override settings
to specify the correct timestamp format:
As shown below, perform the following changes and then click Apply
:
- Change
Timestamp format
tocustom
. - Specify the format as
yyyy-MM-dd HH:mm:ss.SSS XXX
- Change the
Time field
toTimestamp
.
Now click Import
in the bottom left-hand corner.
As shown below, click on Advanced
and perform the following settings before clicking Import
:
- Title the
Index name
asevtxlogs-hayabusa
. - Under
Index settings
, add, "number_of_replicas": 0
so that the index health status does not turn yellow. - Under
Mappings
, change theRuleTitle
type oftext
tokeyword
so that we can do statistics on the rule titles and change theEventID
type oflong
tokeyword
in order to import without errors. - Under
Ingest pipeline
, add, "field": "Timestamp"
under theremove
section. Timestamps will be displayed as@timestamp
so this duplicate field is not needed. Also, delete the following in order to import without errors:{ "convert": { "field": "EventID", "type": "long", "ignore_missing": true } },
Settings should look similar to below:
After importing, you should receive something similar to below:
You can now click View index in Discover
to view the results.
The default Discover view should look similar to this:
You can get an overview of when the events happened and frequency of events by looking at the histogram at top.
In the left-side sidebar, you can add fields you want to display in the columns by clicking the plus sign after hovering over a field:
To start off, we recommend the following columns:
Your Discover view should now look like this:
You can filter with KQL to search for certain events and alerts. For example:
-
Level: "critical"
: Just show critical alerts. -
Level: "critical" or Level: "high"
: Show high and critical alerts. -
NOT Level:info
: Do not show informational events, only alerts. -
*LatMov*
: Show events and alerts related to lateral movement. -
"Password Spray"
: Only show specific attacks such as "Password Spray". -
"LID: 0x8724ead"
: Display all activity associated with Logon ID 0x8724ead.
We have exported a simple Hayabusa Dashboard in JSON to download here
To import the dashboard, open the left sidebar and click Stack Management
under Management
.
After clicking Saved Objects
, please click Import
in the upper right-hand corner and import the Hayabusa Dashboard JSON file you downloaded.
You should now be able to use the dashboard shown below:
We plan on creating Hayabusa logstash parsers and a dashboard pre-built for SOF-ELK so that all you will need to do is copy the CSV results file to a directory in order to ingest the logs.
Much of this documentation was taken from the blog write-up in Japanese from @kzzzzo2 here.
Many thanks to @kzzzzo2!