Skip to content

Importing Results Into Elastic Stack

DustInDark edited this page Apr 21, 2022 · 1 revision

Start an elastic stack distribution

Hayabusa results can easily be imported into Elastic Stack. We recommend using SOF-ELK, a free elastic stack Linux distro focused on DFIR investigations.

First download and unzip the SOF-ELK 7-zipped VMware image from http://for572.com/sof-elk-vm.

  • Username: elk_user
  • Password: forensics

When you boot up the VM, you will get a screen similar to below:

SOF-ELK Bootup

Open Kibana in a web browser according to the URL displayed. For example: http://172.16.62.130:5601/

Note: it may take a while for Kibana to load.

You should see a webpage as follows:

SOF-ELK Kibana

Import the CSV results

Click the sidebar icon in top-lefthand corner and open Integrations.

Integrations

Type in csv in the search bar and click Upload a file:

CSV Upload

After uploading the CSV file, click Override settings to specify the correct timestamp format:

Override Settings

As shown below, perform the following changes and then click Apply:

  1. Change Timestamp format to custom.
  2. Specify the format as yyyy-MM-dd HH:mm:ss.SSS XXX
  3. Change the Time field to Timestamp.

Override Settings Config

Now click Import in the bottom left-hand corner.

CSV Import

As shown below, click on Advanced and perform the following settings before clicking Import:

  1. Title the Index name as evtxlogs-hayabusa.
  2. Under Index settings, add , "number_of_replicas": 0 so that the index health status does not turn yellow.
  3. Under Mappings, change the RuleTitle type of text to keyword so that we can do statistics on the rule titles and change the EventID type of long to keyword in order to import without errors.
  4. Under Ingest pipeline, add , "field": "Timestamp" under the remove section. Timestamps will be displayed as @timestamp so this duplicate field is not needed. Also, delete the following in order to import without errors:
     {
       "convert": {
         "field": "EventID",
         "type": "long",
         "ignore_missing": true
       }
     },
    

Settings should look similar to below:

Import Data Settings

After importing, you should receive something similar to below:

Import Finish

You can now click View index in Discover to view the results.

Analyzing results

The default Discover view should look similar to this:

Discover View

You can get an overview of when the events happened and frequency of events by looking at the histogram at top.

In the left-side sidebar, you can add fields you want to display in the columns by clicking the plus sign after hovering over a field:

Adding Columns

To start off, we recommend the following columns:

Recommended Columns

Your Discover view should now look like this:

Discover With Columns

You can filter with KQL to search for certain events and alerts. For example:

  • Level: "critical": Just show critical alerts.
  • Level: "critical" or Level: "high": Show high and critical alerts.
  • NOT Level:info: Do not show informational events, only alerts.
  • *LatMov*: Show events and alerts related to lateral movement.
  • "Password Spray": Only show specific attacks such as "Password Spray".
  • "LID: 0x8724ead": Display all activity associated with Logon ID 0x8724ead.

Hayabusa Dashboard

We have exported a simple Hayabusa Dashboard in JSON to download here

To import the dashboard, open the left sidebar and click Stack Management under Management.

Stack Management

After clicking Saved Objects, please click Import in the upper right-hand corner and import the Hayabusa Dashboard JSON file you downloaded.

Import Dashboard

You should now be able to use the dashboard shown below:

Hayabusa Dashboard-1

Hayabussa Dashboard-2

Future Plans

We plan on creating Hayabusa logstash parsers and a dashboard pre-built for SOF-ELK so that all you will need to do is copy the CSV results file to a directory in order to ingest the logs.

Acknowledgements

Much of this documentation was taken from the blog write-up in Japanese from @kzzzzo2 here.

Many thanks to @kzzzzo2!

Clone this wiki locally