
How to Elastic SIEM (part 2)
This is a continuation of the previous story. This time we will look at the Detections tab in Elastic SIEM. Our goal is to automate IOC detection using proven rules. As a reminder: we installed Elasticsearch + Kibana on one of the VMs. We monitor an Ubuntu VM (Auditbeat, Filebeat, Packetbeat) and a Windows 10 VM (Winlogbeat), although in this story we will focus on the Windows VM.

How to unlock Detections in Elastic SIEM?
We have to:
- Secure Elasticsearch - Kibana communication with TLS
- Enable xpack.security in Elasticsearch
- Set xpack.encryptedSavedObjects.encryptionKey in Kibana
Securing Elasticsearch
In this case we have a single-node Elasticsearch cluster, so all we need to do is append one line to /etc/elasticsearch/elasticsearch.yml:
xpack.security.enabled: true
and restart the Elasticsearch service:
service elasticsearch restart
Note: With a multi-node cluster it will not be this easy. You need to secure communication between…
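The checklist above boils down to two config lines, one in elasticsearch.yml and one in kibana.yml. The script below is an added example (not code from the original story or from Elastic) that applies them idempotently to whatever file paths you pass in, generates a random encryption key of the required length, and verifies the result. The file paths, the helper names and the generated key are all assumptions of this example; the settings themselves are the ones listed in the story.

```shell
#!/bin/sh
# Added example, not from the original story: idempotently apply the two
# settings from the checklist (xpack.security.enabled in elasticsearch.yml,
# xpack.encryptedSavedObjects.encryptionKey in kibana.yml) and verify them.
# Paths are parameters, so it can be dry-run on temporary copies first.

# Print the value of KEY in FILE (empty if the key is not set).
get_yaml_key() {
  file=$1; key=$2
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s|^${esc}:[[:space:]]*||p" "$file" 2>/dev/null | tail -n 1
}

# Set KEY to VALUE in FILE: replace an existing line, else append one.
# The rewrite goes through cat so the file keeps its owner and mode
# (the elasticsearch/kibana service users must still be able to read it).
set_yaml_key() {
  file=$1; key=$2; value=$3
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')
  touch "$file"
  if grep -q "^${esc}:" "$file"; then
    tmp=$(mktemp)
    sed "s|^${esc}:.*|${key}: ${value}|" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# 64 hex characters from the kernel RNG. Kibana requires at least 32
# characters for xpack.encryptedSavedObjects.encryptionKey.
gen_encryption_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Apply the checklist. An existing encryption key is kept: changing it makes
# saved objects that were encrypted with the old key unreadable.
apply_siem_prereqs() {
  es_yml=$1; kb_yml=$2
  set_yaml_key "$es_yml" xpack.security.enabled true
  if [ -z "$(get_yaml_key "$kb_yml" xpack.encryptedSavedObjects.encryptionKey)" ]; then
    set_yaml_key "$kb_yml" xpack.encryptedSavedObjects.encryptionKey "$(gen_encryption_key)"
  fi
}

# Return 0 when security is enabled and the Kibana key is long enough.
check_siem_prereqs() {
  es_yml=$1; kb_yml=$2
  [ "$(get_yaml_key "$es_yml" xpack.security.enabled)" = true ] || return 1
  key=$(get_yaml_key "$kb_yml" xpack.encryptedSavedObjects.encryptionKey)
  [ ${#key} -ge 32 ]
}

# Example run on the real paths (requires root):
#   apply_siem_prereqs /etc/elasticsearch/elasticsearch.yml /etc/kibana/kibana.yml
#   check_siem_prereqs /etc/elasticsearch/elasticsearch.yml /etc/kibana/kibana.yml && echo ok
#   service elasticsearch restart && service kibana restart
```

Run check_siem_prereqs before and after a restart: it tells you whether the config on disk matches the checklist, which is cheaper than waiting for the Detections tab to complain. One caveat the story has not reached yet: once xpack.security.enabled is true, Elasticsearch rejects unauthenticated requests, so Kibana will not reconnect until its built-in user has a password and that password is set in kibana.yml.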