4.8 KiB
Importing Results Into Elastic Stack
Start an elastic stack distribution
Hayabusa results can easily be imported into Elastic Stack. We recommend using SOF-ELK, a free elastic stack Linux distro focused on DFIR investigations.
First download and unzip the SOF-ELK 7-zipped VMware image from http://for572.com/sof-elk-vm.
- Username:
elk_user - Password:
forensics
When you boot up the VM, you will get a screen similar to below:
Open Kibana in a web browser according to the URL displayed. For example: http://172.16.62.130:5601/
Note: it may take a while for Kibana to load.
You should see a webpage as follows:
Import the CSV results
Click the sidebar icon in top-lefthand corner and open Integrations.
Type in csv in the search bar and click Upload a file:
After uploading the CSV file, click Override settings to specify the correct timestamp format:
As shown below, perform the following changes and then click Apply:
- Change
Timestamp formattocustom. - Specify the format as
yyyy-MM-dd HH:mm:ss.SSS XXX - Change the
Time fieldtoTimestamp.
Now click Import in the bottom left-hand corner.
As shown below, click on Advanced and perform the following settings before clicking Import:
- Title the
Index nameasevtxlogs-hayabusa. - Under
Index settings, add, "number_of_replicas": 0so that the index health status does not turn yellow. - Under
Mappings, change theRuleTitletype oftexttokeywordso that we can do statistics on the rule titles and change theEventIDtype oflongtokeywordin order to import without errors. - Under
Ingest pipeline, add, "field": "Timestamp"under theremovesection. Timestamps will be displayed as@timestampso this duplicate field is not needed. Also, delete the following in order to import without errors:{ "convert": { "field": "EventID", "type": "long", "ignore_missing": true } },
Settings should look similar to below:
After importing, you should receive something similar to below:
You can now click View index in Discover to view the results.
Analyzing results
The default Discover view should look similar to this:
You can get an overview of when the events happened and frequency of events by looking at the histogram at top.
In the left-side sidebar, you can add fields you want to display in the columns by clicking the plus sign after hovering over a field:
To start off, we recommend the following columns:
Your Discover view should now look like this:
You can filter with KQL to search for certain events and alerts. For example:
Level: "critical": Just show critical alerts.Level: "critical" or Level: "high": Show high and critical alerts.NOT Level:info: Do not show informational events, only alerts.*LatMov*: Show events and alerts related to lateral movement."Password Spray": Only show specific attacks such as "Password Spray"."LID: 0x8724ead": Display all activity associated with Logon ID 0x8724ead.
Hayabusa Dashboard
We have exported a simple Hayabusa Dashboard in JSON to download here
To import the dashboard, open the left sidebar and click Stack Management under Management.
After clicking Saved Objects, please click Import in the upper right-hand corner and import the Hayabusa Dashboard JSON file you downloaded.
You should now be able to use the dashboard shown below:
Future Plans
We plan on creating Hayabusa logstash parsers and a dashboard pre-built for SOF-ELK so that all you will need to do is copy the CSV results file to a directory in order to ingest the logs.
Acknowledgements
Much of this documentation was taken from the blog write-up in Japanese from @kzzzzo2 here.
Many thanks to @kzzzzo2!