Elastalert with Sigma
A couple of weeks ago, Remco wrote a post about Sigma(1). I’ve also been spending a good bit of time setting up Elastalert rules with Sigma and wanted to expand on his great post. We are going to set up an Elastalert rule for sigma_zeek_smb_converted_win_atsvc_task(2).
Convert Rule
sigmac -t elastalert -c ./elastic_schema_config_file.yml /tmp/sigma/rules/sigma_zeek_smb_converted_win_atsvc_task >> /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml
Let's see what this rule is doing
This rule matches bro_smb_files events where the SMB path is the IPC$ share and the file name is atsvc, the named pipe used for remote AT task scheduling. The converted rule looks like this:
alert:
- debug
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
filter:
- query:
    query_string:
      query: (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")
index: '*:logstash-bro-*'
name: f6de6525-4509-495a-8a82-1f8b0ed73a00_0
priority: 3
realert:
  minutes: 0
type: any
query_key: ["source_ip", "destination_ip"]
Test it
Security Onion has a built-in command called so-elastalert-test that runs a rule once against the last day of data without sending alerts.
#sudo so-elastalert-test -r /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml
The output helps answer three questions:
1. Is the query running too slow?
2. Is it looking at the right data?
3. Are the results as expected?
elastalert_status - {'rule_name': '66a0bdc6-ee04-441a-9125-99d2eb547942_0', 'endtime': datetime.datetime(2020, 5, 29, 14, 51, 13, 474764, tzinfo=tzutc()), 'starttime': datetime.datetime(2020, 5, 28, 14, 51, 13, 474764, tzinfo=tzutc()), 'matches': 0, 'hits': 183990, '@timestamp': datetime.datetime(2020, 5, 29, 14, 53, 2, 609529, tzinfo=tzutc()), 'time_taken': 109.09370565414429}
If the rule returns no matches, widen the search window to check for true and false positives. On Security Onion, call the rule test manually and use the --days option:
#docker exec -it so-elastalert bash -c 'elastalert-test-rule /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml --days 25'
You may see false positives from your administrators' desktops talking to other systems, and you will need to adjust the alert so it does not match on those IPs. Once you are happy with the results, the rule needs to go to your alerting/IR platform. In this case, we are going to send it to TheHive.
At the bottom of sigma_zeek_smb_converted_win_atsvc_task.yml, add the TheHive config. The MITRE ATT&CK tags are not carried over to the Elastalert rule by the conversion, so we add them manually.
===
# Note: the alert: list at the top of the rule must also name hivealerter
# (replace or extend '- debug') for the settings below to be used.
hive_connection:
  hive_host: https://ip
  hive_port: 9443
  hive_apikey: key
hive_alert_config:
  title: 'Sigma Remote Task Creation via ATSVC Named Pipe {match[source_ip]} -- {match[destination_ip]}'
  type: 'alarm'
  source: 'Sigma'
  description: 'Alert : {match[source_ip]}'
  severity: 2
  tags: ['elastalert', 'attack.lateral_movement', 'attack.persistence', 'attack.t1053', 'car.2013-05-004', 'car.2015-04-001', 'sigma']
  tlp: 1
  status: 'New'
  follow: True
  sourceRef: '{match[source_ip]}{match[destination_ip]}'
hive_observable_data_mapping:
  - ip: '{match[source_ip]}'
  - ip: '{match[destination_ip]}'
===
Now restart the Elastalert service and you should start getting alerts in TheHive for any of these matches.
#so-elastalert-restart
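To see how the tuning step and the TheHive mapping fit together, here is an added example (not part of the original post or of Elastalert): it re-implements the rule's query_string in Python, applies a source_ip exclusion for administrator desktops, builds the matching query fragment, and expands the {match[...]} placeholders the way Elastalert's HiveAlerter does (Python str.format with the match document). The events, IPs and ADMIN_DESKTOPS list are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample events shaped like the bro_smb_files documents the rule
# queries; the IPs are placeholders, not real hosts.
SAMPLE_EVENTS = [
    {"event_type": "bro_smb_files", "path": "\\\\10.0.0.5\\IPC$", "name": "atsvc",
     "source_ip": "10.0.0.20", "destination_ip": "10.0.0.5"},
    {"event_type": "bro_smb_files", "path": "\\\\10.0.0.5\\IPC$", "name": "srvsvc",
     "source_ip": "10.0.0.20", "destination_ip": "10.0.0.5"},
    {"event_type": "bro_smb_files", "path": "\\\\10.0.0.7\\IPC$", "name": "atsvc",
     "source_ip": "10.0.0.99", "destination_ip": "10.0.0.7"},
]
ADMIN_DESKTOPS = frozenset({"10.0.0.99"})  # hypothetical tuning list

# Templates copied from the hive_alert_config section of the post.
HIVE_TEMPLATES = {
    "title": "Sigma Remote Task Creation via ATSVC Named Pipe "
             "{match[source_ip]} -- {match[destination_ip]}",
    "description": "Alert : {match[source_ip]}",
    "sourceRef": "{match[source_ip]}{match[destination_ip]}",
}

def rule_matches(event, excluded_source_ips=frozenset()):
    r"""Python equivalent of the rule's query_string
    (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")
    plus the source_ip exclusion the post says admin desktops will need."""
    return (event.get("event_type") == "bro_smb_files"
            and fnmatchcase(event.get("path", ""), "\\\\*\\IPC$")
            and event.get("name") == "atsvc"
            and event.get("source_ip") not in excluded_source_ips)

def exclusion_clause(excluded_source_ips):
    """query_string fragment to AND onto the rule's query for those IPs."""
    ips = " OR ".join(f'"{ip}"' for ip in sorted(excluded_source_ips))
    return f"NOT source_ip:({ips})" if ips else ""

def render_hive_alert(match):
    """Expand {match[...]} placeholders as HiveAlerter does: str.format with
    the match document bound to the name 'match'."""
    alert = {k: v.format(match=match) for k, v in HIVE_TEMPLATES.items()}
    alert["observables"] = [{"dataType": "ip", "data": match["source_ip"]},
                            {"dataType": "ip", "data": match["destination_ip"]}]
    return alert

def hive_alerts(events, excluded_source_ips=frozenset()):
    """Run the rule over events and return the TheHive alerts it would raise."""
    return [render_hive_alert(e) for e in events
            if rule_matches(e, excluded_source_ips)]

if __name__ == "__main__":
    for a in hive_alerts(SAMPLE_EVENTS, ADMIN_DESKTOPS):
        print(a["title"], "->", a["sourceRef"])
```

Append the string from exclusion_clause() to the rule's query with AND to keep the exclusion inside the converted rule rather than in a separate filter.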
(1) https://isc.sans.edu/diary/rss/26258