Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] Add Packetbeat Index to Network Rules #14

Closed
peasead opened this issue Jul 2, 2020 · 3 comments · Fixed by #15
Closed

[Rule Tuning] Add Packetbeat Index to Network Rules #14

peasead opened this issue Jul 2, 2020 · 3 comments · Fixed by #15
Assignees
@peasead
Labels
Domain: Network Rule: Tuning tweaking or tuning an existing rule v7.9.0

Comments

@peasead
Copy link
Contributor

peasead commented Jul 2, 2020

Description

The Packetbeat Index needs to be added to network SIEM rules.

Filebeat was originally used to take advantage of the Zeek and Suricata network data modules. While Packetbeat is not a full-fledged protocol analyzer like Zeek, or even Suricata, it can act as a data source for these rules.

Example Data

Existing Index designation: index = ["filebeat-*"]
Suggested Index designation: index = ["filebeat-*", "packetbeat-*"]
@peasead peasead added v7.9.0 Domain: Network Rule: Tuning tweaking or tuning an existing rule labels Jul 2, 2020
@peasead peasead self-assigned this Jul 2, 2020
@peasead peasead mentioned this issue Jul 2, 2020
Merged
@ghost
Copy link

ghost commented Jul 2, 2020
edited by ghost
Loading

You probably also want to add the auditbeat-* index as well. We dont run packetbeat on every host, but we do run auditbeat, which is actually where we get more hits (thanks so its socket module)

See this tweet for details

@peasead
Copy link
Contributor Author

peasead commented Jul 6, 2020

Thanks for the feedback, @Ares3266

I agree, adding auditbeat-* is a great idea. I can circle back on this with a fresh Issue/PR in the future, or please feel free to contribute it.

@rw-access rw-access mentioned this issue Jul 8, 2020
Closed
@rw-access
Copy link
Contributor

@Ares3266 I created #35 for adding auditbeat to the rules

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@peasead peasead

Labels
Domain: Network Rule: Tuning tweaking or tuning an existing rule v7.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add dataset and index to network rules elastic/detection-rules
2 participants
@peasead @rw-access