Merge pull request #279 from elastic/rwaight-patch-1

SIEM-at-Home Example Updates

Author: rwaight

Security Analytics/SIEM-at-Home/README.md

@@ -3,7 +3,8 @@ Monitoring your servers and workstations doesn't have to be difficult or expensi
 1. [Getting started](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-1-getting-started)
 2. [Securing cluster access](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-2-securing-cluster-access)
 3. [GeoIP data and Beats config review](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-3-geoip-data-and-beats-config-review)
-4. Beats on Windows _(coming soon)_
+4. [Beats on Windows](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-4-beats-on-windows)
+
 
 ## `beats-configs`
 Example configurations for beats when deploying an Elastic SIEM at Home running on Elasticsearch Service

Security Analytics/SIEM-at-Home/beats-configs/auditbeat/auditbeat-windows.yml

@@ -1,12 +1,12 @@
 # Configuration applicable for all beats on a specific device
-#================================ General =====================================
+#=== General ===
 name: myHostName
 tags: ["myTag", "myHostName"]
 fields:
   env: myEnv
   version: 11-26-2019
 
-#========================== Top Level Processor ===============================
+#=== Top Level Processor ===
 processors:
   - add_host_metadata:
       # netinfo.enabled should be set to `false` until GitHub issue
@@ -51,7 +51,7 @@ processors:
         destination.geo.name: myHomeLocation
       target: ''
 
-#============================= Elastic Cloud ==================================
+#=== Elastic Cloud ===
 # These settings simplify using beats with the Elastic Cloud (https://cloud.elastic.co/).
 cloud.id: "My_Elastic_Cloud_Deployment:abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 cloud.auth: "data_shipper:0987654321abcDEF"
@@ -73,11 +73,11 @@ output.elasticsearch.max_retries: 5
 #setup.ilm.check_exists: false
 #setup.ilm.overwrite: false
 
-#=========================== Xpack Monitoring =================================
+#=== Xpack Monitoring ===
 # When monitoring is enabled, the beat will ship monitoring data to the cluster
 monitoring.enabled: true
 
-#================================= Queue ======================================
+#=== Queue ===
 # See the 'Configure the internal queue' documentation for each Beat before 
 # configuring the queue.  Note that only one queue type can be configured.
 # You need to uncomment the specific queue type you decide to use.

Security Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml

@@ -0,0 +1,52 @@
+# Example for the Beats on CentOS blog
+# Configuration version: 11-27-2019
+#=== Auditbeat specific options ===
+#===  Modules configuration ===
+auditbeat.modules:
+
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+
+- module: system
+  datasets:
+    - user
+    - login
+  user.detect_password_changes: true
+  period: 10s 
+  state.period: 12h
+
+- module: system
+  datasets:
+    - package
+    - host
+  period: 30m
+  state.period: 12h
+
+- module: system
+  datasets:
+    - socket
+  socket.include_localhost: false
+  period: 3s
+
+- module: system
+  datasets:
+    - process 
+  processors:
+    - drop_event.when:
+         or:
+          - contains.event.action: "existing_process"
+          - contains.event.action: "process_error"
+    - add_process_metadata:
+        match_pids: [process.ppid]
+        target: process.parent
+  period: 5s
+
+#=== Beats Common Configs Here ===
+# Add the settings from the Beats General Config file (beats-general-config.yml)
+# to the end of this configuration file. The Beats General Config file example can be found at this link:
+# https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml

Security Analytics/SIEM-at-Home/beats-configs/beats-on-centos/auditbeat.yml

@@ -0,0 +1,53 @@
+# Example for the Beats on CentOS blog
+# Configuration version: 11-27-2019
+#=== Filebeat specific options ===
+#=== Filebeat modules ===
+filebeat.config.modules:
+  path: ${path.config}/modules.d/*.yml
+  reload.enabled: true
+  reload.period: 30s
+
+#=== Filebeat inputs ===
+filebeat.inputs:
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/yum.log
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/pihole.log
+  fields:
+    app: pihole
+    name: pihole
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/pihole-FTL.log
+  fields:
+    app: pihole
+    name: pihole-FTL
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/pihole_updateGravity.log
+  fields:
+    app: pihole
+    name: pihole-updateGravity
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/lighttpd/*.log
+  fields:
+    app: pihole
+    name: pihole-lighttpd
+
+#=== Beats Common Configs Here ===
+# Add the settings from the Beats General Config file (beats-general-config.yml)
+# to the end of this configuration file. The Beats General Config file example can be found at this link:
+# https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml

Security Analytics/SIEM-at-Home/beats-configs/beats-on-centos/filebeat.yml

@@ -0,0 +1,57 @@
+# Example for the Beats on CentOS blog
+# Configuration version: 11-27-2019
+#=== Packetbeat specific options ===
+#=== Network device ===
+# Select the network interface to sniff the data. On Linux, you can use the
+# "any" keyword to sniff on all connected interfaces.
+packetbeat.interfaces.device: any
+
+#=== Flows ===
+packetbeat.flows:
+  timeout: 30s
+  period: 10s
+
+#=== Transaction protocols ===
+# For more information on the transaction protocols, see
+# https://www.elastic.co/guide/en/beats/packetbeat/7.4/configuration-protocols.html
+packetbeat.protocols:
+- type: icmp
+  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
+  enabled: true
+
+- type: dhcpv4
+  # Configure the DHCP for IPv4 ports.
+  ports: [67, 68]
+  send_request: true
+  send_response: true
+
+- type: dns
+  # Configure the ports where to listen for DNS traffic. You can disable
+  # the DNS protocol by commenting out the list of ports.
+  ports: [53]
+  include_authorities: true
+  include_additionals: true
+  send_request: true
+  send_response: true
+
+- type: http
+  # Configure the ports where to listen for HTTP traffic. You can disable
+  # the HTTP protocol by commenting out the list of ports.
+  ports: [80, 8080, 8000, 5000, 8002]
+
+- type: tls
+  # Configure the ports where to listen for TLS traffic. You can disable
+  # the TLS protocol by commenting out the list of ports.
+  ports:
+    - 443   # HTTPS
+    - 993   # IMAPS
+    - 995   # POP3S
+    - 5223  # XMPP over SSL
+    - 8443
+    - 8883  # Secure MQTT
+    - 9243  # Elasticsearch
+
+#=== Beats Common Configs Here ===
+# Add the settings from the Beats General Config file (beats-general-config.yml)
+# to the end of this configuration file. The Beats General Config file example can be found at this link:
+# https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml

Security Analytics/SIEM-at-Home/beats-configs/beats-on-centos/packetbeat.yml

@@ -28,6 +28,18 @@ auditbeat.modules:
         target: system.process.parent
   period: 3m
 
+#=== Auditbeat logging ===
+# Configure logging for Auditbeat if you plan on using the GeoIP ingest processor
+# Initially use `info` for the logging.level, set logging.level to `debug` if you see
+# an `Failed to publish events: temporary bulk send failure` error message in the logs
+#logging.level: info
+#logging.to_files: true
+#logging.files:
+#  path: C:\Program Files\Elastic\logs\
+#  name: auditbeat
+#  keepfiles: 7
+#  permissions: 0644
+
 #=== Beats Common Configs Here ===
 # Add the settings from the Beats General Config file (beats-general-config.yml)
 # to the end of this configuration file. The Beats General Config file example can be found at this link:

Security Analytics/SIEM-at-Home/beats-configs/beats-on-windows/auditbeat.yml

@@ -50,6 +50,18 @@ packetbeat.protocols:
     - 8883  # Secure MQTT
     - 9243  # Elasticsearch
 
+#=== Packetbeat logging ===
+# Configure logging for Packetbeat if you plan on using the GeoIP ingest processor
+# Initially use `info` for the logging.level, set logging.level to `debug` if you see
+# an `Failed to publish events: temporary bulk send failure` error message in the logs
+#logging.level: info
+#logging.to_files: true
+#logging.files:
+#  path: C:\Program Files\Elastic\logs\
+#  name: packetbeat
+#  keepfiles: 7
+#  permissions: 0644
+
 #=== Beats Common Configs Here ===
 # Add the settings from the Beats General Config file (beats-general-config.yml)
 # to the end of this configuration file. The Beats General Config file example can be found at this link:

Security Analytics/SIEM-at-Home/beats-configs/beats-on-windows/packetbeat.yml

@@ -33,6 +33,18 @@ winlogbeat.event_logs:
           id: sysmon
           file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
 
+#=== Winlogbeat logging ===
+# Configure logging for Winlogbeat if you plan on using the GeoIP ingest processor
+# Initially use `info` for the logging.level, set logging.level to `debug` if you see
+# an `Failed to publish events: temporary bulk send failure` error message in the logs
+#logging.level: info
+#logging.to_files: true
+#logging.files:
+#  path: C:\Program Files\Elastic\logs\
+#  name: winlogbeat
+#  keepfiles: 7
+#  permissions: 0644
+
 #=== Beats Common Configs Here ===
 # Add the settings from the Beats General Config file (beats-general-config.yml)
 # to the end of this configuration file. The Beats General Config file example can be found at this link: