Merge pull request #277 from elastic/rwaight-patch-1

SIEM-at-Home example updates

Author: rwaight

Security Analytics/SIEM-at-Home/README.md

@@ -3,6 +3,7 @@ Monitoring your servers and workstations doesn't have to be difficult or expensi
 1. [Getting started](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-1-getting-started)
 2. [Securing cluster access](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-2-securing-cluster-access)
 3. [GeoIP data and Beats config review](https://www.elastic.co/blog/elastic-siem-for-small-business-and-home-3-geoip-data-and-beats-config-review)
+4. Beats on Windows _(coming soon)_
 
 ## `beats-configs`
 Example configurations for beats when deploying an Elastic SIEM at Home running on Elasticsearch Service

Security Analytics/SIEM-at-Home/beats-configs/beats-on-windows/auditbeat.yml

@@ -0,0 +1,34 @@
+# Example for the Beats on Windows blog
+# Configuration version: 11-27-2019
+#=== Auditbeat specific options ===
+#===  Modules configuration ===
+auditbeat.modules:
+
+- module: file_integrity
+  paths:
+  - C:/windows
+  - C:/windows/system32
+  - C:/windows/SysWOW64
+  - C:/Program Files
+  - C:/Program Files (x86)
+  - C:/ProgramData
+
+- module: system
+  datasets:
+    - host
+  state.period: 12h
+  period: 1h
+
+- module: system
+  datasets:
+    - process
+  processors:
+    - add_process_metadata:
+        match_pids: [process.ppid]
+        target: system.process.parent
+  period: 3m
+
+#=== Beats Common Configs Here ===
+# Add the settings from the Beats General Config file (beats-general-config.yml)
+# to the end of this configuration file. The Beats General Config file example can be found at this link:
+# https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml

Security Analytics/SIEM-at-Home/beats-configs/beats-on-windows/packetbeat.yml

@@ -0,0 +1,56 @@
+# Example for the Beats on Windows blog
+# Configuration version: 11-27-2019
+#=== Packetbeat specific options ===
+#=== Network device ===
+# Issue the `.\packetbeat.exe devices` command to determine the interfaces on your system
+# Select the network interface to sniff the data. On Linux, you can use the
+# "any" keyword to sniff on all connected interfaces.
+packetbeat.interfaces.device: 3
+
+#=== Flows ===
+packetbeat.flows:
+  timeout: 30s
+  period: 10s
+
+#=== Transaction protocols ===
+# For more information on the transaction protocols, see
+# https://www.elastic.co/guide/en/beats/packetbeat/7.4/configuration-protocols.html
+packetbeat.protocols:
+- type: icmp
+  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
+  enabled: true
+
+- type: dhcpv4
+  # Configure the DHCP for IPv4 ports.
+  ports: [67, 68]
+  send_request: true
+  send_response: true
+
+- type: dns
+  # Configure the ports where to listen for DNS traffic. You can disable
+  # the DNS protocol by commenting out the list of ports.
+  ports: [53]
+  include_authorities: true
+  include_additionals: true
+
+- type: http
+  # Configure the ports where to listen for HTTP traffic. You can disable
+  # the HTTP protocol by commenting out the list of ports.
+  ports: [80, 8080, 8000, 5000, 8002]
+
+- type: tls
+  # Configure the ports where to listen for TLS traffic. You can disable
+  # the TLS protocol by commenting out the list of ports.
+  ports:
+    - 443   # HTTPS
+    - 993   # IMAPS
+    - 995   # POP3S
+    - 5223  # XMPP over SSL
+    - 8443
+    - 8883  # Secure MQTT
+    - 9243  # Elasticsearch
+
+#=== Beats Common Configs Here ===
+# Add the settings from the Beats General Config file (beats-general-config.yml)
+# to the end of this configuration file. The Beats General Config file example can be found at this link:
+# https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml