Exporting Alerts to ELK
Overview
Elasticsearch allows users to capture data that is sent from Sophos Linux Sensor (SLS) in JSON format. Kibana lets users choose how to visualize the data coming from SLS, so they can build interactive dashboards based on their needs. In this ELK walkthrough, we will use a simple deployment scenario: SLS deployed on a non-containerized Linux production server.
This article also covers how Filebeat, a lightweight shipper for forwarding and centralizing log data, can be used to ingest alerts from SLS into an ELK Stack, and how to send alert data to ELK via a webhook from SLS.
Requirements
- Filebeat v7.0 (minimum version)
- ELK Stack (Elasticsearch, Logstash & Kibana)
- Sophos Linux Sensor
Note
It's very important that users have SLS running in their environment before performing any of the steps in this article. See Installing Sophos Linux Sensor.
Configuring SLS to log Alerts
We will be configuring SLS to log alert data to a file called /var/log/sophos-alerts.json, with a simple program blacklist that generates an alert every time a user runs the program wget.
- Edit /etc/sophos/runtimedetections-rules.yaml using your preferred text editor. Add the following lines:

  alert_output:
    outputs:
      - type: file
        enabled: true
        name: /var/log/sophos-alerts.json

  Wget Program Blacklist:
    policy: program
    enabled: true
    alertMessage: Unauthorized Program Execution
    priority: High
    rules:
      - match programName == "*/wget"
      - default ignore
    comments: Alert on usage of the wget command
- Restart SLS. It's recommended to restart whenever changes are made to the sensor configuration.

  sudo systemctl restart sophoslinuxsensor
Exporting SLS Alerts to Filebeat
Now that SLS has been configured to log alerts, users can proceed with exporting the alerts to Filebeat. Using Elastic's Filebeat, users can ingest alerts from SLS into the ELK Stack.
- Add the following lines to /etc/filebeat/filebeat.yml:

  filebeat.inputs:
    - type: log
      paths:
        - /var/log/sophos-alerts.json
      json.keys_under_root: true
      json.add_error_key: true

  This won't only ingest alerts but will also parse the JSON data for you, so that the individual top-level alert fields are easily indexed.
- Restart Filebeat. Any alerts generated on the server should now show up in your Elastic deployment.
- Create a test alert. To generate an alert with our example policy, run a wget command on your server. Users should see a resulting alert for Unauthorized Program Execution.
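The Filebeat input above turns each line of /var/log/sophos-alerts.json into an Elasticsearch document, keeping parse failures visible through json.add_error_key rather than dropping them. The following script, added here as an illustration and not part of the Sophos or Elastic documentation, approximates that behaviour and builds an Elasticsearch _bulk body for the sophos-alerts index; the sample alert lines and their field names (uuid, policy_type, priority, alertMessage) are constructed for the example, not taken from a real sensor.

```python
import json

# Constructed sample of the alert file contents: one JSON object per line,
# plus one deliberately malformed line to show the add_error_key path.
SAMPLE_ALERT_LINES = [
    '{"uuid": "a1", "policy_type": "program", "priority": "High", '
    '"alertMessage": "Unauthorized Program Execution"}',
    'this line is not JSON',
    '{"uuid": "a2", "policy_type": "program", "priority": "Low", '
    '"alertMessage": "Some other policy"}',
]


def parse_alert_line(line, add_error_key=True):
    """Parse one alert line the way the Filebeat input is configured to.

    keys_under_root: the alert's own fields become the document's top-level
    fields. add_error_key: a line that is not a JSON object is kept, with the
    raw text under "message" and the failure recorded under "error".
    """
    line = line.strip()
    if not line:
        return None
    try:
        doc = json.loads(line)
        if not isinstance(doc, dict):
            raise ValueError("top-level JSON value is not an object")
        return doc
    except ValueError as exc:
        if not add_error_key:
            return None
        return {"message": line,
                "error": {"message": f"Error decoding JSON: {exc}", "type": "json"}}


def build_bulk_body(lines, index="sophos-alerts"):
    """Build an NDJSON body for POST /_bulk: an index action line per document."""
    out = []
    for line in lines:
        doc = parse_alert_line(line)
        if doc is None:
            continue
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"  # the _bulk API requires a trailing newline


def count_high_priority(lines):
    """Count well-formed alerts whose priority is High (the example policy's level)."""
    docs = (parse_alert_line(l) for l in lines)
    return sum(1 for d in docs if d is not None and d.get("priority") == "High")
```

The returned body can be sent with any HTTP client to your cluster's /_bulk endpoint with Content-Type: application/x-ndjson; the malformed line lands in the index as a document carrying an error field, which is what you would look for in Kibana when alerts appear to be missing.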
Exporting SLS Alerts directly to Elasticsearch
With Elasticsearch, users can automatically search and retrieve data using the Elasticsearch API. Elasticsearch allows users to store, search and analyze data coming from SLS in near real time. This article assumes that users already have Elasticsearch running.
- Edit /etc/sophos/runtimedetections-rules.yaml using your preferred text editor. Add the following content:

  alert_output:
    outputs:
      - type: webhook
        enabled: true
        url: http://elasticservice.customer.com:9200/sophos-alerts/documents
        headers:
          "Content-Type": "application/json"

  Wget Program Blacklist:
    policy: program
    enabled: true
    alertMessage: Unauthorized Program Execution
    priority: High
    rules:
      - match programName == "*/wget"
      - default ignore
    comments: Alert on usage of the wget command

  This won't only ingest alerts but will also parse the JSON data for you, so that the individual top-level alert fields are easily indexed. Any alerts generated on the server should now show up in your Elastic deployment.
- Create a test alert. To generate an alert with our example policy, run a wget command on your sensor server. Users should see a resulting alert for Unauthorized Program Execution.
Visualizing SLS Alerts on Kibana
Using Kibana, users can visualize the logs coming from SLS. Kibana provides a visual interface that allows users to detect and monitor behaviors and build dashboards, providing the visibility needed to understand and analyze alerts coming from SLS.
Following the previous steps in this article, and assuming that Kibana is set up to consume alert data coming from Filebeat and/or Elasticsearch, users will be able to see the test alert generated by our example policy when wget is executed on their server.
If you haven't created an index, do the following:
- On your Kibana dashboard, navigate to Settings > Elasticsearch > Index Management.
- Create an index called sophos-alerts.
- On the next page, select Timestamp (this will depend on your preference).
After the sophos-alerts index has been created, you can manipulate the data and decide from the available fields what your organization wants to visualize. We also recommend that users add fields such as description, lineage, uuid and policy_type.