Elastic Security
KQL and ES|QL
ECS ingestion, KQL/ES|QL queries, detection rules, and investigations in Kibana.
KQL
# PowerShell process
process.name : "powershell.exe"
# Encoded command
process.name : "powershell.exe" and process.command_line : (*-enc* or *EncodedCommand*)
# Outbound connections outside private networks
network.direction : outbound and not destination.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
# Windows Event ID
event.code : "4625" and winlog.channel : "Security"
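The outbound-connection query above is easy to misread at two points: 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x only, and a KQL `not destination.ip : (...)` clause is true for an event that has no destination.ip at all, so such events match. The following added example (not Elastic's code and not part of the original cheat sheet) mirrors the query's logic over constructed ECS events and shows both effects, plus an optional stricter variant that also quiets loopback, link-local and multicast destinations; the extra ranges and the sample events are assumptions for illustration.

```python
import ipaddress

# CIDRs taken from the KQL query on the page.
PRIVATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Non-routable ranges the page's query does NOT exclude (assumption: added here
# to show what a stricter rule would also silence).
EXTRA_LOCAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")
]


def in_ranges(ip, ranges):
    """True if ip (an ipaddress object) falls inside any network in ranges."""
    return any(ip in net for net in ranges)


def matches_outbound_rule(event, ranges=PRIVATE_RANGES):
    """Mirror `network.direction : outbound and not destination.ip : (...)`.

    KQL semantics are reproduced on purpose: when destination.ip is absent,
    the `not` clause matches, so the event is flagged. That is the null-value
    pitfall the page's best-practices list warns about.
    """
    if event.get("network.direction") != "outbound":
        return False
    dst = event.get("destination.ip")
    if dst is None:
        return True
    return not in_ranges(ipaddress.ip_address(dst), ranges)


# Constructed ECS-style events (flattened dotted keys for brevity).
SAMPLE_EVENTS = [
    {"network.direction": "outbound", "destination.ip": "203.0.113.10"},  # public
    {"network.direction": "outbound", "destination.ip": "172.20.1.5"},    # inside /12
    {"network.direction": "outbound", "destination.ip": "172.32.0.1"},    # outside /12
    {"network.direction": "inbound",  "destination.ip": "10.1.2.3"},      # wrong direction
    {"network.direction": "outbound", "destination.ip": "127.0.0.1"},     # loopback
    {"network.direction": "outbound"},                                    # no destination.ip
]


def flagged_destinations(events, strict=False):
    """Return destination.ip of every event the rule flags, in input order.

    strict=True additionally excludes EXTRA_LOCAL_RANGES.
    """
    ranges = PRIVATE_RANGES + (EXTRA_LOCAL_RANGES if strict else [])
    return [ev.get("destination.ip") for ev in events
            if matches_outbound_rule(ev, ranges)]


if __name__ == "__main__":
    print("page query :", flagged_destinations(SAMPLE_EVENTS))
    print("strict     :", flagged_destinations(SAMPLE_EVENTS, strict=True))
```

The event with a missing destination.ip is flagged in both variants; in Kibana, add `and destination.ip : *` to the query if you want such events dropped rather than surfaced.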
ES|QL
Authentication failures
FROM logs-windows.*
| WHERE event.code == "4625"
| STATS failures = COUNT(*), hosts = COUNT_DISTINCT(host.name)
BY user.name, source.ip
| WHERE failures >= 10
| SORT failures DESC
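To make the STATS ... BY step concrete, here is an added Python reference implementation of the same aggregation over constructed ECS documents (example code, not Elastic's own, and not part of the original cheat sheet). It keeps ES|QL's grouping behaviour: an event without user.name lands in its own null bucket, and COUNT_DISTINCT ignores missing host names. The sample events and the threshold argument are assumptions for illustration.

```python
from collections import defaultdict


def make_event(code, user, src, host):
    """Build one flattened ECS-style event (constructed sample data)."""
    ev = {"event.code": code, "source.ip": src, "host.name": host}
    if user is not None:
        ev["user.name"] = user
    return ev


# Constructed sample: 12 failures for alice across two hosts, 3 for bob,
# 11 successful logons (4624) for carol that must be ignored, and 10 failures
# with no user.name at all from a single source.
SAMPLE_EVENTS = (
    [make_event("4625", "alice", "203.0.113.5", "dc-01") for _ in range(7)]
    + [make_event("4625", "alice", "203.0.113.5", "dc-02") for _ in range(5)]
    + [make_event("4625", "bob", "198.51.100.7", "dc-01") for _ in range(3)]
    + [make_event("4624", "carol", "192.0.2.4", "dc-01") for _ in range(11)]
    + [make_event("4625", None, "192.0.2.9", "ws-03") for _ in range(10)]
)


def failed_logon_summary(events, threshold=10):
    """Equivalent of:
        WHERE event.code == "4625"
        | STATS failures = COUNT(*), hosts = COUNT_DISTINCT(host.name)
          BY user.name, source.ip
        | WHERE failures >= threshold
        | SORT failures DESC
    """
    groups = defaultdict(lambda: {"failures": 0, "hosts": set()})
    for ev in events:
        if ev.get("event.code") != "4625":
            continue
        # ES|QL groups a missing field as null, so .get() keeps that bucket.
        key = (ev.get("user.name"), ev.get("source.ip"))
        groups[key]["failures"] += 1
        host = ev.get("host.name")
        if host is not None:          # COUNT_DISTINCT skips nulls
            groups[key]["hosts"].add(host)

    rows = [
        {"user.name": user, "source.ip": src,
         "failures": g["failures"], "hosts": len(g["hosts"])}
        for (user, src), g in groups.items()
        if g["failures"] >= threshold
    ]
    rows.sort(key=lambda r: r["failures"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in failed_logon_summary(SAMPLE_EVENTS):
        print(row)
```

The null bucket shows why the "check null values" item below matters: in Kibana a row with an empty user.name is easy to overlook, yet it is exactly where unparsed or malformed events end up. Add `| WHERE user.name IS NOT NULL` only after you have looked at what lands there.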
Rare processes
FROM logs-endpoint.events.process-*
| WHERE event.category == "process" and event.type == "start"
| STATS executions = COUNT(*), host_count = COUNT_DISTINCT(host.name)
BY process.executable
| WHERE executions < 5 and host_count <= 2
| SORT executions ASC
Network volume
FROM logs-network_traffic.*
| STATS bytes_out = SUM(source.bytes), events = COUNT(*)
BY source.ip, destination.domain
| SORT bytes_out DESC
| LIMIT 50
Best practices
- filter early in the query;
- limit the fields returned;
- test over several time ranges;
- check for null values;
- map the rule to an ATT&CK technique only if the behaviour actually matches.