Export JSONL Reporting Data to Logstash via an Encrypted Channel

Objective

Flow data collected by one or more Threat Defender installations can be received by a Logstash instance, written to one or more Elasticsearch instances and evaluated with Kibana.

Requirements

To enable encryption via TLS you need the following:

  • a certificate authority (CA) certificate in .pem format, either self-signed or signed by a trusted CA,

  • a server certificate for Logstash issued by this certificate authority, and

  • the private key belonging to that certificate.

Make sure that these are present in the Logstash pipeline directory.

Set up Logstash

In the Logstash pipeline directory, edit logstash.conf to define your inputs, processing and outputs:

input {
        tcp {
                port => 5000
                ssl_enable => true
                ssl_verify => true
                ssl_cert => "/path/to/your/server/certificate.pem"
                ssl_key => "/path/to/your/server/key.pem"
                ssl_extra_chain_certs => ["/path/to/your/server/certificate-authority.pem"]
                ssl_certificate_authorities => ["/path/to/your/cTD/certificate-authority.pem"]
                codec => json_lines {
                        ecs_compatibility => v1
                }
        }
}

## Add your filters / logstash plugins configuration here

output {
        elasticsearch {
                hosts => "elasticsearch:9200"
                user => "logstash_internal"
                password => "${LOGSTASH_INTERNAL_PASSWORD}"
        }
}
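Before pointing the appliance at the new input, it is useful to smoke-test the Logstash tcp/ssl listener with a small client that behaves like the JSONL report channel: it verifies the Logstash server certificate against the CA, enforces that the hostname matches the certificate (the same rule the channel's Hostname setting relies on), optionally presents a client certificate for the ssl_verify / ssl_certificate_authorities check, and writes newline-delimited JSON as the json_lines codec expects. The following is an added example written for this page, not code from Threat Defender or Logstash; the hostname, file paths and flow record fields are placeholders and constructed sample data, not the appliance's real schema.

```python
"""Send constructed JSONL flow records to a Logstash tcp input over TLS.

Added example (not part of the original page or of Threat Defender): it
imitates what the appliance's JSONL report channel does so the Logstash
input can be tested before the appliance is connected.
"""
import json
import socket
import ssl

# Assumed values: adjust to your deployment. The hostname must match the
# CN/SAN of the Logstash server certificate or the handshake is rejected.
LOGSTASH_HOST = "logstash.example.internal"
LOGSTASH_PORT = 5000
CA_FILE = "/path/to/your/server/certificate-authority.pem"   # signs the Logstash cert
CLIENT_CERT = "/path/to/your/client/certificate.pem"         # trusted via ssl_certificate_authorities
CLIENT_KEY = "/path/to/your/client/key.pem"

# Constructed sample records; the field names follow ECS style but are
# illustrative only, not the Threat Defender flow report schema.
SAMPLE_FLOWS = [
    {"@timestamp": "2024-01-01T12:00:00Z", "event": {"kind": "event", "category": "network"},
     "source": {"ip": "10.0.0.5", "port": 51234},
     "destination": {"ip": "10.0.0.80", "port": 443},
     "network": {"transport": "tcp", "protocol": "tls"}},
    {"@timestamp": "2024-01-01T12:00:01Z", "event": {"kind": "event", "category": "network"},
     "source": {"ip": "10.0.0.7", "port": 40021},
     "destination": {"ip": "10.0.0.53", "port": 53},
     "network": {"transport": "udp", "protocol": "dns"}},
]


def to_jsonl(records):
    """Serialize records as newline-delimited JSON, exactly one object per line.

    The json_lines codec splits the stream on '\\n', so a record must never
    contain a raw newline; json.dumps escapes newlines inside strings, and
    ensure_ascii keeps the payload 7-bit clean.
    """
    lines = []
    for rec in records:
        if not isinstance(rec, dict):
            raise TypeError("each record must be a JSON object")
        line = json.dumps(rec, separators=(",", ":"), ensure_ascii=True)
        if "\n" in line:  # cannot happen with json.dumps, kept as a guard
            raise ValueError("record serialized with an embedded newline")
        lines.append(line)
    return "".join(line + "\n" for line in lines)


def make_client_context(ca_file=None, cert_file=None, key_file=None):
    """Build a TLS client context that mirrors the Logstash input settings.

    - the server certificate is verified against the CA (CERT_REQUIRED),
    - check_hostname enforces the CN/SAN match the page requires,
    - a client certificate is presented when given, which is what the
      ssl_verify => true / ssl_certificate_authorities pair checks for.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def send_flows(records, host=LOGSTASH_HOST, port=LOGSTASH_PORT, ctx=None, timeout=10.0):
    """Open one TLS connection, send all records as JSONL, return bytes sent."""
    ctx = ctx or make_client_context(CA_FILE, CLIENT_CERT, CLIENT_KEY)
    payload = to_jsonl(records).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    sent = send_flows(SAMPLE_FLOWS)
    print(f"sent {sent} bytes to {LOGSTASH_HOST}:{LOGSTASH_PORT}")
```

If the handshake fails with a hostname or certificate error, the same failure will show up on the appliance as a channel that never reaches the connected state; fixing the certificate's CN/SAN or the CA files on the Logstash side is then cheaper than debugging it through the appliance UI. Once the records arrive, they should appear in Elasticsearch through the output block above and be visible in Kibana's Discover view.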

Set up Threat Defender

Configure Threat Defender to send JSONL data to Logstash:

  1. Go to Logging > Report Channels.

  2. Click Add to create a new reporting channel.

  3. On the settings screen, configure the following:

    • Report Type: JSONL

    • Message Type: Select Flow Reports. You can select additional types as required.

    • Endpoint: TLS encryption

    • Hostname: enter the hostname of your Logstash installation. Ensure the hostname matches the common name specified in the Logstash certificate.

    • Port: 5000 (the port of your Logstash installation as defined in the logstash.conf above)

    • Reconnection Delay: 15 seconds

    • Remote certificate authority: Select the remote CA specified in the Logstash configuration.

  4. Click SAVE to store your settings and close the settings screen. The new JSONL channel is displayed in the list of configured reporting channels.

Click the APPLY CHANGES button at the top of the main navigation to activate your configuration changes.

As a result, the state of the newly configured JSONL channel should change to connected and show a rising number of transmitted events.

Check Kibana

Open the Kibana interface in your browser (see the Kibana documentation for more detailed information). The SIEM section offers predefined statistics for a first look at the data; the Discover section lets you explore the flow reports on your own.