Export JSONL Reporting Data to Logstash via an Encrypted Channel
Objective
The flow data collected by one or more Threat Defender installations can be received by a Logstash instance, written to one or more Elasticsearch instances and evaluated with Kibana.
Requirements
To enable encryption via TLS you need the following:
a certificate authority in .pem format that is self-signed or signed by a trusted CA,
a certificate issued by this certificate authority, and
a private key belonging to that certificate.
Make sure that these are present in the Logstash pipeline directory.
Set up Logstash
In the Logstash pipeline directory, edit logstash.conf to define your inputs, processing and outputs:
input {
  tcp {
    port => 5000
    ssl_enable => true
    # Require every connecting Threat Defender to present a certificate that chains to
    # one of the CAs listed in ssl_certificate_authorities (mutual TLS).
    ssl_verify => true
    # Server certificate and private key presented to Threat Defender.
    ssl_cert => "/path/to/your/server/certificate.pem"
    ssl_key => "/path/to/your/server/key.pem"
    # CA chain sent along with the server certificate so the client can verify it.
    ssl_extra_chain_certs => ["/path/to/your/server/certificate-authority.pem"]
    # CA that issued the Threat Defender client certificates.
    ssl_certificate_authorities => ["/path/to/your/cTD/certificate-authority.pem"]
    # One JSON object per line, decoded with ECS-compatible field names.
    codec => json_lines {
      ecs_compatibility => v1
    }
  }
}

## Add your filters / logstash plugins configuration here

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "logstash_internal"
    # Read from the keystore or environment rather than stored in clear text here.
    password => "${LOGSTASH_INTERNAL_PASSWORD}"
  }
}
Set up Threat Defender
Configure Threat Defender to send JSONL data to Logstash:
Go to Logging > Report Channels.
Click Add to create a new reporting channel.
On the settings screen, configure the following:
Report Type: JSONL
Message Type: Select Flow Reports. You can select additional types as required.
Endpoint: TLS encryption
Hostname: enter the hostname of your Logstash installation. Ensure the hostname matches the common name specified in the Logstash certificate.
Port: 5000 (the port of your Logstash installation as defined in the logstash.conf above)
Reconnection Delay: 15 seconds
Remote certificate authority: Select the CA that issued the Logstash server certificate (the one referenced by ssl_extra_chain_certs in the Logstash configuration above).
Click SAVE to store your settings and close the settings screen. The new JSONL channel is displayed in the list of configured reporting channels.
Click the APPLY CHANGES button at the top of the main navigation to activate your configuration changes.
As a result, the state of the newly configured JSONL channel should change to connected and show a rising number of transmitted events.
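Before relying on the channel, it is useful to exercise the same settings from a small client. The following is an added example, not part of this documentation or of the Threat Defender product: it frames constructed flow records as JSON Lines, parses them back the way the json_lines codec does (including a record split across TCP segments), builds a client TLS context with the verification the Logstash input above expects, and waits the configured reconnection delay before retrying. Certificate file names, the hostname and the flow record fields are assumptions.

```python
import json
import socket
import ssl
import time

# Constructed sample flow reports (field names are assumed, not Threat Defender's schema).
SAMPLE_FLOWS = [
    {"@timestamp": "2024-01-01T00:00:00Z", "src": "10.0.0.5", "dst": "10.0.0.9", "bytes": 1200},
    {"@timestamp": "2024-01-01T00:00:01Z", "src": "10.0.0.7", "dst": "10.0.0.9", "bytes": 48},
]

def to_jsonl(events):
    """JSON Lines framing: one compact JSON object per line, newline-terminated.
    The newline is the only record separator the json_lines codec relies on."""
    lines = (json.dumps(e, separators=(",", ":"), ensure_ascii=False) for e in events)
    return "".join(line + "\n" for line in lines).encode("utf-8")

def parse_jsonl(buf):
    """Receiver side, as the json_lines codec behaves: decode every complete line and
    return the unterminated tail so a record split across TCP segments is not lost."""
    *complete, tail = buf.split(b"\n")
    return [json.loads(line) for line in complete if line.strip()], tail

def client_context(ca_file, cert_file, key_file):
    """TLS settings mirroring the Logstash input: the server certificate must chain to the
    CA chosen as 'Remote certificate authority' and its name must match the hostname; the
    client presents its own certificate because ssl_verify => true makes Logstash verify it."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True            # hostname must match the certificate name
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable server certificate: refuse to send
    ctx.load_cert_chain(cert_file, key_file)
    return ctx

def send_with_retry(host, port, ctx, payload, reconnect_delay=15, attempts=3, connect=None):
    """Deliver payload over the channel; on failure wait reconnect_delay seconds
    (15 s, as configured on the Threat Defender side) and reconnect. `connect` can be
    injected for offline tests; by default it opens a TLS socket to Logstash."""
    if connect is None:
        connect = lambda: ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    for attempt in range(1, attempts + 1):
        try:
            with connect() as sock:
                sock.sendall(payload)
            return True
        except (OSError, ssl.SSLError) as exc:
            print(f"attempt {attempt} failed: {exc}")
            if attempt < attempts:
                time.sleep(reconnect_delay)
    return False
```

A real run would call client_context with the three PEM files and then send_with_retry against the Logstash hostname and port 5000 from the configuration above.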
Check Kibana
Open the Kibana interface in your browser (see the Kibana documentation for more detailed information). You can use the SIEM section to look at some predefined statistics, or start exploring on your own in the Discover section.