Exporting Reporting Data to Elastic/ELK
The flow data exported by one or more Threat Defender installations can be collected in a single Elasticsearch instance and analyzed with Kibana.
Preparing the ELK Stack
Run Elasticsearch and Kibana.
Setting up Filebeat
Set up Filebeat to handle the flow data provided by Threat Defender.
In the Filebeat directory, add a new file called genua_ipfix.yml with the custom definitions for our PEN (Private Enterprise Number 45480). The PEN is the top-level key; under it, each IPFIX element ID lists the data type and the field name that will appear in the events:

    45480:
      10:
      - :uint16
      - :cognitixDpiProtocol
      11:
      - :uint16
      - :cognitixDpiApplication
      12:
      - :uint32
      - :cognitixDpiClassification
      20:
      - :string
      - :cognitixCountrySource
      21:
      - :string
      - :cognitixCountryDestination
      30:
      - :string
      - :cognitixPolicyRuldId
      # XXX: To be continued
Edit filebeat.yml so that it contains the following element:

    filebeat.inputs:
    - type: netflow
      host: "0.0.0.0:2055"
      protocols: [ ipfix ]
      max_message_size: 50KiB
      custom_definitions:
      - <absolute path to genua_ipfix.yml created above>

The netflow input receives its data as UDP datagrams, so UDP port 2055 on the Filebeat host must be reachable from every Threat Defender (check the host firewall and any firewall in between). Filebeat's Elasticsearch output (output.elasticsearch) must also point at the Elasticsearch instance you started.
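To see how the entries in genua_ipfix.yml correspond to the bytes Filebeat receives, and to smoke-test the Filebeat side before a Threat Defender is connected, here is an added Python example. It is not code from this page, from Filebeat or from Threat Defender. It builds an IPFIX message (RFC 7011) whose template declares the cognitix elements as enterprise-specific (enterprise bit set in the element ID, followed by PEN 45480), encodes one constructed flow record, decodes the message again using the same (PEN, ID) to (type, name) table that the custom definitions file expresses, and can send the message to a Filebeat netflow input over UDP. The standard element IDs 8 (sourceIPv4Address) and 12 (destinationIPv4Address) come from the IANA IPFIX registry; the function names, the sample values, the template ID 256 and the listener address 127.0.0.1:2055 are this example's own assumptions.

```python
"""Minimal IPFIX (RFC 7011) encoder/decoder for the cognitix enterprise elements in
genua_ipfix.yml. Added example, not code from the page, Filebeat or Threat Defender."""
import socket
import struct
import time

GENUA_PEN = 45480  # PEN used in the page's genua_ipfix.yml
TEMPLATE_ID = 256  # template IDs usable by data sets start at 256 (assumed value)
VARLEN = 0xFFFF    # template field length that means "variable-length field"
SIZES = {"ipv4": 4, "uint16": 2, "uint32": 4, "string": VARLEN}

# (pen, element id) -> (type, name): the mapping Filebeat builds from the IANA
# registry (8 and 12 are registered there) plus the custom_definitions file.
DEFINITIONS = {
    (0, 8): ("ipv4", "sourceIPv4Address"),
    (0, 12): ("ipv4", "destinationIPv4Address"),
    (GENUA_PEN, 10): ("uint16", "cognitixDpiProtocol"),
    (GENUA_PEN, 12): ("uint32", "cognitixDpiClassification"),
    (GENUA_PEN, 20): ("string", "cognitixCountrySource"),
    (GENUA_PEN, 21): ("string", "cognitixCountryDestination"),
}
# Constructed sample flow record, not captured data.
SAMPLE = [{"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "198.51.100.7",
           "cognitixDpiProtocol": 7, "cognitixDpiClassification": 1001,
           "cognitixCountrySource": "DE", "cognitixCountryDestination": "US"}]

def encode_template_set():
    """Set ID 2. An enterprise element sets bit 15 of its ID; the 4-byte PEN follows."""
    body = struct.pack("!HH", TEMPLATE_ID, len(DEFINITIONS))
    for (pen, eid), (typ, _) in DEFINITIONS.items():
        body += (struct.pack("!HHI", eid | 0x8000, SIZES[typ], pen) if pen
                 else struct.pack("!HH", eid, SIZES[typ]))
    return struct.pack("!HH", 2, 4 + len(body)) + body

def encode_value(typ, value):
    if typ == "ipv4":
        return socket.inet_aton(value)
    if typ == "string":  # variable-length field: 1-byte length prefix (< 255 bytes)
        raw = value.encode()
        return bytes([len(raw)]) + raw
    return int(value).to_bytes(SIZES[typ], "big")

def encode_data_set(records):
    """Data set: its set ID is the template ID; fields follow template order."""
    body = b"".join(encode_value(typ, rec[name])
                    for rec in records for typ, name in DEFINITIONS.values())
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body

def build_message(records, domain_id=0, seq=0, export_time=None):
    """16-byte header: version 10, length, export time, sequence, observation domain."""
    sets = encode_template_set() + encode_data_set(records)
    export_time = int(time.time()) if export_time is None else export_time
    return struct.pack("!HHIII", 10, 16 + len(sets), export_time, seq, domain_id) + sets

def decode_value(typ, raw):
    if typ == "ipv4":
        return socket.inet_ntoa(raw)
    if typ == "string":
        return raw.decode()
    return int.from_bytes(raw, "big") if typ in SIZES else raw.hex()  # unknown element

def decode_message(data):
    """Walk the sets (a template must precede the data using it); return (domain id, records)."""
    version, length, _, _, domain_id = struct.unpack("!HHIII", data[:16])
    if version != 10 or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        pos, end = off + 4, off + set_len
        if set_id == 2:
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", data[pos:pos + 4])
                pos, spec = pos + 4, []
                for _ in range(count):
                    eid, flen = struct.unpack("!HH", data[pos:pos + 4])
                    pos, pen = pos + 4, 0
                    if eid & 0x8000:  # enterprise bit set: the PEN follows
                        pen = struct.unpack("!I", data[pos:pos + 4])[0]
                        pos, eid = pos + 4, eid & 0x7FFF
                    spec.append((pen, eid, flen))
                templates[tid] = spec
        elif set_id >= 256:
            spec = templates[set_id]  # KeyError here = data arrived before its template
            while pos < end:          # this encoder emits no set padding
                rec = {}
                for pen, eid, flen in spec:
                    if flen == VARLEN:
                        flen, pos = data[pos], pos + 1
                    typ, name = DEFINITIONS.get((pen, eid), ("raw", f"{pen}.{eid}"))
                    rec[name] = decode_value(typ, data[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off = end
    return domain_id, records

def send_sample(host="127.0.0.1", port=2055, domain_id=1):
    """Fire the sample at a Filebeat netflow input (UDP) and return the bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(build_message(SAMPLE, domain_id=domain_id), (host, port))
```

Calling send_sample() against a running Filebeat should produce one event with input.type: netflow in Kibana; if the cognitix fields show up under their numeric (PEN.ID) form or not at all, the custom_definitions path or the element types in genua_ipfix.yml do not match what the exporter sends. Because each message carries its own template, a single datagram is enough for this test, whereas a real exporter resends templates periodically and a collector that starts late must wait for the next template before it can decode data records.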
Setting up Threat Defender
Configure Threat Defender to send IPFIX data to Filebeat:
- Go to Logging > Report Channels.
- Click ADD to create a new reporting channel.
On the settings screen, configure the following:
- Report Type: IPFIX
- Message Type: Select Flow Reports. You can select additional types as required.
- Observation Domain Id: can be 0 if you use only one Threat Defender. Otherwise, set a different value for each Threat Defender so that the reporting sources can be distinguished; the value is carried in the header of every IPFIX message the device sends.
- Update Interval:
- IP Address: enter the IP address of your Filebeat installation.
- Port: 2055 (the port of your Filebeat installation, as defined in the host setting of filebeat.yml).
- Reconnection Delay:
Click SAVE to store your settings and close the settings screen. The new IPFIX channel is displayed in the list of configured reporting channels.
Click the APPLY CHANGES button in the header to activate your configuration changes.
As a result, the state of the newly configured IPFIX channel should change to connected and show a rising number of transmitted events. If the counter stays at zero, check that Filebeat is running and that UDP port 2055 on the Filebeat host is reachable from the Threat Defender.
Open the Kibana interface in your browser (see the Kibana documentation for more detailed information). In the Dashboard section, select the Netflow Overview dashboard to get a quick overview of some of the possibilities; if the Filebeat dashboards have not been loaded into Kibana yet, run filebeat setup --dashboards first. You can also use the SIEM section to look at some predefined statistics, or start exploring on your own in the Discover section. You can preselect the netflow events by using input.type: netflow as a search filter.