Exporting Reporting Data to Elastic/ELK

Objective

The flow data collected by one or more Threat Defender installations can be aggregated in a single Elasticsearch instance and analyzed with Kibana.

Preparing the ELK Stack

If you have not yet set up an ELK stack, install Elasticsearch, Kibana and Filebeat (see the respective documentation for details).

Run Elasticsearch and Kibana.

Setting up Filebeat

Set up Filebeat to handle the flow data provided by Threat Defender.

  1. In the Filebeat directory, add a new file called genua_ipfix.yml containing the custom IPFIX information element definitions for our Private Enterprise Number (PEN):

    45480:
     10:
       - :uint16
       - :cognitixDpiProtocol
     11:
       - :uint16
       - :cognitixDpiApplication
     12:
       - :uint32
       - :cognitixDpiClassification
     20:
       - :string
       - :cognitixCountrySource
     21:
       - :string
       - :cognitixCountryDestination
     30:
       - :string
       - :cognitixPolicyRuleId
    XXX: To be continued
    
  2. Edit filebeat.yml so that it contains the following netflow input (the keys below type must be aligned under it, otherwise the YAML is invalid):

    filebeat.inputs:
    - type: netflow
      # UDP listener for IPFIX from Threat Defender; restrict reachability with a host firewall
      host: "0.0.0.0:2055"
      protocols: [ ipfix ]
      max_message_size: 50KiB
      custom_definitions:
        - <absolute path to genua_ipfix.yml created above>
    
  3. Run Filebeat.
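Filebeat uses the custom definitions above to name enterprise-specific elements: in an IPFIX template, a field id with the enterprise bit set is followed by the PEN, and the (PEN, id) pair is looked up in genua_ipfix.yml to get the type and field name. The following Python script is an added illustration of that lookup, not part of the Threat Defender or Filebeat documentation: it builds a constructed IPFIX message (one template record, one flow record, sample values that are not real Threat Defender output), parses it with a dictionary that mirrors the definitions above (the rule-id field spelled cognitixPolicyRuleId), and carries the Observation Domain Id from the message header into each record so that flows from several Threat Defenders can be told apart, as described in the Threat Defender setup below. The standard IANA elements and the meaning of the sample values are assumptions made for the example.

```python
import struct

# Enterprise number used by the genua_ipfix.yml on this page.
PEN_GENUA = 45480
ENTERPRISE_BIT = 0x8000  # set in an IPFIX field specifier when a 4-byte PEN follows

# Mirror of the custom definitions from genua_ipfix.yml: (PEN, element id) -> (type, name).
CUSTOM_DEFINITIONS = {
    (PEN_GENUA, 10): ("uint16", "cognitixDpiProtocol"),
    (PEN_GENUA, 11): ("uint16", "cognitixDpiApplication"),
    (PEN_GENUA, 12): ("uint32", "cognitixDpiClassification"),
    (PEN_GENUA, 20): ("string", "cognitixCountrySource"),
    (PEN_GENUA, 21): ("string", "cognitixCountryDestination"),
    (PEN_GENUA, 30): ("string", "cognitixPolicyRuleId"),
}
# A few standard IANA elements (PEN 0), assumed here so the sample flow record looks realistic.
IANA_DEFINITIONS = {
    (0, 8): ("ipv4", "sourceIPv4Address"),
    (0, 11): ("uint16", "destinationTransportPort"),
    (0, 12): ("ipv4", "destinationIPv4Address"),
}
DEFINITIONS = {**IANA_DEFINITIONS, **CUSTOM_DEFINITIONS}


def decode_value(ftype, raw):
    """Decode one fixed-length field value according to its declared type."""
    if ftype == "uint16":
        return struct.unpack("!H", raw)[0]
    if ftype == "uint32":
        return struct.unpack("!I", raw)[0]
    if ftype == "ipv4":
        return ".".join(str(b) for b in raw)
    if ftype == "string":
        return raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return raw.hex()  # element without a definition: keep the raw bytes


def parse_template_set(body, templates):
    """Parse template records (set id 2) into templates[template_id] = [(pen, id, length), ...]."""
    off = 0
    while off + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[off:off + 4])
        if template_id == 0:  # trailing padding
            break
        off += 4
        fields = []
        for _ in range(field_count):
            element_id, length = struct.unpack("!HH", body[off:off + 4])
            off += 4
            pen = 0
            if element_id & ENTERPRISE_BIT:  # enterprise-specific element: PEN follows
                element_id &= 0x7FFF
                pen = struct.unpack("!I", body[off:off + 4])[0]
                off += 4
            fields.append((pen, element_id, length))
        templates[template_id] = fields


def parse_data_set(body, fields, domain_id):
    """Decode fixed-length data records described by a previously seen template."""
    if any(length == 65535 for _, _, length in fields):
        raise ValueError("variable-length elements are not handled by this example")
    record_len = sum(length for _, _, length in fields)
    records, off = [], 0
    while off + record_len <= len(body):
        record = {"observationDomainId": domain_id}  # distinguishes the exporting Threat Defender
        for pen, element_id, length in fields:
            raw = body[off:off + length]
            off += length
            ftype, name = DEFINITIONS.get((pen, element_id), ("bytes", f"unknown_{pen}_{element_id}"))
            record[name] = decode_value(ftype, raw)
        records.append(record)
    return records


def parse_ipfix(message, templates):
    """Parse one IPFIX message (RFC 7011 layout); templates persist across messages."""
    version, length, _export_time, _sequence, domain_id = struct.unpack("!HHIII", message[:16])
    if version != 10 or length != len(message):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = message[off + 4:off + set_len]
        if set_id == 2:
            parse_template_set(body, templates)
        elif set_id >= 256:
            if set_id not in templates:
                raise KeyError(f"data set for unknown template {set_id}")
            records.extend(parse_data_set(body, templates[set_id], domain_id))
        # set id 3 (options templates) is ignored in this example
        off += set_len
    return domain_id, records


def build_sample_message(domain_id):
    """Constructed sample: one template record plus one flow record, as an exporter would send it."""
    fields = [(0, 8, 4), (0, 12, 4), (0, 11, 2), (PEN_GENUA, 10, 2), (PEN_GENUA, 11, 2),
              (PEN_GENUA, 12, 4), (PEN_GENUA, 20, 2), (PEN_GENUA, 21, 2), (PEN_GENUA, 30, 16)]
    template = struct.pack("!HH", 256, len(fields))
    for pen, element_id, length in fields:
        if pen:
            template += struct.pack("!HHI", element_id | ENTERPRISE_BIT, length, pen)
        else:
            template += struct.pack("!HH", element_id, length)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    # Sample values (addresses, DPI ids, countries, rule id) are constructed, not real output.
    data = (bytes([10, 0, 0, 5]) + bytes([93, 184, 216, 34]) + struct.pack("!H", 443)
            + struct.pack("!HHI", 6, 2000, 1) + b"DE" + b"US" + b"allow-web".ljust(16, b"\x00"))
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, domain_id)
    return header + body


if __name__ == "__main__":
    known_templates = {}
    domain, flows = parse_ipfix(build_sample_message(domain_id=7), known_templates)
    for flow in flows:
        print(domain, flow)
```

Filebeat performs this decoding itself; the script is only a way to see what the custom definitions do and to check that the ids and types in genua_ipfix.yml match what the exporter sends (a mismatch shows up as unknown_45480_<id> fields with raw bytes). Two things the example leaves out that matter in a real deployment: variable-length elements (length 65535) and options templates are not decoded, and because IPFIX over UDP carries no authentication, the listener on port 2055 should only be reachable from the Threat Defender hosts.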

Setting up Threat Defender

Configure Threat Defender to send IPFIX data to Filebeat:

  1. Go to Logging > Report Channels.
  2. Click ADD to create a new reporting channel.
  3. On the settings screen, configure the following:

    • Report Type: IPFIX
    • Message Type: Select Flow Reports. You can select additional types as required.
    • Observation Domain Id: can be 0 if you use only one Threat Defender. Otherwise, set a different value for each Threat Defender so that the reporting sources can be distinguished in Elasticsearch.
    • Update Interval: 30 seconds
    • Endpoint: UDP
    • IP Address: enter the IP address of your Filebeat installation
    • Port: 2055 (the port of your Filebeat installation as defined in the filebeat.yml above)
    • Reconnection Delay: 15 seconds
  4. Click SAVE to store your settings and close the settings screen. The new IPFIX channel is displayed in the list of configured reporting channels.

Click the APPLY CHANGES button in the header to activate your configuration changes. As a result, the state of the newly configured IPFIX channel should change to connected and show a rising number of transmitted events.

Checking Kibana

Open the Kibana interface in your browser (see the Kibana documentation for more detailed information). In the Dashboard section, select the Netflow Overview dashboard to get a quick overview of some of the possibilities. You can also use the SIEM section to look at some predefined statistics, or explore the data on your own in the Discover section. You can preselect the netflow events by using input.type: netflow as a search filter.
