To run investigations in your on-prem Elastic instance, you need to do the following:
Configure a Data Plane integration with your Elastic instance on the SOC Prime Platform
Set up a User and Role in Elasticsearch for Attack Detective
Install the SOC Prime Attack Detective App for Elastic that connects your on-prem Elastic instance to Attack Detective
Configure a Data Plane on the SOC Prime Platform
To use Attack Detective with on-prem Elastic, first set up an integration profile (Data Plane) on the SOC Prime Platform.
1. Log in to your SOC Prime Platform account and go to Account icon > Platform Settings > Data Planes.
2. Click the Add Data Plane button.
3. Give your Data Plane profile a meaningful name.
4. Select Elastic Stack as your platform.
5. Enable the On Prem switch.
6. Select whether you want to share the profile across your team.
7. Set the URL of your Kibana, including the port.
8. Generate an Attack Detective API key by clicking the icon with arrows. You'll need to specify it in the .env file when installing the connector app. Save the API key in a safe and accessible place: for security reasons, you won't be able to view it again. If you lose this secret key, you'll need to generate a new one.
9. Optionally, link a Custom Field Mapping profile. Custom Field Mapping profiles are applied automatically to queries with matching log sources. Note that the Share to Company and Make Default settings have to be enabled in the linked profiles.
10. Click Save Changes.
Set up a User and Role in Elasticsearch
To allow the Attack Detective connector app to access your Elasticsearch, set up a Role and assign it to a User in Elasticsearch.
1. Go to Stack Management > Roles.
2. Create a role with a meaningful name and the following privileges:
   Cluster privileges: monitor, read_security, manage_api_key, manage_security
   Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor
3. Create a new user and assign it the role created in step 2. You'll need to specify the username and password of the created user in the .env file of the connector app.
Install the SOC Prime Attack Detective App for Elastic
Requirements
1. Download the Content Pack with the app from Threat Detection Marketplace.
2. Unpack the downloaded archive.
3. In the folder where the archive has been unpacked, create a .env file.
4. In the .env file, specify the values for the following variables:
| Variable | Description | Required |
| --- | --- | --- |
| ATTACK_DETECTIVE_API_KEY | Attack Detective API key generated when configuring an Elastic Stack Data Plane on the SOC Prime Platform. See the Configure a Data Plane on the SOC Prime Platform section of this guide. | Required |
| ES_HOST | The hostname of the Elasticsearch node that can be queried (hostname only; the scheme goes in ES_SCHEME). | Required |
| ES_PORT | The port of your Elasticsearch API. | Required |
| ES_SCHEME | Recommended value: https | Required |
| ES_USER | The username of the user created for the Attack Detective app in Elasticsearch. See the Set up a User and Role in Elasticsearch section of this guide. | Required |
| ES_PASSWORD | The password of the user created for the Attack Detective app in Elasticsearch. See the Set up a User and Role in Elasticsearch section of this guide. | Required |
| ES_VERIFY_CERTS | Defines whether the app verifies the TLS certificate presented by Elasticsearch. Possible values: true, false. | Required |
| ES_TIMEOUT | Defines how long, in seconds, the app waits for the Elasticsearch response. The default value is 60. | Optional |
| MAX_CONCURRENT_REQUESTS_TO_ES | Maximum number of concurrent requests to Elasticsearch. The default and recommended value is 1. Set this value according to the performance of the app server and the Elasticsearch server. If the value is 1, requests are sent sequentially. If the value is higher than 1, requests are sent in parallel, with the number of parallel requests limited by this value. To let Attack Detective send parallel requests, select the Parallel type in Scan Settings before running the scan. | Optional |
| PROXY_FOR_ATTACK_DETECTIVE | Add this variable to the file only if you're using a proxy. Format: http://user:pass@host:port | Optional |
The contents of the file will look like this (placeholder values):
ATTACK_DETECTIVE_API_KEY=abCdeFg12345567899abcdeFg
ES_HOST=your.host.name
ES_PORT=9200
ES_SCHEME=https
ES_USER=AttackDetectiveUser
ES_PASSWORD=StrongPassword
ES_VERIFY_CERTS=true
5. In the same folder, run the following command:
docker-compose up --build -d
This command launches a Docker container in the background that keeps running until it is stopped manually.
All dependencies will be installed from the requirements.txt file.
The successful response will contain a line that looks like this:
Container attack-detective-elasticsearch-client Started
6. To confirm that the installation has been successful, check the Docker container logs. In case of success, you'll see lines like these:
ES connection is OK
Attack Detective API connection is OK
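Most failed first starts come from a malformed .env, so it is worth checking the file before step 5. The validator below is an added example, not part of the guide or the connector app: it parses a .env file, checks the required/optional variables exactly as the table above defines them, flags a scheme accidentally placed in ES_HOST, non-numeric ports and limits, and the two settings that weaken the connection to Elasticsearch (ES_SCHEME=http and ES_VERIFY_CERTS=false). The embedded sample file is constructed and deliberately contains two such mistakes; the value checks beyond the table's wording are this example's own.

```python
"""Validate the Attack Detective connector .env before running docker-compose.
Added example; the sample .env below is constructed, not from a real deployment."""
import re
import sys

REQUIRED = ["ATTACK_DETECTIVE_API_KEY", "ES_HOST", "ES_PORT", "ES_SCHEME",
            "ES_USER", "ES_PASSWORD", "ES_VERIFY_CERTS"]
OPTIONAL = ["ES_TIMEOUT", "MAX_CONCURRENT_REQUESTS_TO_ES", "PROXY_FOR_ATTACK_DETECTIVE"]


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips blank lines and # comments, strips quotes;
    a later duplicate key overwrites an earlier one (as docker-compose does)."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def validate_env(env: dict) -> list:
    """Return a list of 'error: ...' and 'warning: ...' strings; empty list means OK."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"error: {key} is required but missing or empty")
    for key in sorted(set(env) - set(REQUIRED) - set(OPTIONAL)):
        problems.append(f"warning: unknown variable {key} (typo? it will be ignored)")

    # ES_HOST is a hostname; the scheme belongs in ES_SCHEME.
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", env.get("ES_HOST", "")):
        problems.append("error: ES_HOST must be a hostname only; put the scheme in ES_SCHEME")
    if "ES_PORT" in env and not env["ES_PORT"].isdigit():
        problems.append("error: ES_PORT must be a number")

    scheme = env.get("ES_SCHEME")
    if scheme is not None and scheme not in ("http", "https"):
        problems.append("error: ES_SCHEME must be http or https")
    elif scheme == "http":
        problems.append("warning: ES_SCHEME=http sends ES_PASSWORD in clear text; https is recommended")

    verify = env.get("ES_VERIFY_CERTS")
    if verify is not None and verify.lower() not in ("true", "false"):
        problems.append("error: ES_VERIFY_CERTS must be true or false")
    elif verify is not None and verify.lower() == "false":
        problems.append("warning: ES_VERIFY_CERTS=false disables TLS certificate verification")

    for key in ("ES_TIMEOUT", "MAX_CONCURRENT_REQUESTS_TO_ES"):
        if key in env and (not env[key].isdigit() or int(env[key]) < 1):
            problems.append(f"error: {key} must be a positive integer")

    proxy = env.get("PROXY_FOR_ATTACK_DETECTIVE")
    if proxy and not re.match(r"^https?://", proxy):
        problems.append("error: PROXY_FOR_ATTACK_DETECTIVE must look like http://user:pass@host:port")
    return problems


# Constructed sample: scheme wrongly included in ES_HOST and certificate verification off.
SAMPLE_ENV = """\
ATTACK_DETECTIVE_API_KEY=abCdeFg12345567899abcdeFg
ES_HOST=https://your.host.name
ES_PORT=9200
ES_SCHEME=https
ES_USER=AttackDetectiveUser
ES_PASSWORD=StrongPassword
ES_VERIFY_CERTS=false
"""


def check_file(path: str) -> list:
    """Validate the .env at `path`; a usage call is `python validate_env.py .env`."""
    with open(path, encoding="utf-8") as fh:
        return validate_env(parse_env(fh.read()))


if __name__ == "__main__":
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else validate_env(parse_env(SAMPLE_ENV))
    print("\n".join(findings) or "OK: .env looks consistent")
    sys.exit(1 if any(f.startswith("error") for f in findings) else 0)
```

Run it against the real file from the unpacked folder (`python validate_env.py .env`, file name assumed); a non-zero exit means at least one error, while warnings alone still allow the container to start but deserve a second look.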
