elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Configurations of Alert Rules #194332

Open Gisselle-Guzman opened 1 month ago

Gisselle-Guzman commented 1 month ago

Hi all! I have been a pentester, but now I'm working on the blue side of things. Anyway, I know all the malicious commands, the programs, and what an attacker will type, say, into PowerShell or into their attack machine.

Anyway, we have ELK. Looking into Kibana, I can see there are pre-built rules, and I can duplicate them and make edits in the custom query. But the custom query looks like it's the output of how Windows will react when something malicious occurs. What I want to do is add a custom query of common pentesting commands, and if they are typed and entered, then an alert happens.

Take, for instance, something basic, like a query for nmap for network scanning: sudo nmap -sC -sV -O -A, etc. I know there is already a pre-built rule for this, but this is just an example. Is there a way in Kibana to write an alert for PowerShell terminal commands a malicious threat will use directly, instead of formatting the custom query on how Windows processes take place, etc., when an attack happens?

Gisselle-Guzman commented 1 month ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine commented 1 month ago

Pinging @elastic/security-solution (Team: SecuritySolution)

yctercero commented 1 month ago

Hi there @Gisselle-Guzman! For clarification, are you asking how to create a rule from scratch and not from a prebuilt rule?

If that's the case, you certainly can do what you're asking. We have rule creation docs here.
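Worked example of what the thread is asking for, added here as an illustration rather than code from Elastic or from anyone in the issue: a custom-query (KQL) detection rule that fires when a process start's name or command line references nmap or masscan, the request body to create it through the Kibana Detection Engine API, and an offline dry-run of the same predicate over constructed ECS-shaped events. The `rule_id`, index patterns, tags, indicator lists and sample events are assumptions; the Python matcher is a hand-written mirror of the KQL, not a KQL parser, and it lowercases for convenience while KQL wildcards on keyword fields are case-sensitive. The third sample event shows the cost of keying on command text: an unrelated script whose name contains "nmap" also fires, and an attacker who renames `nmap.exe` does not, which is why the prebuilt rules tend to match on process behaviour (parent process, arguments, network activity) rather than on the literal command.

```python
"""Worked example for this thread (added here; not Elastic's code): a Kibana
detection rule that fires on pentest tooling seen in process command lines,
plus an offline dry-run of the same predicate over constructed ECS events."""
import json
import os
import urllib.request

# Process names and command-line substrings to alert on. A constructed starter
# list; a real rule would be tuned to the fleet being monitored.
SUSPICIOUS_NAMES = ("nmap", "nmap.exe", "masscan", "masscan.exe")
SUSPICIOUS_SUBSTRINGS = ("nmap", "masscan")

# KQL for the rule. event.category/event.type/process.name/process.command_line
# are ECS fields filled in by Elastic Endpoint, Sysmon via Winlogbeat, or Auditbeat.
# KQL wildcards on keyword fields are case-sensitive; the dry-run below
# lowercases for convenience, so treat it as an approximation of the query.
RULE_QUERY = (
    'event.category : "process" and event.type : "start" and '
    '(process.name : ("nmap", "nmap.exe", "masscan", "masscan.exe") or '
    'process.command_line : (*nmap* or *masscan*))'
)


def build_rule() -> dict:
    """Request body for POST /api/detection_engine/rules (Kibana Security
    Detection Engine API). rule_id, index patterns and tags are assumptions."""
    return {
        "rule_id": "custom-pentest-tooling-cmdline",
        "name": "Network scanning tool launched from the command line",
        "description": "Process start whose name or command line references nmap or masscan.",
        "type": "query",
        "language": "kuery",
        "query": RULE_QUERY,
        "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "auditbeat-*"],
        "risk_score": 47,
        "severity": "medium",
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
        "tags": ["Custom", "Discovery"],
    }


def event_matches(event: dict) -> bool:
    """Hand-written Python mirror of RULE_QUERY (not a KQL parser), used to
    check the predicate against sample events before shipping the rule."""
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    name = (event.get("process.name") or "").lower()
    cmdline = (event.get("process.command_line") or "").lower()
    return name in SUSPICIOUS_NAMES or any(s in cmdline for s in SUSPICIOUS_SUBSTRINGS)


def find_hits(events: list) -> list:
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if event_matches(e)]


# Constructed sample events in flattened ECS form (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "event.category": "process", "event.type": "start",
     "process.name": "nmap",
     "process.command_line": "nmap -sC -sV -O -A 10.0.0.0/24"},
    {"id": "2", "event.category": "process", "event.type": "start",
     "process.name": "powershell.exe",
     "process.command_line": 'powershell.exe -NoProfile -c "Get-Process"'},
    # Substring match fires on an unrelated script name: the false-positive
    # cost of keying on command text rather than behaviour.
    {"id": "3", "event.category": "process", "event.type": "start",
     "process.name": "python3",
     "process.command_line": "python3 nmap_results_parser.py report.xml"},
    # Network event, not a process start: out of scope for this rule.
    {"id": "4", "event.category": "network", "event.type": "connection",
     "process.name": "nmap",
     "process.command_line": "nmap -p 443 10.0.0.5"},
]


def post_rule(kibana_url: str, api_key: str) -> int:
    """Create the rule via the Detection Engine API; returns the HTTP status."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + "/api/detection_engine/rules",
        data=json.dumps(build_rule()).encode(),
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": "ApiKey " + api_key},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print("dry run hits:", find_hits(SAMPLE_EVENTS))  # ['1', '3']
    if os.environ.get("KIBANA_URL") and os.environ.get("KIBANA_API_KEY"):
        print("status:", post_rule(os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"]))
```

Run it as-is for the dry run; set `KIBANA_URL` and `KIBANA_API_KEY` to actually create the rule, after which it appears under Security > Rules like any prebuilt rule and can be edited there. The same predicate can be expressed as an EQL rule (`process where event.type == "start" and ...`) if sequences or parent-process context are wanted later.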