4/25/2023 0 Comments Osquery githubIf you take the time to learn the syntax, how to write parsing rules, learn how to aggregate, and how to write join queries (you're wrong there, it actually can do joins, though it is a relatively new feature - if you count a year or two to be old). There are definitely cons (DSL is overly complex and who the fcuk wants to write queries in JSON., you have to know how ES works internally to admin it reasonably, you trade functionality for speed - which you may not want), but it has its place and I'd take it over most other COTS SIEMS.Įlastic is one of the worst siems you can choose for threat hunting and analysis I don't think any other widely used product comes close to checking those boxes. Using a solid API with one of several officially supported client libraries,Īnd having a lot of support/resources from open source security community. ES and Splunk), I'd say there are trade-offs and you have to decide what's most important to you.ĮS will shine if you value the ability to: Having built/deployed multiple SIEMs from the ground up for large companies (incl. Saying ES is "the worst" for threat hunting and analysis is a bad take (IMO). index, source, sourcetype, host, _time, etc, but everything else is either happening through data model acceleration, or at search time which means it ingests data fast, but chugs when you want to search a lot of data, especially if you want to do expensive things like subsearches and joins. Splunk indexes some data at ingest - e.g. Conversely, Splunk mostly indexes at search time. The reason ES is so fast has nothing to do with scoring. If you aren't getting all the documents you expect when you query your data, it's because your query isn't working as expected. Scoring just determines the relative relevance of each result and you can sort by time (as Kibana already does for you). But this isn't how it works - ES first does a boolean match on all documents (events) matching your query. In terms of "estimating data results," I assume you're talking about the Practical Scoring Function ES uses because it's built on Lucene. As rich as (for example) Splunk SPL is, I can do WAY more with Python, way faster, and Elastic puts that data in my hands much more quickly than most SIEM products. If the Kibana GUI doesn't suit you, you can click an icon and see the underlying DSL the search is being translated to and modify it directly in the browser.īut.Elastic is also an API at heart and there's no reason you can't or shouldn't use Jupyter notebooks or similar to search it. You also have options to use KQL (Kibana Query Language, not Kusto), a neutered SQL syntax, and SPL w/ OpenDistro. You can absolutely aggregate, both in time-series (with TimeLion) and with full results using the DSL. It's much easier to measure building a system and its performance than it is to measure analysis and response time saved, or innovations that stem from more free time and less stress. Many from infra engineering and the teams they support not being able to accurately communicate use cases and requirements effectively, while bartering over OKRs and KPIs. I'm passionate about blue teams being as efficient as possible, and have ran into many road blocks over the years. It's a drill that captures misses.Įdit: Apologies for the grouchiness. Purple team is when a red teamer works directly with a blue teamer to create an attack and watch how the blue team systems and people react when it's happening. The final thing I have to say is that purple team is not a set of tools. It could be a nice intro in college, but you'll want to get modern data sets into real siems or DBs asap. This is a pretty interesting distro, but don't expect to be up to date with modern threat hunting, soc analysis, incident response or threat detection. People aren’t writing or looking at suricata rules much anymore, unless you're lucky enough to have an environment being proactively man in the middled, which is rare. ![]() It's all about host based logging like EDR, sysmon and windows event logs, while shored up by specific cloud-based app logs, or pulling forensic artifacts with osquery (or similar). It does not guarantee full accuracy when returning data.Īrkime full packet capture? Full packet capture relevance has faded greatly since the early 2010s due to encryption. ![]() ![]() Lastly, it uses techniques that estimate data results for the sake of speed. And it's even more limited through the search bar in the kibana GUI. The language is incredibly limited, the parsing is confusing, there's no no built in aggregations that make sense, you can only search over one set set of data at a time (no joins). Why are they calling it purple if it's really blue?Īlso, elastic is one of the worst siems you can choose for threat hunting and analysis.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |