Lab 4.3: Investigation Dashboards
Est. Time: 45 minutes
Goals:
- Create a host investigation dashboard in Elastic that brings your EQL rule to light
Instructions
- Dashboards are useful tools for visualizing metrics and data, but they can also be highly useful when it comes to investigating alerts. In this lab we’re going to be creating a host investigation dashboard.
- Start by creating a new blank dashboard. In Elastic, navigate to Security → Dashboards and select “Create Dashboard”.
The dashboard needs to now be populated with different searches, either in normal table form, or a visual form. I’ll show you an example of how to create one, then you can spend the rest of the lab experimenting with some of the other idea suggestions.
- Start by creating a control for the `host.name` field. This will allow you to restrict the Dashboard’s content to the logs from a single host or a set of hosts.
  - Add a new basic Control from the “Add” button in the top right.
  - For the field, select `host.name`.
  - Leave the rest of the defaults how they are and click “Save”.
- You should now have an option to select hosts within that Control. This will allow you to easily limit all the data on your dashboard to the host you are currently investigating.
- Now let’s make a panel for process command line executions; specifically, the least common command line executions. Click “Create visualization” or Add -> Visualization. This will take you to the Lens builder.
  - We’re going to start by changing the type to “Table” and in the search bar adding `process.command_line: *`. This search, within the Lens builder, will only apply to this panel; and within this panel, we are limiting the results to events that have the `process.command_line` field populated.
  - You can add fields to this visualization by dragging from the left hand side, or by adding them on the right. For now let’s add them from the left. Find the `process.command_line` field and drag it to the middle of the screen.
  - If you see an exclamation in the top right, it’s telling you about “Accuracy mode”. Some visualizations have to toggle this option on to ensure that all data is accurately selected for the visualization. This adds more load to the cluster, but is necessary in some situations. In our case, let’s turn that on.
- You’ll notice that in my case the table I have has 91 values of “Other”. Not very helpful. Let’s adjust the values there.
- Click on the row for command line. This will bring up customization options for that row.
- Here is where you modify how you’re seeing the data from that field. You can apply different functions, sorting, and much more.
- Change the number of values shown to 10 and sort by Descending; that sort method will show us the lowest numbers first, which is what we want in this case.
  - Under “Advanced” is where you can adjust whether or not “Other” values are listed, and it’s also where you can enable/disable accuracy mode.
  - Lastly, adjust the name of your visualization; we aren’t looking at the top ten values, we want to see commands that aren’t being run frequently. Therefore I named this visualization “Least common values of process.command_line”.
  - If you wanted to change how the number value is displayed, you would select “Count of records” and make that adjustment there.
- This visualization looks good for now, so hit “Save and return” in the top right. This will save your Lens and return you to the dashboard. It’s important to note that the Dashboard may still need to be saved.
- Note how the query that was run inside of the Lens builder is applied to that specific lens, but not to the dashboard as a whole. The dashboard’s search box is still empty.
- You can view any panel-specific filters by clicking on the filter symbol (three lines) on a lens.
- Before going any further, make sure to hit Save on your dashboard and give it a name.
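To make it concrete what the “Least common values of process.command_line” table is doing behind the Lens UI, here is an added example (not part of the lab, and not Elastic’s own code) that reproduces the panel’s logic in plain Python over a handful of constructed ECS-style events: the `process.command_line: *` exists filter, the `host.name` Control, ranking from least to most common, the top-N cut-off and the “Other” bucket. It also builds the approximate Elasticsearch query DSL that such a panel corresponds to; the exact request Lens sends is an assumption and differs in detail.

```python
"""Re-implementation of the lab's least-common-command-line table (added example).

The events below are constructed for this example; field names follow ECS
(host.name, process.command_line), as used in the lab.
"""
from collections import Counter

# Constructed sample events, flattened to ECS dotted keys (one dict per event).
SAMPLE_EVENTS = [
    {"host.name": "ws-01", "process.command_line": "svchost.exe -k netsvcs"},
    {"host.name": "ws-01", "process.command_line": "svchost.exe -k netsvcs"},
    {"host.name": "ws-01", "process.command_line": "svchost.exe -k netsvcs"},
    {"host.name": "ws-02", "process.command_line": "svchost.exe -k netsvcs"},
    {"host.name": "ws-01", "process.command_line": "explorer.exe"},
    {"host.name": "ws-01", "process.command_line": "explorer.exe"},
    {"host.name": "ws-02", "process.command_line": "explorer.exe"},
    {"host.name": "ws-01", "process.command_line": "cmd.exe /c whoami"},
    {"host.name": "ws-02", "process.command_line": "notepad.exe C:\\Temp\\notes.txt"},
    {"host.name": "ws-01", "process.name": "lsass.exe"},       # no command line: dropped by `field: *`
    {"host.name": "ws-02", "process.command_line": ""},        # empty value: also treated as missing
]


def least_common_values(events, field="process.command_line", size=10,
                        host=None, include_other=True):
    """Return [(value, count), ...] ranked from least to most common.

    Mirrors the Lens table: keep only events where `field` is populated
    (the `process.command_line: *` search), optionally restrict to one host
    (the host.name Control), show `size` rows, and fold the remaining
    documents into a single "Other" row (the Advanced > "Other" option).
    Ties are broken alphabetically so the output is deterministic.
    """
    counts = Counter(
        event[field]
        for event in events
        if event.get(field) not in (None, "")
        and (host is None or event.get("host.name") == host)
    )
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    rows = ranked[:size]
    other = sum(count for _, count in ranked[size:])
    if include_other and other:
        rows.append(("Other", other))
    return rows


def lens_equivalent_query(field="process.command_line", size=10, host=None):
    """Approximate Elasticsearch query DSL for the same panel (assumption:
    Lens' real request is more elaborate, but the shape is this)."""
    filters = [{"exists": {"field": field}}]          # process.command_line: *
    if host is not None:
        filters.append({"term": {"host.name": host}})  # the dashboard Control
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {
            "least_common": {
                "terms": {"field": field, "size": size, "order": {"_count": "asc"}}
            }
        },
    }


if __name__ == "__main__":
    for value, count in least_common_values(SAMPLE_EVENTS, size=2):
        print(f"{count:>5}  {value}")
```

Ordering a terms aggregation by ascending document count, as the query above does, is the case the Elasticsearch documentation flags as approximate: each shard reports only its own top candidates, so a value that is rare overall can be missed. That is the situation the “Accuracy mode” toggle in the lab exists for, at the cost of extra cluster load.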
- Now I challenge you to explore different dashboard panel types and make an investigative dashboard of your own. After the lab I’ll walk you through some ideas and how to apply them.
- Suggestions, in case you’re lacking ideas:
- Most frequent network connections
- Abnormal DNS requests
- Large downloads or uploads
- Feed of alerts for the host in question
- Spoiler: This is what my completed dashboard example looks like. We’ll walk through it after the lab if we have time.
Hardmode
Did you nail this lab right away? If so, here’s an additional challenge for you:
- Build on the lab! Come up with your own visualizations that you think would be helpful during an investigation.
- I encourage you to share your dashboard(s) with the class after the lab via Discord.