
Network Beaconing Identification

Package to identify beaconing activity in your network events.

What is an Elastic integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

The Network Beaconing Identification package consists of a framework to identify beaconing activity in your environment. The framework surfaces significant indicators of compromise (IoCs) for threat hunters and analysts to use as a starting point for an investigation in addition to helping them monitor network traffic for beaconing activities. This package is licensed under Elastic License 2.0.

Installation

You can install the Network Beaconing Identification package via Management > Integrations > Network Beaconing Identification.

To inspect the installed assets, you can navigate to Stack Management > Data > Transforms.

  • Transform name: beaconing.pivot_transform
  • Purpose: Flags beaconing activity in your environment
  • Source index: logs-*
  • Destination index: ml_beaconing-[version]
  • Alias: ml_beaconing.all

For additional information on the transform's inner workings and the signals it generates, refer to this blog post.

Note: When querying the destination index for beaconing activity, we advise using the alias for the destination index (ml_beaconing.all) rather than the versioned index name. If the underlying package is upgraded, the alias keeps the previous findings reachable.

Dashboards

The Network Beaconing Identification package has three dashboards:

  • Network Beaconing: The main dashboard to monitor beaconing activity
  • Beaconing Drilldown: Drilldown into relevant event logs and some statistics related to the beaconing activity
  • Hosts Affected Over Time By Process Name: Monitor the spread of beaconing processes across hosts in your environment

For the dashboards to work as expected, the following settings need to be configured in Kibana.

  1. Ensure the pivot transform is installed and running.
  2. Go to Management > Stack Management > Kibana > Data Views. Click the Create data view button and enable Allow hidden and system indices under Show advanced settings.
  3. Create a data view with the following settings:
    • Index pattern: ml_beaconing.all
    • Name: ml_beaconing
    • Custom data view ID: ml_beaconing
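The following is an added example, not code from the Elastic package, that checks the two preconditions above from parsed API responses: that the pivot transform is started (GET _transform/<id>/_stats) and that the ml_beaconing.all alias resolves to an ml_beaconing-[version] index (GET _alias/ml_beaconing.all), and then builds the data view body for the settings in step 3. The sample responses are constructed, the installed transform id form (logs-beaconing.pivot_transform-1.0.0) and the allowHidden field of the Kibana data view API are assumptions.

```python
"""Pre-flight checks for the Network Beaconing Identification package (added example)."""
import json

TRANSFORM_NAME = "beaconing.pivot_transform"  # transform name from the package docs
ALIAS = "ml_beaconing.all"                    # alias of the destination index
INDEX_PREFIX = "ml_beaconing-"                # destination index is ml_beaconing-[version]


def transform_running(stats: dict) -> bool:
    """True if a transform whose id contains TRANSFORM_NAME reports state 'started'.

    `stats` is the parsed body of GET _transform/<id>/_stats."""
    return any(
        TRANSFORM_NAME in t.get("id", "") and t.get("state") == "started"
        for t in stats.get("transforms", [])
    )


def alias_targets(aliases: dict) -> list:
    """Indices behind ALIAS, from the parsed body of GET _alias/ml_beaconing.all.

    Only ml_beaconing-[version] indices count; anything else behind the alias is ignored."""
    return sorted(
        idx for idx, body in aliases.items()
        if ALIAS in body.get("aliases", {}) and idx.startswith(INDEX_PREFIX)
    )


def data_view_payload() -> dict:
    """Body for POST /api/data_views/data_view with the settings from step 3.

    allowHidden is assumed to be the API equivalent of 'Allow hidden and system indices'."""
    return {"data_view": {"title": ALIAS, "name": "ml_beaconing",
                          "id": "ml_beaconing", "allowHidden": True}}


# Constructed sample responses (not real cluster output) in the shape these APIs return.
SAMPLE_STATS = {"count": 1, "transforms": [
    {"id": "logs-beaconing.pivot_transform-1.0.0", "state": "started"}]}
SAMPLE_ALIASES = {"ml_beaconing-1.0.0": {"aliases": {"ml_beaconing.all": {}}}}

if __name__ == "__main__":
    print("transform running:", transform_running(SAMPLE_STATS))
    print("alias targets:", alias_targets(SAMPLE_ALIASES))
    print(json.dumps(data_view_payload(), indent=2))
```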

Changelog

Version 1.0.0
  • Enhancement (View pull request): Initial release of package (with Serverless support)
