Getting started: Protect hosts with endpoint threat intelligence from Elastic Security


Go beyond blocking malware, ransomware, and advanced threats. Unify detection, prevention, and response across your entire ecosystem.

This guide walks you through a simple endpoint management scenario so you can learn the basics of creating an Elasticsearch cluster, adding data, and analyzing the results in Kibana. To get started, you can create a deployment in Elastic Cloud, where most of the configuration happens automatically. In just a few steps, you’ll learn how to implement threat intelligence to protect an endpoint and feed security information directly into the Elastic Stack for viewing and monitoring.

In this tutorial, you’ll deploy the Elastic Stack, install an Elastic Agent on your host to protect it from threats and collect logs and metrics, and then visualize the collected information.

If you prefer video tutorials, check out the Elastic Security Quick Start or the Elastic Security How-to Series.

Prerequisites


To get started, all you need is an internet connection, an email address, and a local or virtual machine from which you’d like to gather some endpoint event data.

Step 1: Create an Elastic Cloud deployment


If you’ve already signed up for a trial deployment you can skip this step.

An Elastic Cloud deployment offers you all of the features of the Elastic Stack as a hosted service. To test drive your first deployment, sign up for a free Elastic Cloud trial:

  1. Go to our Elastic Cloud Trial page.
  2. Enter your email address and a password.

    Start your free Elastic Cloud trial
  3. After you’ve logged in, you can directly create a deployment. Give your deployment a name and select Create deployment.

    Create your first deployment
  4. While the deployment sets up, make a note of your elastic superuser password and keep it in a safe place.
  5. Once the deployment is ready, select Continue. At this point, you access Kibana and are prompted to Add integrations or to Explore on your own. Feel free to check the various options and integrations available. You can return to the home page of Kibana at any time by selecting the Elastic logo.

Your deployment includes a pre-configured instance of Fleet Server, which manages the Elastic Agents that you can use to monitor a host system.

Step 2: Add the Endpoint Security integration


Elastic integrations include the configuration necessary to collect data from systems, manage systems, and perform actions with external systems. For example, there are integrations to collect MySQL logs and metrics, to protect hosts from malware, and to create issues in incident-reporting systems.

  1. Go to the Kibana home page and select Add integrations.

    Kibana home page
  2. Select Endpoint Security and on the next page select Add Endpoint Security.
  3. Add details for this integration:

    1. Give the integration a name — since this is an integration to protect your hosts, you might name it endpoint security.
    2. Integrations get associated with Agent policies. Give the policy a name — you might apply this policy to all of the Linux hosts in a particular data center and name it for the operating system and location.
    3. The Elastic Agent can protect your host and collect logs and metrics at the same time. Make sure that Collect system logs and metrics is enabled.
    4. Select Save and continue. This step takes a minute or two to complete.

      Configuration page for adding an Endpoint Security integration
  4. Select Add Elastic Agent to your hosts and the Add agent flyout will be displayed.

Step 3: Install and run an Elastic Agent on your machine


Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, and more. A single agent makes it easy and fast to deploy monitoring across your infrastructure. Each agent has a single policy (a collection of input settings) that you can update to add integrations for new data sources, security protections, and more.

The Add agent flyout has two tabs: Enroll in Fleet and Run standalone. The default is to enroll the agents in Fleet, as this reduces the amount of work on the person managing the hosts by providing a centralized management tool in Kibana.

  1. Skip the Select enrollment token step, but note that the enrollment token is specific to the Agent policy that you just created. When you run the command to enroll the agent with Fleet you will pass in the enrollment token.
  2. Download, install, and enroll the Elastic Agent on your host by following the Install Elastic Agent on your host step.
  3. After about a minute your agent will have enrolled with the server, downloaded the configuration specified in the policy that you just created, and started collecting data. Close the Add agent flyout.

    Add agent flyout in Kibana

Step 4: View your host in Elastic Security

  1. Go back to the Kibana home page (select the Elastic logo).
  2. Open Security.

    Solutions on the Kibana home page
  3. From the navigation pane, open the Overview page. You probably will not have any alerts yet, so scroll down to the Events section just to verify that data is flowing. It may take a minute for events to appear: when the Elastic Agent enrolls for the first time, the policy configuration is copied down from the server before collection starts.

    Overview page of the Security solution
  4. Now, enable detection rules by going back to the navigation pane and opening the Rules page. You should tailor the rules that you enable based on your organization’s resources and needs. For this tutorial, choose some or all of the rules and select Bulk actions and then Enable.

    Contextual menu for enabling detection rules

Step 5: Generate an alert


The European Institute for Computer Anti-Virus Research (EICAR) provides anti-malware test files. If your company policy allows these to be used, then proceed with this step.

  1. Navigate to eicar.org and use the button to download an anti-malware test file.
  2. Download eicar_com.zip to the system on which you installed Elastic Agent.

    eicar.org download options
  3. Extract the test file and then return to the Security > Detect > Alerts page in Kibana.

    Kibana Alerts page
  4. You should get a malware prevention alert. Get the details by selecting the View details arrow button.

    View details button on the Alerts page
  5. To find out what preceded the event, close the details pop-up and select the Analyze event cube-shaped button. Use the zoom in and out buttons, and drag the window contents around to see what led up to the malware being detected. For example, if you are protecting an Ubuntu endpoint, you may notice that a process named file-roller was used to run unzip. Selecting unzip will show you the timestamp, path to the unzip binary, process ID, username, and more information.

    Kibana endpoint alert process
    Kibana endpoint alert details
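The Analyze event view in step 5 works by following each process's parent link back through the endpoint's process events. The added example below (not code from Elastic or this page) rebuilds that lineage from a few constructed ECS-style process events, reproducing the file-roller to unzip chain described above; the entity ids, PIDs and timestamps are made up for illustration.

```python
"""Rebuild the process lineage behind an endpoint alert from ECS process events."""
from typing import Optional

# Constructed sample events using ECS field names; values are illustrative only.
EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "event.action": "exec",
     "process.entity_id": "p1", "process.parent.entity_id": None,
     "process.name": "systemd", "process.executable": "/usr/lib/systemd/systemd",
     "process.pid": 1, "user.name": "root"},
    {"@timestamp": "2024-01-01T10:05:00Z", "event.action": "exec",
     "process.entity_id": "p2", "process.parent.entity_id": "p1",
     "process.name": "file-roller", "process.executable": "/usr/bin/file-roller",
     "process.pid": 2310, "user.name": "analyst"},
    {"@timestamp": "2024-01-01T10:05:02Z", "event.action": "exec",
     "process.entity_id": "p3", "process.parent.entity_id": "p2",
     "process.name": "unzip", "process.executable": "/usr/bin/unzip",
     "process.pid": 2344, "user.name": "analyst"},
]


def index_by_entity(events: list) -> dict:
    """Map process.entity_id -> event so each parent lookup is a dict hit."""
    return {e["process.entity_id"]: e for e in events}


def lineage(events: list, entity_id: str, max_depth: int = 32) -> list:
    """Return the ancestor chain, root process first, alerting process last.

    Stops on a missing parent (partial data), a repeated id (cycle) or
    max_depth, so malformed input cannot loop forever.
    """
    by_id = index_by_entity(events)
    chain, seen = [], set()
    current: Optional[str] = entity_id
    while current in by_id and current not in seen and len(chain) < max_depth:
        seen.add(current)
        chain.append(by_id[current])
        current = by_id[current].get("process.parent.entity_id")
    chain.reverse()
    return chain


def describe(events: list, entity_id: str) -> str:
    """Render the chain as 'name(pid) -> name(pid) -> ...' for a quick read."""
    return " -> ".join(f"{e['process.name']}({e['process.pid']})"
                       for e in lineage(events, entity_id))


if __name__ == "__main__":
    print(describe(EVENTS, "p3"))
```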

Step 7: Tidying up

  1. You’ve now learned how to set up an Elastic Cloud deployment and bring in data from a host system to protect endpoints with threat intelligence. If you’d like to remove Elastic Agent from your system, run the uninstall command from the directory where it’s running and then follow the prompts.

    You must run this command as the root user. The path below is the default install location on macOS; on Linux the agent is installed under /opt/Elastic/Agent and on Windows under C:\Program Files\Elastic\Agent.

    sudo /Library/Elastic/Agent/elastic-agent uninstall

    If you run into any problems, check Uninstall Elastic Agents from edge hosts for the detailed uninstall steps.

  2. You can also remove the anti-malware test file if you downloaded it.

What’s next?


Learn more about Elastic Security

Learn about other Elastic solutions and features

  • Want to add search to your website, applications, or organization data? Try out Enterprise Search.
  • Want Elastic to do the heavy lifting? Use machine learning to detect anomalies.