### Install Netsec Port Scan Fast ML Job Source: https://github.com/elastiflow/elastiflow_for_elasticsearch/blob/master/ml/README.md Use this script to install the 'netsec_port_scan_fast' anomaly detector and datafeed. Ensure you replace placeholder URLs and credentials with your actual Elasticsearch details. ```bash ./netsec_port_scan_fast.sh -h https://192.0.2.11:9200 -u elastic -p changeme ``` -------------------------------- ### Install ML Job via Shell Script Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt This script installs a specific machine learning anomaly detection job and its datafeed into Elasticsearch. Replace placeholders with your actual cluster details. ```bash # Install a specific ML job using the included shell script ./netsec_port_scan_fast.sh -h https://192.0.2.11:9200 -u elastic -p changeme ``` -------------------------------- ### Open and Start Brute Force Anomaly Detection Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Opens the anomaly detection job and starts its associated datafeed to begin processing data and detecting anomalies. ```bash curl -s -X POST "https://192.0.2.11:9200/_ml/anomaly_detectors/elastiflow_codex_netsec_bruteforce_direct_cli_in_fast/_open" \ -u elastic:changeme curl -s -X POST "https://192.0.2.11:9200/_ml/datafeeds/datafeed-elastiflow_codex_netsec_bruteforce_direct_cli_in_fast/_start" \ -u elastic:changeme ``` -------------------------------- ### Import Vega Sankey Visualizations Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Imports all Vega Sankey visualization examples into Kibana. These diagrams visualize network flow topology. The script iterates through `.ndjson` files and uses the Kibana API for import. Custom index patterns can be applied by editing the Vega spec within Kibana. ```bash # Import all Vega Sankey examples via Kibana API for file in "kibana/vega_examples/sankey/"*.ndjson; do echo "Importing: $file" curl -s -X POST "https://kibana:5601/api/saved_objects/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@"$file" echo "" done ``` -------------------------------- ### Install DNS Low-Response Availability Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Installs an anomaly detection job to monitor for low DNS response rates. It uses the 'low_count' function, partitions by the exporter host, and filters for UDP traffic on port 53. ```json { "job_id": "elastiflow_codex_avail_dns_resp_low", "groups": ["elastiflow","availability","network_services"], "description": "Low DNS Responses", "analysis_config": { "bucket_span": "20m", "detectors": [{ "function": "low_count", "by_field_name": "flow.server.ip.addr", "partition_field_name": "flow.export.host.name" }], "influencers": [ "flow.export.host.name","flow.client.ip.addr","flow.server.ip.addr","flow.server.host.name" ] }, "analysis_limits": { "model_memory_limit": "192mb" }, "data_description": { "time_field": "@timestamp", "time_format": "epoch_ms" }, "results_index_name": "custom-elastiflow_codex_avail_dns_resp_low" } ``` -------------------------------- ### Install Rare Inbound Country ML Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Installs an ML job to detect rare inbound countries. Requires Elasticsearch ML features and specific index patterns. The job uses the 'rare' function to identify anomalies. ```bash # Install rare inbound country ML job # File: ml/codex/netsec_activity/netsec_rare_geo_country_in.json curl -s -X PUT "https://192.0.2.11:9200/_ml/anomaly_detectors/elastiflow_codex_netsec_rare_geo_country_in" \ -H "Content-Type: application/json" -u elastic:changeme \ -d '{ "job_id": "elastiflow_codex_netsec_rare_geo_country_in", "groups": ["elastiflow","security","activity","inbound"], "description": "Rare Country - inbound", "analysis_config": { "bucket_span": "30m", "detectors": [{ "function": "rare", "by_field_name": "flow.client.geo.country.name" }], "influencers": [ "flow.client.geo.country.name","flow.server.l4.port.name", "flow.server.ip.addr","flow.client.as.label","flow.client.ip.addr" ] }, "analysis_limits": { "model_memory_limit": "384mb" }, "results_index_name": "custom-elastiflow_codex_netsec_rare_geo_country_in" }' ``` ```bash curl -s -X PUT "https://192.0.2.11:9200/_ml/datafeeds/datafeed-elastiflow_codex_netsec_rare_geo_country_in" \ -H "Content-Type: application/json" -u elastic:changeme \ -d '{ "job_id": "elastiflow_codex_netsec_rare_geo_country_in", "indices": ["elastiflow-flow-codex-*"], "query": { "bool": { "must": [ { "exists": { "field": "flow.client.geo.country.name" }}, { "term": { "l4.session.established": "true" }}, { "term": { "flow.server.as.org": "PRIVATE" }} ], "must_not": [ { "term": { "flow.client.as.org": "PRIVATE" }}, { "term": { "sec.threat.name": "Internet Scanner" }} ] } } }' ``` -------------------------------- ### Import ECS-Schema Query-Based Alert Rules Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Use this command to import alert rules that conform to the Elastic Common Schema (ECS). Ensure the file path is correct and overwrite is set as needed. ```bash # Import ECS-schema query-based alert rules curl -s -X POST "https://kibana:5601/api/detection_engine/rules/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@alerts/ecs/ecs_query.ndjson ``` -------------------------------- ### Import All ML-Based Codex Alert Rules Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt This command imports all machine learning-based alert rules defined in the `codex_ml.ndjson` file. It's useful for a comprehensive deployment of ML detections. ```bash # Import all ML-based Codex alert rules (brute force, DDoS, activity, recon) curl -s -X POST "https://kibana:5601/api/detection_engine/rules/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@alerts/codex/codex_ml.ndjson ``` -------------------------------- ### Import Specific ML-Based Codex Alert Rule Category Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Use this command to import ML-based alert rules for a specific category, such as brute force attacks. This allows for more targeted deployments. ```bash # Or import by category: curl -s -X POST "https://kibana:5601/api/detection_engine/rules/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@alerts/codex/netsec_bruteforce_ml.ndjson # 32 rules ``` -------------------------------- ### Create DNS Response Low Availability Anomaly Detection Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt This section describes how to set up an anomaly detection job to monitor for anomalously low response rates for DNS services. It includes creating the anomaly detector and its associated datafeed. ```APIDOC ## PUT /_ml/anomaly_detectors/{job_id} ### Description Creates an anomaly detection job to detect anomalously low response counts for DNS services. ### Method PUT ### Endpoint `https://:/_ml/anomaly_detectors/elastiflow_codex_avail_dns_resp_low` ### Request Body ```json { "job_id": "elastiflow_codex_avail_dns_resp_low", "groups": ["elastiflow","availability","network_services"], "description": "Low DNS Responses", "analysis_config": { "bucket_span": "20m", "detectors": [ { "function": "low_count", "by_field_name": "flow.server.ip.addr", "partition_field_name": "flow.export.host.name" } ], "influencers": [ "flow.export.host.name","flow.client.ip.addr","flow.server.ip.addr","flow.server.host.name" ] }, "analysis_limits": { "model_memory_limit": "192mb" }, "data_description": { "time_field": "@timestamp", "time_format": "epoch_ms" }, "results_index_name": "custom-elastiflow_codex_avail_dns_resp_low" } ``` ## PUT /_ml/datafeeds/{datafeed_id} ### Description Creates a datafeed for the DNS response low anomaly detection job. ### Method PUT ### Endpoint `https://:/_ml/datafeeds/datafeed-elastiflow_codex_avail_dns_resp_low` ### Request Body ```json { "job_id": "elastiflow_codex_avail_dns_resp_low", "indices": ["elastiflow-flow-codex-*"], "scroll_size": 1000, "query": { "bool": { "must": [ { "term": { "l4.proto.name": "UDP" }}, { "term": { "flow.src.l4.port.id": 53 }}, { "exists": { "field": "flow.export.host.name" }}, { "exists": { "field": "flow.server.ip.addr" }} ] } } } ``` ``` -------------------------------- ### Import Query-Based Security Alert Rules via API Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Import query-based detection rules for the Codex field schema into Kibana's Detection Engine. These rules query the 'elastiflow-flow-codex-*' index pattern and run every 5 minutes. ```bash # Import all query-based alert rules for the Codex schema curl -s -X POST "https://kibana:5601/api/detection_engine/rules/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@alerts/codex/codex_query.ndjson # Example rule structure (TCP X-Mas Flags — Defense Evasion, MITRE TA0005/T1599): # { # "name": "TCP X-Mas Flags", # "type": "query", # "language": "kuery", # "index": ["elastiflow-flow-codex-*"], # "query": "*", # "filters": [{ # "query": { # "bool": { # "should": [ # { "match_phrase": { "tcp.flags.bits": "255" }}, # { "match_phrase": { "tcp.flags.bits": "127" }}, # { "match_phrase": { "tcp.flags.bits": "63" }} # ] # } # } # }] # } ``` -------------------------------- ### Create Bruteforce Direct CLI Inbound Anomaly Detection Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt This section details the steps to create an anomaly detection job for detecting brute force direct CLI access attempts from inbound traffic. It includes creating the anomaly detector, setting up the datafeed, and opening/starting the job. ```APIDOC ## PUT /_ml/anomaly_detectors/{job_id} ### Description Creates an anomaly detection job to monitor for specific patterns, such as brute force attacks. ### Method PUT ### Endpoint `https://:/_ml/anomaly_detectors/elastiflow_codex_netsec_bruteforce_direct_cli_in_fast` ### Request Body ```json { "job_id": "elastiflow_codex_netsec_bruteforce_direct_cli_in_fast", "groups": ["elastiflow","security","access","bruteforce","inbound","fast"], "description": "Brute Force Direct CLI Access - inbound (fast)", "analysis_config": { "bucket_span": "10m", "model_prune_window": "14d", "detectors": [ { "function": "high_distinct_count", "field_name": "flow.client.l4.port.id", "over_field_name": "flow.client.ip.addr", "partition_field_name": "flow.server.l4.port.name" } ], "influencers": [ "flow.server.l4.port.name","flow.server.ip.addr","flow.server.host.name", "flow.client.as.label","flow.client.ip.addr","flow.client.host.name" ] }, "analysis_limits": { "model_memory_limit": "512mb" }, "data_description": { "time_field": "@timestamp", "time_format": "epoch_ms" }, "model_snapshot_retention_days": 7, "results_index_name": "custom-elastiflow_codex_netsec_bruteforce_direct_cli_in_fast" } ``` ## PUT /_ml/datafeeds/{datafeed_id} ### Description Creates a datafeed for an anomaly detection job, specifying the indices and query to use for data collection. ### Method PUT ### Endpoint `https://:/_ml/datafeeds/datafeed-elastiflow_codex_netsec_bruteforce_direct_cli_in_fast` ### Request Body ```json { "job_id": "elastiflow_codex_netsec_bruteforce_direct_cli_in_fast", "indices": ["elastiflow-flow-codex-*"], "scroll_size": 1000, "query": { "bool": { "must": [ { "terms": { "flow.server.l4.port.id": [22, 23] }}, { "exists": { "field": "flow.client.ip.addr" }}, { "term": { "flow.server.as.org": "PRIVATE" }} ], "must_not": [ { "term": { "flow.client.as.org": "PRIVATE" }} ] } } } ``` ## POST /_ml/anomaly_detectors/{job_id}/_open ### Description Opens an anomaly detection job, making it ready to process data. ### Method POST ### Endpoint `https://:/_ml/anomaly_detectors/elastiflow_codex_netsec_bruteforce_direct_cli_in_fast/_open` ## POST /_ml/datafeeds/{datafeed_id}/_start ### Description Starts the datafeed for an anomaly detection job, initiating data collection and analysis. ### Method POST ### Endpoint `https://:/_ml/datafeeds/datafeed-elastiflow_codex_netsec_bruteforce_direct_cli_in_fast/_start` ``` -------------------------------- ### Create Datafeed for DNS Low-Response Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Configures the datafeed for the DNS low-response availability job. It specifies the job ID, indices, scroll size, and a query to filter for UDP traffic on port 53, ensuring exporter and server IP fields exist. ```json { "job_id": "elastiflow_codex_avail_dns_resp_low", "indices": ["elastiflow-flow-codex-*"], "scroll_size": 1000, "query": { "bool": { "must": [ { "term": { "l4.proto.name": "UDP" }}, { "term": { "flow.src.l4.port.id": 53 }}, { "exists": { "field": "flow.export.host.name" }}, { "exists": { "field": "flow.server.ip.addr" }} ] } } } ``` -------------------------------- ### Import Kibana SNMP Dashboards via API Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Import SNMP dashboards and SNMP traps dashboards into Kibana using the Saved Objects API. Ensure the correct Kibana version and schema are selected. ```bash # Import SNMP dashboards for Kibana 8.2.x, Codex schema curl -s -X POST "https://kibana:5601/api/saved_objects/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@kibana/snmp/kibana-8.2.x-snmp-codex.ndjson # Import SNMP Traps dashboards for Kibana 8.14.x curl -s -X POST "https://kibana:5601/api/saved_objects/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@kibana/snmp_traps/kibana-8.14.x-snmp-traps-codex.ndjson # Available SNMP dashboard files: # kibana/snmp/kibana-7.17.x-snmp-codex.ndjson # kibana/snmp/kibana-7.17.x-snmp-ecs.ndjson # kibana/snmp/kibana-8.2.x-snmp-codex.ndjson # kibana/snmp/kibana-8.2.x-snmp-ecs.ndjson # kibana/snmp_traps/kibana-8.14.x-snmp-traps-codex.ndjson ``` -------------------------------- ### Create Datafeed for Brute Force Detection Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Configures the datafeed for the brute force anomaly detection job. Specifies the job ID, the indices to search, scroll size, and a query to filter relevant network traffic (SSH/Telnet to private IPs from public IPs). ```json { "job_id": "elastiflow_codex_netsec_bruteforce_direct_cli_in_fast", "indices": ["elastiflow-flow-codex-*"], "scroll_size": 1000, "query": { "bool": { "must": [ { "terms": { "flow.server.l4.port.id": [22, 23] }}, { "exists": { "field": "flow.client.ip.addr" }}, { "term": { "flow.server.as.org": "PRIVATE" }} ], "must_not": [ { "term": { "flow.client.as.org": "PRIVATE" }} ] } } } ``` -------------------------------- ### Create Brute Force Anomaly Detection Job Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Defines an anomaly detection job to identify brute force attacks targeting direct CLI access. Requires specifying job ID, groups, description, analysis configuration (bucket span, detectors, influencers), analysis limits, data description, model snapshot retention, and results index name. ```json { "job_id": "elastiflow_codex_netsec_bruteforce_direct_cli_in_fast", "groups": ["elastiflow","security","access","bruteforce","inbound","fast"], "description": "Brute Force Direct CLI Access - inbound (fast)", "analysis_config": { "bucket_span": "10m", "model_prune_window": "14d", "detectors": [{ "function": "high_distinct_count", "field_name": "flow.client.l4.port.id", "over_field_name": "flow.client.ip.addr", "partition_field_name": "flow.server.l4.port.name" }], "influencers": [ "flow.server.l4.port.name","flow.server.ip.addr","flow.server.host.name", "flow.client.as.label","flow.client.ip.addr","flow.client.host.name" ] }, "analysis_limits": { "model_memory_limit": "512mb" }, "data_description": { "time_field": "@timestamp", "time_format": "epoch_ms" }, "model_snapshot_retention_days": 7, "results_index_name": "custom-elastiflow_codex_netsec_bruteforce_direct_cli_in_fast" } ``` -------------------------------- ### Import Kibana Flow Dashboards via API Source: https://context7.com/elastiflow/elastiflow_for_elasticsearch/llms.txt Use this command to import flow dashboards into Kibana using the Saved Objects API. Ensure you specify the correct Kibana version and field schema (Codex or ECS). ```bash # Import flow dashboards for Kibana 8.14.x using the Codex schema # via Kibana Saved Objects API curl -s -X POST "https://kibana:5601/api/saved_objects/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@kibana/flow/kibana-8.14.x-flow-codex.ndjson # Import flow dashboards using ECS schema for the same Kibana version curl -s -X POST "https://kibana:5601/api/saved_objects/_import?overwrite=true" \ -H "kbn-xsrf: true" \ -H "Authorization: Basic $(echo -n 'elastic:changeme' | base64)" \ --form file=@kibana/flow/kibana-8.14.x-flow-ecs.ndjson # Available flow dashboard files: # kibana/flow/kibana-7.17.x-flow-codex.ndjson (Kibana 7.17.x, Codex schema) # kibana/flow/kibana-7.17.x-flow-ecs.ndjson (Kibana 7.17.x, ECS schema) # kibana/flow/kibana-8.2.x-flow-codex.ndjson (Kibana 8.2.x, Codex schema) # kibana/flow/kibana-8.2.x-flow-ecs.ndjson (Kibana 8.2.x, ECS schema) # kibana/flow/kibana-8.14.x-flow-codex.ndjson (Kibana 8.14.x, Codex schema) # kibana/flow/kibana-8.14.x-flow-ecs.ndjson (Kibana 8.14.x, ECS schema) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.