-
Notifications
You must be signed in to change notification settings - Fork 371
Naming requirements within RedELK
Marc Smeets edited this page May 22, 2023
·
4 revisions
For a properly working RedELK setup it is required to pay attention to the following requirements.
| Name | Description | Specifics to pay attention to |
|---|---|---|
| FilebeatID | Name given to the host by Filebeat. |
The name is given during running the install-redir.sh or install-c2server.sh scripts.For the c2 servers: have the identifier match the name in the mounts/redelk-config/etc/cron.d/redelk and the name passed to install-c2server.sh script If entered incorrectly during installation, background scripts will fail and implant log files, screenshots and keystrokes will not be accessible via RedELK interface. You can change it in the /etc/filebeat/filebeat.yml config file on the specific host or in mounts/redelk-config/etc/cron.d/redelk on the RedELK server |
| attackscenario | Name of the attack scenario this infra component belongs to. | An infra component can only belong to a single attackscenario. In case of TIBER or the likes this will likely be something like scenario1, scenario2 and scenarioX. Could also be more descriptive, e.g. ransomware, fingain, or your internally used code name. Name needs to be the same for all other components in the same scenario; it is an important way for filtering within the Kibana interface. The name is given during running the install-redir.sh or install-c2server.sh scripts. If entered incorrectly during installation, you can change it in the /etc/filebeat/filebeat.yml config file on the specific host. |
| Redirector backend | Name given in the config of the redirector application (Apache, HAProxxy, etc) for the backend. |
Must start with c2 or decoy Use a descriptive name, e.g. decoy-phishrun1 or c2-https. Stock Kibana views and dashboards expect the naming standard. Some alarms are hardcoded triggered for these c2* names |
| Redirector frontend | Name given in the config of the redirector application (Apache, HAProxxy, etc) for the frontend. | Let it be descriptive for you as you will use this in the RedELK interface to understand where traffic was coming in. Better not use spaces in the name. |