ELK Stack Automation and the Elasticsearch API
Reading Time: 7 minutes
Prototype Build: 4 hours (install, configuration, hardening, accounts, debugging)
Download+Customize: 3 minutes
Collective Time Saved:days
The ELK (Elasticsearch, Logstash, Kibana) stack is a collection of open-source tools from Elastic.co that form a data ingestion, search, analysis, and visualization platform. The Elastic Stack is the next evolution of the ELK stack and now includes a component called Beats (which is a family of lightweight and single-purpose data shippers). Today, we’re going to automate the Elasticsearch Search API to rapidly create canned and shareable threat hunting tools for you and your team. We will use the Packetbeat data shipper for easy setup and access to network data such as low-level DNS packet attributes and IP flow data.
ELK Stack Automation and APIs
As always, when diving into any API, the first concerns tend to be:
- Where and what sort of documentation does the API have?
- What specific endpoint(s) can I access?
- How do I authenticate against the API?
- Are there any prerequisites, limitations, or ‘gotchas’ ?
- What tooling can I use to quickly prototype and test?
Elasticsearch API Documentation
The current documentation version is 7.9 at the time of writing:
- Main Elastic Stack documentation hub here.
- Elasticsearch REST API here.
- Logstash REST APIs here.
- Beats reference here.
- - Filebeat reference here.
- - Packetbeat reference here.
- Kibana REST API here.
Elasticsearch API Endpoint(s)
Elasticsearch has an extensive and rich set of APIs for all functions. This is because the UI (User Interface) itself uses the APIs. We will be using the Elasticsearch Search API for our threat hunting, and so will interact almost entirely with this specific API endpoint:
Our indexes will contain the name ‘packetbeat’ and the format also includes the current date (this is covered in the installation setup). By using a wildcard '*' our API endpoint will cover all Packetbeat named indexes:
We will also be generating API keys via the Elasticsearch Security API endpoint at:
Elasticsearch API Authentication
There are three distinct ways to authenticate to the Elasticsearch API (once authentication is enabled). They include:
- Basic HTTP authentication
- and token-based (which can be via an API key or Oauth2.0 tokens).
Elasticsearch Search API Limitations
The Search API returns a maximum of 100 pages, a maximum of 1000 results per page, and a maximum of 10,000 document results per query, which is a limitation of the default Elasticsearch result window.
Note: There is very little security-enabled ‘out-of-the-box’ with the Elastic Stack when using the basic/trial install. This makes it trivial to get started but can leave your data and endpoints exposed unless you harden the configuration.
cURL on the CLI is one way to test our authenticated requests and subsequent calls. Postman has a fully-fledged GUI, and of course, you can use your preferred language of choice to make calls to the API. Today we will be going further and building useful security workflows using Tines. Tines enables rapid, reusable, and shareable workflows without delving into code (due to its visual builder). You can quickly register a free, fully functional, no-strings Tines trial here.
Quick Setup Up
We’ve set up an Ubuntu 20.04 server on AWS using a t3.large instance (to accommodate the system and JVM requirements) and then followed DigitalOcean’s excellent Elasticsearch installation tutorial. We will, however, be enabling security for authentication and also adding an additional Beats shipper called PacketBeat (over and above just Filebeat). We did not generate custom certificates and are instead using Cloudflare’s free and flexible TLS/SSL offering combined with Nginx’s simple reverse proxy on the Elastic Stack host. This ensures our primary transports are encrypted across the untrusted Internet, i.e. the ability to use ‘https’ for data in transit.
Note: If you are running a production instance of the Elastic Stack, we recommend you follow all their security guidance, including the use of correct certificates for full end-to-end encryption.
Step 1. Enable Basic Security
It is recommended that system-level accounts are reset and recorded as per the CLI tool “elasticsearch-setup-passwords”. To enable basic authentication and API key generation, there are some additional updates required in ‘elasticsearch.yml’ (and don’t forget to restart services afterward!).
The above change also has knock-on effects with Beats (i.e. filebeat.yml / packetbeat.yml) and Kibana configurations. Usernames and passwords are now required in each component's configuration files, e.g., for ‘filebeat.yml’ (below) running on the Elastic Stack. You would also need to change the host’s field if sending from a remote rather than a local data shipper.
Step 2. Packetbeat
In this guide, we also install the Packetbeat data shipper to enable us to query low-level DNS attributes and other IP packet fields. You can use the same Beats user you set up with the role of index ‘writer’ (from the DigitalOcean install tutorial) if you wish but also remember to run the setup, including that of telling Kibana to configure the right index policy, templates, and dashboards.
Note: You might need to manually supply the ‘elastic’ username and password on the CLI during setup, as you now should have authentication enabled.
Step 3. Minting API Tokens
We can create an API key from the CLI using something like cURL but let’s take a quick look at using the Kibana Dev Console under ‘Management/Dev Tools’ (as we should already have logged in to Kibana using the primary “elastic” user). Let’s create an API key valid for 14 days.
And the subsequent response gives us all we need to create our token.
To generate a usable token (based upon our API key), we need to combine the “id” and the “api_key” with a colon ‘:’ and then Base64 encode the resulting string. Here we use Ruby’s interactive console (irb) to achieve this (though you can use the CLI on OSX or *nix to accomplish this also, as shown in the second example below!).
We now have our token (ending in ‘==’ or “=” meaning it was padded due to a short length). We can use it with our API calls by submitting the token as a header in our requests as per below:
Putting it All Together
Let’s now create a simple threat hunting scenario leveraging Elasticsearch and using Tines for the workflow. We can then also expose our workflow to our colleagues as a canned query. You could modify it in many other ways as part of closed-loop automation (including querying or writing to a whole host of other platforms or services), but let’s focus on looking for DNS queries and traffic to dodgy domains first!
First, let’s focus on the API calls we make to Elasticsearch, and then we can expand to explain the other agent types used for additional functionality. The two main API queries we are going to send to Elasticsearch are to ask for and return all hosts that:
- made DNS queries about a specific domain
- sent IP traffic to an IP address (IPv4/IPv6) that resolved in the DNS answer
As noted previously, the UI depends on the API so the basic search terms for fields map from Kibana Query Language (KQL) usage to our JSON based API calls (with the exception of how we structure any conditional logic). Here we do a test to look for entries related to “cisco.com”.
To answer the second question regarding IP traffic we will need to first perform some DNS resolution for IPv4 and IPv6 RRs (Resource Records). This is where we will additionally ask Cloudflare’s DoH (DNS over HTTPS) for some answers so we can then query the raw IPs in Elasticsearch.
Note: For our examples, we’re using ‘cisco.com’ as the domain name queried. It is not in any way “bad” but simply has both IPv4 A and IPv6 AAAA resource records. Any domain will, of course, work in our automation (such as the WannaCry domain name www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com).
If we drag an Elasticsearch agent onto our Tines storyboard, we can see that it consists of JSON at the backend. It submits authentication and payload fields to our Elasticsearch Packetbeat index’s ‘_search’ endpoint. It includes all our Packetbeat indexes due to the ‘*’ asterisk glob pattern. This could be further refined but we will use the ‘range’ term to limit the window of time queried.
Note: The quoted endpoint can be tweaked to only include the current day’s index if so desired, but for now, we will use our time ‘range’ to define how far back to look. You can see that we have special fields for ‘global_resource’ and ‘credential’, which are configured elsewhere in Tines (so they can be easily reused and are safely stored).
When we run ‘▷’ this agent, we get the following response in our events:
As you can see, we received 7 hits, with one of them being an Ubuntu server called ‘aeuw1-t0001’.
Our second API call to Elasticsearch is very similar. It only uses different values in the ‘term’ field, such as ‘destination.ip’ using an array of IP addresses rather than the term ‘dns.question.name’ and a single string.
OK, so now let’s look at how we join up these agents (including how to query Cloudflare) and then make a few simple logic decisions using what we call Trigger and Event Transformation agents. We will also drag in a Webhook agent which will be used to start our automation workflow.
As you can see, we now use triggers to ensure we continue our story only if there are search hits received from Elasticsearch (otherwise, we send an email to say we could not find anything). We use a few Event Transform agents to massage the search results returned and also aggregate the Cloudflare DoH (DNS over HTTPS) responses as we want to search for all resolved IPs.
The email we receive from our query for ‘cisco.com’ looks like:
But how do we kick off this workflow and make it easily consumable by others? Well, because we initiate it with a Webhook agent, we can call it from other automation stories or remote systems. We can even drop a simple form in front of it with Tines in seconds. Tines has a simple form builder that allows you to auto-select any live Webhook agent in your story as an entry point. Let’s quickly generate a form for our colleagues (we can choose a private or public link to give them, so let’s keep it private for now):
And now, when we submit the form, it runs the automation for us!
We’ve seen how to use the Elasticsearch Search API and Tines to wrap pieces of functionality into straightforward and useful automations. These automation stories can grow as complex as you wish and involve tens if not hundreds of agents performing tasks with all manner of services and endpoints. Stories can also be modularized to form reusable sub-stories by using the Send To Story agent type (which also makes good use of the Webhook agent type!).
The above simple story can be downloaded here if you’d like to experiment and play around with it. It only takes a few minutes to get going! You can, of course, construct your own story or modify the workflow for your own needs. You can add agents from the library of more than a thousand agent templates that ship with Tines. Maybe it's time to drive security outcomes by automating your operational logic.
Assure yourself what's next!