Beacon Huntress Data Sources
Beacon Huntress can now store data sources for repeatable use. The current data source types are Zeek Connection Logs, Elastic Indices, and Security Onion Indices. Beacon Huntress defaults to the Zeek Connection Logs data source, which lets the user select their raw Zeek connection logs. For details on setting up an API Key, see the Create Elastic API section below.
Elastic
The Elastic data source uses Zeek connection logs stored in Elastic indices. The indices are selected manually. See the Create Elastic API section below for details on setting up an API Key.
To create an Elastic data source, follow the steps below.
- Under "Settings" click "Data Sources".
- Click the "New" button.
- Select "Elastic" in the "Data Source Type" drop-down list.
- Fill in the inputs required for Elastic:
  - Data Source Name
    - Unique name for your data source.
  - Host
    - Elastic host name.
  - Port
    - Elastic port number.
  - API Key
    - Elastic API Key (see Create Elastic API below).
    - The API Key can be shown in clear text by clicking the eye button.
  - Index
    - Elastic index name(s); multi-select.
    - Click the load button to load the indices. The Host, Port and API Key must be correct for the indices to load.
- Click the "Add" button to create the new data source.
- The new data source can now be selected as the data source for any "Search For Beacon".
Security Onion
The Security Onion data source uses the Zeek connection logs held in Security Onion's Elastic indices. The indices are selected automatically. See the Create Elastic API section below for details on setting up an API Key.
- Under "Settings" click "Data Sources".
- Click the "New" button.
- Select "Security Onion" in the "Data Source Type" drop-down list.
- Fill in the inputs required for Security Onion:
  - Data Source Name
    - Unique name for your data source.
  - Host
    - Security Onion Elastic host name.
  - Port
    - Security Onion Elastic port number.
  - API Key
    - Security Onion Elastic API Key (see Create Elastic API below).
    - The API Key can be shown in clear text by clicking the eye button.
- Click the "Add" button to create the new data source.
- The new data source can now be selected as the data source for any "Search For Beacon".
Zeek Logs
Zeek Connection Logs must be provided for Beacon Huntress to analyze. Follow the steps below to copy your Zeek logs from their original location to a local directory that Beacon Huntress can access. It is recommended to organize the logs into separate directories, one per day.
- In this example, we will copy Zeek connection logs to the /zeek directory. The /zeek directory is mounted into the beacon_huntress Docker container.

```bash
# CREATE DIRECTORY (REPLACE YYYY-MM-DD WITH DATE)
mkdir -p /zeek/raw/data/YYYY-MM-DD
# START SFTP SHELL
sftp root@YOUR_FTP_SERVER
# SFTP COMMAND EXAMPLE, RUN INSIDE THE SFTP SHELL (REPLACE YYYY-MM-DD WITH DATE)
get -R zeek/logs/YYYY-MM-DD/conn.* /zeek/raw/data/YYYY-MM-DD
```
- Under "Settings" click "Data Sources".
- Click the "New" button.
- Fill in the inputs required for Zeek Connection Logs:
  - Data Source Name
    - Unique name for your data source.
  - Raw Log Location
    - Raw Zeek file location.
- Click the "Add" button to create the new data source.
- The new data source can now be selected as the data source for any "Search For Beacon".
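As an added example (not part of the Beacon Huntress documentation or code), the following POSIX shell script stages conn logs into the one-directory-per-day layout recommended above and checks each file's Zeek header before copying it, because Beacon Huntress only accepts connection logs and a DNS or HTTP log that slipped into the directory would be wasted or misread. It assumes the source tree follows Zeek's default `SRC/YYYY-MM-DD/conn.*` layout (already copied locally, for instance with the sftp commands above) and that the destination is the mounted `/zeek/raw/data` directory; the function names and the constructed sample logs are hypothetical.

```shell
#!/bin/sh
# Added example, not Beacon Huntress code: stage Zeek conn logs into one
# directory per day and verify each file really is a connection log before
# Beacon Huntress reads it (it only works with Zeek Connection Logs).
# Assumptions: source tree uses Zeek's default layout SRC/YYYY-MM-DD/conn.*,
# already copied locally; DEST is the mounted /zeek/raw/data directory or a
# scratch directory when trying this out.

# is_conn_log FILE: succeed only if FILE carries Zeek's "#path conn" header
# (plain text or gzip-compressed rotated log).
is_conn_log() {
    case "$1" in
        *.gz) hdr=$(gzip -dc "$1" 2>/dev/null | head -n 8) ;;
        *)    hdr=$(head -n 8 "$1") ;;
    esac
    printf '%s\n' "$hdr" | grep -q '^#path[[:space:]]conn$'
}

# stage_conn_logs SRC DEST: copy SRC/YYYY-MM-DD/conn.* into DEST/YYYY-MM-DD/,
# skipping files that are not conn logs. Prints "<day> <staged> <skipped>".
stage_conn_logs() {
    src=$1; dest=$2
    for daydir in "$src"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        [ -d "$daydir" ] || continue
        day=$(basename "$daydir"); staged=0; skipped=0
        for f in "$daydir"/conn.*; do
            [ -f "$f" ] || continue
            if is_conn_log "$f"; then
                mkdir -p "$dest/$day" && cp "$f" "$dest/$day/"
                staged=$((staged + 1))
            else
                echo "skipping $f: not a Zeek conn log" >&2
                skipped=$((skipped + 1))
            fi
        done
        echo "$day $staged $skipped"
    done
}

# write_zeek_log FILE STREAM: write a minimal constructed Zeek TSV log whose
# "#path" is STREAM (sample data only, for trying the functions above offline).
write_zeek_log() {
    printf '#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n' > "$1"
    printf '#path\t%s\n#open\t2024-01-01-00-00-00\n' "$2" >> "$1"
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n' >> "$1"
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n' >> "$1"
    printf '1704067200.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\n' >> "$1"
}

# make_sample_tree ROOT: two constructed days; day one also holds a DNS log
# misnamed conn.* to show the header check rejecting it.
make_sample_tree() {
    mkdir -p "$1/2024-01-01" "$1/2024-01-02"
    write_zeek_log "$1/2024-01-01/conn.00:00:00-01:00:00.log" conn
    write_zeek_log "$1/2024-01-01/conn.misnamed.log" dns
    write_zeek_log "$1/2024-01-02/conn.00:00:00-01:00:00.log" conn
}

# Usage on real data (hypothetical paths):
#   stage_conn_logs /path/to/zeek/logs /zeek/raw/data
```

The header check is deliberately the only acceptance test: Zeek's file name tells you which stream a log was rotated from, but a rename or a mis-scoped copy can put anything under `conn.*`, and `#path` is what Zeek itself wrote.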
Create Elastic API
Elastic and Security Onion data sources can be accessed by using the Elastic API. In order to use these data sources you must set up an Elastic API Key.
Note
Elastic Indices must be Zeek Connection Logs. Beacon Huntress only works with Zeek Connection Logs.
- From the Elastic Management Console, navigate to "Security" then "API Keys".
- Click on the "Create API Key" button.
- Give the API key the name "bh_api" and restrict permissions according to your organization's security policies. Finally, click the "Create API Key" button.
- Copy the API key for Beacon Huntress usage.
Note
Once you leave the screen, the API key will not be retrievable. Best practice is to store the API key in a password safe.
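Both the Elastic and Security Onion dialogs above only load indices once Host, Port and API Key are all correct, and the key just created is shown once. As an added example (not part of the Beacon Huntress documentation or code), the following POSIX shell functions let you confirm the three values from the command line before entering them: one authenticates the key against Elastic's `/_security/_authenticate` endpoint and then lists the indices it can see via `/_cat/indices`, the other shows how the `ApiKey` header value is formed from a key id and secret (the "Encoded" value Kibana displays is already that base64 string). It assumes `curl` and `base64` are installed and that Elastic listens over HTTPS with a certificate the system trusts; the function names and the `'*'` index pattern default are hypothetical.

```shell
#!/bin/sh
# Added example, not Beacon Huntress code: test the Host, Port and API Key for
# an Elastic or Security Onion data source before entering them in the dialog,
# and list the indices the key can read.
# Assumptions: curl and base64 are installed; Elastic listens over HTTPS with a
# certificate the system trusts (add --cacert, or -k for a lab only, otherwise).

# es_apikey_header ID SECRET
# Elastic expects "Authorization: ApiKey <base64(id:secret)>". Kibana's
# "Encoded" field already holds that base64 value, so usually you pass it
# straight to es_check instead of calling this.
es_apikey_header() {
    printf 'ApiKey %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# es_check HOST PORT ENCODED_KEY [INDEX_PATTERN]
# 1. GET /_security/_authenticate confirms the key is accepted (401 = bad key).
# 2. GET /_cat/indices/<pattern> lists what the dialog's load button would show.
# The default pattern '*' is an assumption; narrow it to your Zeek conn indices.
es_check() {
    host=$1; port=$2; key=$3; pattern=${4:-*}
    if [ -z "$host" ] || [ -z "$port" ] || [ -z "$key" ]; then
        echo "usage: es_check HOST PORT ENCODED_KEY [INDEX_PATTERN]" >&2
        return 2
    fi
    base="https://$host:$port"
    status=$(curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: ApiKey $key" "$base/_security/_authenticate") || status=000
    case "$status" in
        200) ;;
        401) echo "API key rejected by $base (401)" >&2; return 1 ;;
        000) echo "could not connect to $base (check Host, Port and TLS)" >&2; return 1 ;;
        *)   echo "unexpected HTTP $status from $base" >&2; return 1 ;;
    esac
    curl -s -H "Authorization: ApiKey $key" \
        "$base/_cat/indices/$pattern?h=index,docs.count&s=index"
}

# Usage (hypothetical host and pattern; 9200 is Elastic's default port):
#   es_check es.example.internal 9200 "$ENCODED_KEY" '*zeek*'
```

Run it with the same key you are about to paste into the dialog: a 401 means the key itself is wrong or has been invalidated, a connection failure points at Host, Port or TLS, and an empty index listing means the key's restricted permissions do not cover the Zeek conn indices, which is exactly what the dialog's load button would show as nothing to select.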