AWS Open Source Blog
Use Open Distro for Elasticsearch to Alert on Security Events
Open Distro for Elasticsearch’s Security plugin ships with the capability to create an audit log that tracks access to your cluster. It records various types of audit events, such as successful authentications and failed logins. In a prior post, we covered the basics of setting an alert in Open Distro for Elasticsearch. In this post, we couple the Security plugin with the Alerting plugin to alert on failed login attempts. You can expand this pattern to get notified whenever there are potentially malicious attempts to access your Elasticsearch cluster.
Set Up Your Monitor
Audit logging is enabled by setting opendistro_security.audit.type: internal_elasticsearch in your elasticsearch.yml file. Our Docker and rpm distributions enable this setting by default.
Open your Kibana dashboard, go to the Alerting tab, and click on Create Monitor. Give the monitor a name and the Schedule of when you want it to run. I named my monitor Audit Unauthorized Access Events, and set it to run Every 1 minute.
On the same page, scroll down to the Define Monitor section; this is where you define which index you want to monitor and an extraction condition for the data you will use to set a trigger for alerts. Set the index to security-auditlog-*, the index pattern the Security plugin writes its audit logs to. Define the monitor condition as WHEN count() OVER all documents FOR THE LAST 5 minute(s). Click on the Create button at the bottom to create your monitor.
You can also define the monitor using an extraction query. For example, if you just want to monitor failed login attempts in the last 5 minutes, the extraction query might look like the following (the sort clause only affects the documents returned in the results and is not needed if the trigger only looks at the hit count):
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "audit_category": {
              "query": "FAILED_LOGIN"
            }
          }
        },
        {
          "range": {
            "audit_utc_timestamp": {
              "gte": "now-5m"
            }
          }
        }
      ]
    }
  },
  "sort": [
    {
      "audit_utc_timestamp": {
        "order": "desc"
      }
    }
  ]
}
Set Up Your Trigger
Next, you need to create a trigger for this monitor. A trigger allows you to perform an action when the trigger’s condition on the monitor is met. I’ll create a trigger which sends an alert when my monitor query returns matching results. Set the Trigger name to Unauthorized Access Events on ES Cluster, Severity level to 1, and Trigger condition to Above 1. Note that Above N compiles to the Painless expression ctx.results[0].hits.total.value > N, so Above 1 fires only when more than one document matches; if you want a single failed login to raise an alert, set the condition to Above 0 instead:
Scroll down and add an action for this trigger. I’ve configured an Amazon Chime room notification. Set the Action name to Notify OnCall, the Destination name to Chime, the Message subject to Unauthorized Access Events on ES Cluster, and add a descriptive Message. I copied my message from our documentation:
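The monitor and trigger configured through the Kibana UI above can also be expressed as a single monitor definition for the Alerting plugin’s REST API (POST _opendistro/_alerting/monitors). The following Python is an added example written for this post, not code from the Open Distro project: it builds that definition around the FAILED_LOGIN extraction query, uses a >= threshold so the parameter reads as "at least this many failed logins", and applies the same filters offline to a handful of constructed audit records so you can check what the monitor would count without a running cluster. The destination ID, the sample documents and the helper function names are assumptions made for the example; the mustache message variables are the ones used in the Alerting documentation’s default message.

```python
"""Build an Open Distro Alerting monitor for FAILED_LOGIN audit events and
check its trigger logic offline against constructed sample audit records.
Added example for this post; not part of the Open Distro code base."""
import json
from datetime import datetime, timedelta, timezone

AUDIT_INDEX = "security-auditlog-*"  # index pattern the Security plugin writes audit logs to


def failed_login_query(window_minutes=5):
    """The extraction query from the post: FAILED_LOGIN events in the last N minutes.
    size 0 because the trigger only needs hits.total, not the documents themselves."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "must": [
                    {"match": {"audit_category": {"query": "FAILED_LOGIN"}}},
                    {"range": {"audit_utc_timestamp": {"gte": f"now-{window_minutes}m"}}},
                ]
            }
        },
    }


def build_monitor(destination_id, window_minutes=5, min_failed_logins=1, interval_minutes=1):
    """Return the request body for POST _opendistro/_alerting/monitors.

    The Kibana UI's 'Above N' condition compiles to 'hits.total.value > N', so
    'Above 1' needs two matching documents. This helper emits '>=' so that
    min_failed_logins means exactly what it says."""
    condition = f"ctx.results[0].hits.total.value >= {min_failed_logins}"
    return {
        "type": "monitor",
        "name": "Audit Unauthorized Access Events",
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [AUDIT_INDEX], "query": failed_login_query(window_minutes)}}],
        "triggers": [{
            "name": "Unauthorized Access Events on ES Cluster",
            "severity": "1",
            "condition": {"script": {"source": condition, "lang": "painless"}},
            "actions": [{
                "name": "Notify OnCall",
                "destination_id": destination_id,  # ID of a pre-created destination (e.g. a Chime room)
                "subject_template": {"source": "Unauthorized Access Events on ES Cluster", "lang": "mustache"},
                "message_template": {
                    "source": "Monitor {{ctx.monitor.name}} just entered alert status. "
                              "Trigger: {{ctx.trigger.name}} - Severity: {{ctx.trigger.severity}} - "
                              "Period start: {{ctx.periodStart}} - Period end: {{ctx.periodEnd}}",
                    "lang": "mustache",
                },
            }],
        }],
    }


def trigger_fires(search_response, min_failed_logins=1):
    """Evaluate the trigger condition in Python the same way the Painless script does."""
    return search_response["hits"]["total"]["value"] >= min_failed_logins


def count_recent_failed_logins(docs, now, window_minutes=5):
    """Apply the extraction query's two filters to in-memory audit documents."""
    cutoff = now - timedelta(minutes=window_minutes)
    return sum(
        1 for d in docs
        if d["audit_category"] == "FAILED_LOGIN"
        and datetime.fromisoformat(d["audit_utc_timestamp"]) >= cutoff
    )


# Constructed sample records (field names follow the Security plugin's audit log schema).
NOW = datetime(2019, 5, 14, 10, 5, 0, tzinfo=timezone.utc)
SAMPLE_AUDIT_DOCS = [
    {"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "admin",
     "audit_request_remote_address": "10.0.0.7", "audit_utc_timestamp": "2019-05-14T10:03:12+00:00"},
    {"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "admin",
     "audit_request_remote_address": "10.0.0.7", "audit_utc_timestamp": "2019-05-14T10:04:40+00:00"},
    {"audit_category": "AUTHENTICATED", "audit_request_effective_user": "kibanaserver",
     "audit_request_remote_address": "10.0.0.5", "audit_utc_timestamp": "2019-05-14T10:04:45+00:00"},
    {"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "readall",
     "audit_request_remote_address": "10.0.0.9", "audit_utc_timestamp": "2019-05-14T09:50:00+00:00"},
]

if __name__ == "__main__":
    print(json.dumps(build_monitor("REPLACE_WITH_DESTINATION_ID"), indent=2))
    print("failed logins in last 5 min:", count_recent_failed_logins(SAMPLE_AUDIT_DOCS, NOW))
```

Post the printed body to _opendistro/_alerting/monitors with the ID of a destination you created beforehand; the offline counter is handy for replaying exported audit records when tuning the window or the threshold.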
This is how the monitor dashboard looks once everything is created:
The green bar shows that there were no triggers in the recent past. You can trip the trigger and generate an alert by logging out of Kibana and logging in with bad credentials to produce a failed login attempt. Log back in again (with your real credentials) and you’ll see something like this (note the red in the bar at the corresponding timestamp):
You will also get an “Unauthorized Access Event” notification like this:
Conclusion
In this post, we explored alerting on failed logins. The Security plugin supports many more auditing categories. You can write complex extraction queries to alert on specific use cases such as repeated attempts to access a particular index.
You can also control which events audit logging records by enabling or disabling specific categories in your elasticsearch.yml. You can find the list of those settings in Audit Logs – Open Distro for Elasticsearch Documentation.
Audit logging is useful in maintaining compliance and in the aftermath of a security breach. When used with Alerting, it can help you proactively defend your cluster.
Have an issue or question? Want to contribute? You can get help and discuss Open Distro for Elasticsearch on our forums. You can file issues here.