RedELK – Essential Naming Requirements For Deployment

In the complex landscape of RedELK deployment, adhering to precise naming requirements is crucial for operational success.

This article delves into the essential naming conventions necessary for a smoothly functioning RedELK setup.

From FilebeatID to Redirector configurations, understand the specifics that ensure your cybersecurity infrastructure is effective and efficient.

For a properly working RedELK setup it is required to pay attention to the following requirements.

Name	Description	Specifics to pay attention to
FilebeatID	Name given to the host by Filebeat.	The name is given during running the `install-redir.sh` or `install-c2server.sh` scripts. For the c2 servers: have the identifier match the name in the `mounts/redelk-config/etc/cron.d/redelk` and the name passed to `install-c2server.sh` script If entered incorrectly during installation, background scripts will fail and implant log files, screenshots and keystrokes will not be accessible via RedELK interface. You can change it in the `/etc/filebeat/filebeat.yml` config file on the specific host or in `mounts/redelk-config/etc/cron.d/redelk` on the RedELK server
attackscenario	Name of the attack scenario this infra component belongs to.	An infra component can only belong to a single attackscenario. In case of TIBER or the likes this will likely be something like scenario1, scenario2 and scenarioX. Could also be more descriptive, e.g. ransomware, fingain, or your internally used code name. Name needs to be the same for all other components in the same scenario; it is an important way for filtering within the Kibana interface. The name is given during running the `install-redir.sh` or `install-c2server.sh` scripts. If entered incorrectly during installation, you can change it in the `/etc/filebeat/filebeat.yml` config file on the specific host.
Redirector backend	Name given in the config of the redirector application (Apache, HAProxxy, etc) for the backend.	Must start with `c2` or `decoy` Use a descriptive name, e.g. decoy-phishrun1 or c2-https. Stock Kibana views and dashboards expect the naming standard. Some alarms are hardcoded triggered for these `c2`* names
Redirector frontend	Name given in the config of the redirector application (Apache, HAProxxy, etc) for the frontend.	Let it be descriptive for you as you will use this in the RedELK interface to understand where traffic was coming in. Better not use spaces in the name.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.