In the complex landscape of RedELK deployment, adhering to precise naming requirements is crucial for operational success.
This article delves into the essential naming conventions necessary for a smoothly functioning RedELK setup.
From FilebeatID to Redirector configurations, understand the specifics that ensure your cybersecurity infrastructure is effective and efficient.
For a properly working RedELK setup it is required to pay attention to the following requirements.
| Name | Description | Specifics to pay attention to |
|---|---|---|
| FilebeatID | Name given to the host by Filebeat. | The name is given during running the install-redir.sh or install-c2server.sh scripts.For the c2 servers: have the identifier match the name in the mounts/redelk-config/etc/cron.d/redelk and the name passed to install-c2server.sh scriptIf entered incorrectly during installation, background scripts will fail and implant log files, screenshots and keystrokes will not be accessible via RedELK interface. You can change it in the /etc/filebeat/filebeat.yml config file on the specific host or in mounts/redelk-config/etc/cron.d/redelk on the RedELK server |
| attackscenario | Name of the attack scenario this infra component belongs to. | An infra component can only belong to a single attackscenario. In case of TIBER or the likes this will likely be something like scenario1, scenario2 and scenarioX. Could also be more descriptive, e.g. ransomware, fingain, or your internally used code name. Name needs to be the same for all other components in the same scenario; it is an important way for filtering within the Kibana interface. The name is given during running the install-redir.sh or install-c2server.sh scripts. If entered incorrectly during installation, you can change it in the /etc/filebeat/filebeat.yml config file on the specific host. |
| Redirector backend | Name given in the config of the redirector application (Apache, HAProxxy, etc) for the backend. | Must start with c2 or decoyUse a descriptive name, e.g. decoy-phishrun1 or c2-https. Stock Kibana views and dashboards expect the naming standard. Some alarms are hardcoded triggered for these c2* names |
| Redirector frontend | Name given in the config of the redirector application (Apache, HAProxxy, etc) for the frontend. | Let it be descriptive for you as you will use this in the RedELK interface to understand where traffic was coming in. Better not use spaces in the name. |
This repo contains all variants of information security & Bug bounty & Penetration Testing write-up…
site:*/sign-in site:*/account/login site:*/forum/ucp.php?mode=login inurl:memberlist.php?mode=viewprofile intitle:"EdgeOS" intext:"Please login" inurl:user_login.php intitle:"Web Management Login" site:*/users/login_form site:*/access/unauthenticated site:account.*.*/login site:admin.*.com/signin/…
Matrix is an open network for secure and decentralized communication. Users from every Matrix homeserver…
Linux Security And Monitoring Scripts are a collection of security and monitoring scripts you can…
A fiber is a unit of execution that must be manually scheduled by the application…
XSS Exploitation Tool is a penetration testing tool that focuses on the exploit of Cross-Site…