Endgame Integration

[welch27330]

I followed the docs and I still am not able to see alerts or data from Endgame. I verified that the data is being sent and received via tcpdump but no luck. Any assistance will be greatly appreciated.

[dougburks]

How is your Security Onion installation configured (eval, standalone, distributed)?

[welch27330]

It is a distributed deployment. Jonathan

…

________________________________ From: Doug Burks ***@***.***> Sent: Friday, February 18, 2022 7:03:14 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: binary-one ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Endgame Integration (Discussion #7234) How is your Security Onion installation configured (eval, standalone, distributed)? — Reply to this email directly, view it on GitHub<#7234 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADSDDIPHPJZDUB5ZRLPOT7LU32CWFANCNFSM5OVTGDXA>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[dougburks]

Which node are you sending Endgame logs to?

[welch27330]

I am sending them to my Master node. Jonathan

…

________________________________ From: Doug Burks ***@***.***> Sent: Tuesday, February 22, 2022 1:26:13 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: binary-one ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Endgame Integration (Discussion #7234) Which node are you sending Endgame logs to? — Reply to this email directly, view it on GitHub<#7234 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADSDDIMDBG3IPM26NT2BGIDU4N6GLANCNFSM5OVTGDXA>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[dougburks]

Is Endgame correctly trusting the Security Onion certificate?

Does Endgame show any errors or provide any additional clues?

[welch27330]

The certificate is trusted and it shows a good connection. I can see the data coming across the interface on my master with tcpdump from the endgame server.

[dougburks]

Have you checked /opt/so/log for additional clues?

[welch27330]

Checked the logs, nothing relevant or I'm not looking in the right place

[dougburks]

From https://docs.securityonion.net/en/2.3/endgame.html#configuration, did you use the During Security Onion Setup option or the Post-Installation Setup option? If post-installation, did you replace $smpip with the actual IP address? Have you verified that the firewall rules are correct?

[welch27330]

I used the Post example and ensured that the FW rules are correct as well I verified the IP address.

[welch27330]

the traffic is for sure hitting the interface on the master

[weslambert]

Try checking the pipeline on the manger to ensure events are hitting the Logstash HTTP input for Endgame events (check the out value):

sudo so-logstash-pipeline-stats manager | grep -A5 -B5 endgame

If events are hitting the external interface, but aren’t hitting the input, it could be an issue with the local firewall rules with respect to the Docker interface, or particular iptables chains, etc.

Thanks,
Wes

[welch27330]

Wes, you called it, now what do I do? It's not hitting the pipeline

[weslambert]

What is the output of the following from the manger, redacting IPs as necessary?

sudo iptables -nvL | grep 3765

[welch27330]

0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.19 tcp dpt:3765
237k 2500M ACCPEPT tcp * * </IP ADDRESS Endgame/> 0.0.0.0/0 tcp dpt:3756

[weslambert]

Did you perform pre or post-setup configuration?

You'll want to compare the rules to something like that of Beats (5044).

For example:

    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.29          tcp dpt:5044
    0     0 ACCEPT     tcp  --  *      *       192.168.6.10          0.0.0.0/0            tcp dpt:5044
    0     0 ACCEPT     tcp  --  *      *       192.168.6.100         0.0.0.0/0            tcp dpt:5044
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:5044

I would double-check your SO firewall configuration with:

sudo so-firewall includedhosts endgame

If you don't see your SMP address, you can include it in the host group with:

sudo so-firewall includehost endgame $smpip

[welch27330]

I performed the post installation configuration steps as described in the guide.

[btdewey]

We just ran into this in a distributed deployment. The index filter is Endgame-* which won't search any additional search nodes and the endgame data is likely on a search node. We created a new index filter of *:Endgame-* and then manually modified the visualizations.

We found that data was getting into the system properly, but it was just the visualizations that were not working. Checking indexes and pipeline data on the master node did not return good value. Had to look at the search node before the indexes showed up.

[btdewey]

Just now realized that the index pattern on the endgame documentation page shows the correct on. I thought we were on 2.3.110, but now I need to verify that since that index pattern should have been correct.