DShield SIEM Docker Updates, (Wed, Sep 10th)
The author describes the latest updates to the DShield SIEM and webhoneypot sensor, including ELK component upgrades, interface refinements, new analysis tools (CyberChef and the MITRE ATT&CK Navigator) and improved monitoring. 2025-9-11 00:26:25 Author: isc.sans.edu

Since the last update [5], I have added several enhancements over the past few months to DShield SIEM and the webhoneypot sensor collection, including an interface update to help with DShield sensor analysis. The main dashboard now lists all the main analytic tools on the left for quick access to every sub-dashboard.

ELK Update

  • Removed the use of TCP 5601 from the interface; it is now reached at https://IP
  • Updated all Elastic packages to version 8.19.3
  • Updated the webhoneypot logstash parser based on Mark's update
  • Updated the DShield - Web Analytic page to reflect new content
  • ELK monitoring with Metricbeat
  • 2 Threat Intel feeds (run from the ELK server via cronjob)
  • Inclusion of ISC web activity detection rules
  • Updated cowrie and docker troubleshooting pages [2][3]
  • List of previous SANS.edu BACS internship students' scripts [4]

I tested and added two additional applications to the Kibana DShield Main Page Activity to help with analysis. They are installed via docker when DShield-SIEM is installed or updated to the current version:

Analysis Tools

  • CyberChef
  • Mitre ATT&CK - Attack Navigator

How to upgrade to the current version?

  • cd DShield-SIEM
  • sudo docker compose stop
  • git pull --autostash
  • sudo docker compose rm -f -v
  • sudo docker compose up --build -d

Load new templates into Kibana:

  • sudo docker exec -ti filebeat bash
  • ./filebeat setup -e 
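
The upgrade and template-loading steps above can be wrapped in a script that refuses to stash local edits, checks that the checkout really pins the Elastic release this update moved to, and confirms that no container exited after the rebuild. This is an added example, not part of the DShield-SIEM project; it assumes the repository is checked out in ./DShield-SIEM, that its .env carries a STACK_VERSION key (an assumption about the project layout), and that the filebeat service is named "filebeat" as in the steps above.

```shell
#!/usr/bin/env bash
# Added example wrapping the diary's upgrade steps (not project code).
set -eu

EXPECTED_STACK="8.19.3"   # the release all Elastic packages moved to

# Read STACK_VERSION from .env text on stdin (assumed key); prints "" if absent.
stack_version_from_env() {
  sed -n 's/^STACK_VERSION=//p' | tr -d '"[:space:]' | head -n 1
}

# Read "<service> <state>" lines on stdin (as printed by
# `docker compose ps --format '{{.Service}} {{.State}}'`); return 0 only
# when every service is "running", otherwise list the offenders on stderr.
all_services_running() {
  bad=$(awk 'NF >= 2 && $2 != "running" { print $1 }')
  if [ -n "$bad" ]; then
    printf 'not running: %s\n' "$bad" >&2
    return 1
  fi
  return 0
}

upgrade_dshield_siem() {
  cd DShield-SIEM
  # --autostash would silently stash local edits; stop and let the operator look.
  if ! git diff --quiet; then
    echo "uncommitted changes present; review them before upgrading" >&2
    return 1
  fi
  sudo docker compose stop
  git pull --autostash
  sudo docker compose rm -f -v
  sudo docker compose up --build -d
  # Verify the pulled checkout pins the expected Elastic release.
  got=$(stack_version_from_env < .env)
  if [ "$got" != "$EXPECTED_STACK" ]; then
    echo "STACK_VERSION is '$got', expected $EXPECTED_STACK" >&2
    return 1
  fi
  # Give the stack a moment to start, then fail if any container exited.
  sleep 30
  sudo docker compose ps --format '{{.Service}} {{.State}}' | all_services_running
  # Load the new Kibana templates and dashboards shipped with this release.
  sudo docker exec filebeat ./filebeat setup -e
}

if [ "${1:-}" = "run" ]; then
  upgrade_dshield_siem
fi
```

Run it as `./upgrade.sh run`; without the argument only the helper functions are defined.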

[1] https://github.com/bruneaug/DShield-SIEM/blob/main/README.md
[2] https://github.com/bruneaug/DShield-SIEM/blob/main/Troubleshooting/docker_useful_commands..md
[3] https://github.com/bruneaug/DShield-SIEM/blob/main/Troubleshooting/Troubleshooting_SIEM_and_Sensor.md
[4] https://github.com/bruneaug/DShield-SIEM/blob/main/README.md#dshield-analysis-scripts-and-code-by-students
[5] https://isc.sans.edu/diary/DShield+SIEM+Docker+Updates/31680
[6] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Source: https://isc.sans.edu/diary/rss/32276