Blue team detection
TBC
To detect blue team activity, RedELK uses:
- the data stored in Elasticsearch
- online services that expose information a blue team may have put there because of poor OPSEC.
RedELK supports the following alarms out of the box. You can enable/disable them in the main config file (mounts/redelk-config/etc/redelk/config.json).
Checks if the hashes of your uploaded files are found at online security providers like VirusTotal, IBM X-Force and/or Hybrid Analysis. This requires configuration, i.e. API keys. See alarm_filehash in the config file.
Checks if there is rogue traffic to your C2. This is determined by comparing the IP addresses that access redirector backends named c2* against the IP addresses configured in the iplist_* files.
Checks if there are rogue user-agents in your C2 traffic. This is determined based on the User-Agents that are listed in the config file blacklist_useragents.conf and that access redirector backends named c2*.
This alarm exists to give you flexibility. It raises an alarm on any traffic going to redirector backends with alarm in their name. This way you can apply your own logic on your redirector and still receive alarms via RedELK.
Not an automatic check, but it can help answer whether traffic is specifically destined for you or not. RedELK enriches redirtraffic data with information from Greynoise. Roughly speaking, if an IP address is known to Greynoise, you can assume it is part of the background noise of the Internet, e.g. one of the many scanners. So if such a system is hitting your infra, it is probably not a targeted blue team investigation. However, if an IP address that is not known to Greynoise is scanning your infra, it is more likely a targeted investigation.
Not an automatic check, but it can help with analysing whether your infra is under investigation. RedELK enriches redirtraffic data with knowledge of known Tor exit nodes. If an IP address is a Tor exit node, a tag is set. If you are being scanned from a Tor node, it is likely that a blue team is doing some "covert" investigation.
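The rogue-IP, rogue-user-agent and custom alarm-backend checks, together with the Greynoise and Tor enrichment tags, can be modelled as a small rule pass over redirector traffic records. The following is an added example and not RedELK's own code: the record field names (src_ip, backend, user_agent), the tag names, the in-memory stand-ins for the iplist_* files, blacklist_useragents.conf, the Greynoise lookup and the Tor exit list, and the rule that any address outside the known lists hitting a c2* backend counts as rogue are all assumptions made for illustration.

```python
# Added example modelling the alarm and enrichment rules described above.
# Not RedELK's code; field names, tag names and list semantics are assumptions.
import fnmatch
import ipaddress
from typing import Dict, List

# Constructed stand-ins for the iplist_* files: addresses the red team already
# knows about (operators, customer ranges). Entries may be single IPs or CIDRs.
KNOWN_IPS: Dict[str, List[str]] = {
    "iplist_redteam": ["203.0.113.10", "203.0.113.11"],
    "iplist_customer": ["198.51.100.0/24"],
}

# Constructed stand-in for blacklist_useragents.conf (one glob pattern per line).
BLACKLIST_USERAGENTS = ["curl/*", "python-requests/*", "*Nmap*"]

# Constructed enrichment sources; RedELK queries Greynoise and a Tor exit list.
GREYNOISE_KNOWN = {"192.0.2.50"}
TOR_EXITS = {"192.0.2.77"}


def ip_in_lists(ip: str, lists: Dict[str, List[str]]) -> bool:
    """True if ip matches any entry (IP or CIDR) in any of the iplist_* stand-ins."""
    addr = ipaddress.ip_address(ip)
    for entries in lists.values():
        for entry in entries:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
    return False


def enrich(record: dict) -> dict:
    """Add enrichment tags (assumed names) without deciding anything about the traffic."""
    tags = set(record.get("tags", []))
    if record["src_ip"] in GREYNOISE_KNOWN:
        tags.add("enrich_greynoise")   # background Internet noise, probably not targeted
    if record["src_ip"] in TOR_EXITS:
        tags.add("enrich_tor")         # Tor exit node, possible covert investigation
    return {**record, "tags": sorted(tags)}


def alarms_for(record: dict) -> List[str]:
    """Return the alarm names (assumed) that fire for one redirector record."""
    hits: List[str] = []
    backend = record["backend"]
    ua = record.get("user_agent", "")
    to_c2 = backend.startswith("c2")
    # Rogue IP: traffic to a c2* backend from an address not in any iplist_* file.
    if to_c2 and not ip_in_lists(record["src_ip"], KNOWN_IPS):
        hits.append("rogue_ip")
    # Rogue user-agent: traffic to a c2* backend with a blacklisted User-Agent.
    if to_c2 and any(fnmatch.fnmatchcase(ua, pat) for pat in BLACKLIST_USERAGENTS):
        hits.append("rogue_useragent")
    # Custom logic: any backend with "alarm" in its name raises an alarm by itself.
    if "alarm" in backend:
        hits.append("custom_backend")
    return hits


def triage(records: List[dict]) -> List[dict]:
    """Enrich each record, then attach the list of alarms that fire for it."""
    out = []
    for rec in records:
        enriched = enrich(rec)
        out.append({**enriched, "alarms": alarms_for(enriched)})
    return out


# Constructed redirector records (Elasticsearch redirtraffic documents, simplified).
RECORDS = [
    {"src_ip": "203.0.113.10", "backend": "c2-http", "user_agent": "Mozilla/5.0"},   # operator
    {"src_ip": "192.0.2.50", "backend": "c2-http", "user_agent": "Mozilla/5.0"},     # unknown, Greynoise-known
    {"src_ip": "198.51.100.23", "backend": "c2-http", "user_agent": "curl/8.1.2"},   # customer IP, bad UA
    {"src_ip": "192.0.2.77", "backend": "decoy-alarm", "user_agent": "Mozilla/5.0"}, # Tor exit, alarm backend
    {"src_ip": "192.0.2.9", "backend": "www", "user_agent": "Mozilla/5.0"},          # decoy site, nothing
]

if __name__ == "__main__":
    for row in triage(RECORDS):
        print(row["src_ip"], row["backend"], row["tags"], row["alarms"])
```

The enrichment step deliberately only tags; the Greynoise and Tor tags are context for an analyst, while the alarm rules decide on their own. Replacing the in-memory sets with the real iplist_* files, blacklist file and API lookups is the only change needed to run this over exported redirtraffic data.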