Skip to content
This repository has been archived by the owner on Jul 13, 2023. It is now read-only.

Install

9ian1i edited this page Oct 31, 2019 · 9 revisions

Install WatchAD

WatchAD was a 360 internal system, so many related storage services use the private cloud inside 360. The following are suggested configuration methods, and they may be wrong or unreasonable. If there is any problem, please submit a issue, I will solve it in time.

Install dependencies

Local test environment

WatchAD requires some data storage services. It is recommended to use the Docker script already configured in the project. Execute the following commands in the project root directory:

docker-compose up

Rabbitmq, Logstash, ElasticSearch, Redis, MongoDB will be launched locally.

Because all storage-related services are installed locally, the default configuration is a simplified version of the architecture, and the project's architecture will use the following image:

Architecture_lite

Python Dependencies

Execute in the project root directory:

Pip3 install -r requirements.txt

Enable auditing

The basis of our analysis is all event logs of all domain controllers, so we first need to enable the security audit option on the domain controller to record all types of event logs. Take windows server 2008 R2 as an example. In the Local Security Policy -> Security Settings -> Local Policies -> Audit Policy, enable all auditing options:

open_audit

Install winlogbeat

First, open the configuration file {project_home}/settings/winlogbeat/winlogbeat.yml provided by us, and modify the hosts field of output.logstash to the IP and port of the Logstash you installed (default 5044), assuming you install The IP of Logstash is 10.10.10.10, and the configuration file is:

Winlogbeat.event_logs:
  - name: Security
  Ignore_older: 1h

Output.logstash:
  Hosts: ["10.10.10.10:5044"]

Download winlogbeat, the recommended version is 6.2, other versions of ES may have incompatibilities.

After decompressing, replace the original default configuration file winlogbeat.yml with the configuration file winlogbeat.yml you just modified.

Then follow the official website tutorial to install normally.

**Attention! The event log is not synchronized between domain controllers, so we must collect all event logs for all domain controllers, otherwise false positives and false negatives will occur. **

Initializing the engine

WatchAD uses python to automate some configurations:

Usage: WatchAD.py <options> [settings]

Options:
  -h, --help show this help message and exit
  --install Perform WatchAD to initialize the installation. Make sure that the complete environment is installed and configured before the second.
  -d DOMAIN, --domain=DOMAIN
                        A FQDN domain name of detection.
  -s SERVER, --ldap-server=SERVER
                        Server address for LDAP search. e.g: dc01.corp.com
  -u USERNAME, --domain-user=USERNAME
                        Username for LDAP search. e.g: CORP\peter
  -p PASSWORD, --domain-passwd=PASSWORD
                        Password for LDAP search.
  --check Check each database connection status, message queue status
  --start starts the detection engine
  --restart restart detection engine
  --stop Stop engine (delete existing message queues to prevent backlog caused by excessive data volume)
  --status View current engine status

Directly execute the installation command, such as:

Python3 WatchAD.py --install -d 360.cn -s dc01.360.cn -u admin -p password

Runtime Requirements

To start WatchAD normally, you need to meet the following requirements:

  1. All storage related dependencies are properly installed and configured
  2. Ability to access the LDAP server specified during installation
  3. The supervisor can be installed correctly.
  4. Install python3.6 correctly and have /usr/bin/python3 soft link

Start up

Python3 WatchAD.py --start

After starts up, the supervisor will be used to host the python process. The command line of WatchAD is simply a wrapper for the supervisor command. The startup of the engine is essentially the startup and shutdown of the supervisor task.

Production environment deployment

WatchAD relies on Rabbitmq, Logstash, ElasticSearch, Redis, and MongoDB. If you want to use existing storage services and MQ, please modify the {project_home}/settings/database_config.py configuration information, the configuration of the data pipeline Logstash. Refer to {project_home}/settings/logstash/logstash.conf and the configuration needs to be changed according to your environment.

Clone this wiki locally