Threats

Configuring Elasticsearch Authentication with LDAPS

LDAP (Lightweight Directory Access Protocol) is a popular method for centralizing user authentication and access control across an organization. Configuring Elasticsearch to use LDAP over a secure connection (LDAPS) adds an additional layer of security by encrypting communication between Elasticsearch and the LDAP server. This article provides a step-by-step guide to setting up LDAPS for […]

The post Configuring Elasticsearch Authentication with LDAPS appeared first on SOC Prime.

Get started with ISM (Index State Management)

To start with Index State Management, first of all, you need to set up policies. You can use Visual Editor or Dev-tools. If you choose Visual Editor, then do the following: In Index Management > State management policies, choose Create policy and click Continue. Inside the Create policy, you need to set the policy info: Policy ID, Description (optional), Set Error […]

HATVIBE and CHERRYSPY Malware Detection: Cyber-Espionage Campaign Conducted by TAG-110 aka UAC-0063 Targeting Organizations in Asia and Europe

For nearly three years since the full-scale war in Ukraine began, cyber defenders have reported a growing number of russia-aligned offensive operations targeting Ukrainian organizations to collect intelligence, with attacks increasingly expanding their geographical scope. The russia-backed hacking collective tracked as TAG-110 or UAC-0063 has been observed behind an ongoing cyber-espionage campaign against organizations in […]

Addressing read_only_allow_delete After Disk Space Issues

Occasionally, as Elasticsearch administrators we may encounter a situation where all indices are automatically set to read_only_allow_delete=true, preventing write operations. Usually, this occurs when the cluster runs out of available disk space. Let’s discuss why this happens, how to resolve it, and how to prevent it in the future. So, why do indices become read_only_allow_delete=true? […]

How to Check What Task is Stuck and Cancel it on Dev-tools

I had a problem with long-running stuck tasks. These tasks were stuck due to various reasons, such as resource constraints, bugs, or other issues. How I resolved it: I followed these steps: 1) You need to identify the stuck tasks by using the command below. When you use the above command, you will get lists of […]

Handling the Dynamic Pruning Failure in Cardinality Aggregations in Elasticsearch

When working with Elasticsearch, you may encounter the following error during complex queries involving cardinality aggregations: This error typically occurs when Elasticsearch’s dynamic pruning mechanism, designed to optimize aggregation queries, struggles to handle high cardinality (i.e., a large number of unique terms or values). Let’s dive into what this means and how to resolve it. […]

OpenSearch Alert Monitoring: High CPU Usage Example

The OpenSearch alerting feature sends notifications when data from one or more indices meets certain customizable conditions. Use cases include monitoring for HTTP status code 503, detecting CPU load averages above a specific threshold, or tracking the count of specific keywords in logs over defined intervals. Notifications can be configured to be sent via email, Slack, […]

How to Retrieve and Restore Snapshots from S3 Repository in OpenSearch

Step 1: List Available Snapshots First, you need to list the snapshots available in your S3 repository. You can do this by running the following query: This will return a list of all snapshots in the my_s3_repository. The response will include details like the snapshot id, creation date, and state (e.g., success, partial). Step 2: […]

Creating Snapshot Management Policies with Keystore Integration and Slack Notification Setup

Step 1: Add AWS Credentials to the Keystore. To securely store your AWS credentials, use the OpenSearch keystore. Add your AWS credentials to the OpenSearch keystore with the following commands:

./bin/opensearch-keystore add s3.client.default.access_key
./bin/opensearch-keystore add s3.client.default.secret_key

Enter your AWS access_key and secret_key when prompted. OpenSearch will use these stored credentials for S3 interactions. Step 2: […]
