| title | datePublished | cuid | slug | cover | tags |
|---|---|---|---|---|---|
Siem Lab : 1 |
Tue Mar 05 2024 15:30:23 GMT+0000 (Coordinated Universal Time) |
cltej12vr000209ju0w072lp6 |
siem-lab-1 |
security, homelab, siem |
For this SIEM lab I will be using Elastic lab for my SIEM home lab, I plan on making more of these series at least twice a month so stay tuned. Halfway through I noticed that I couldn't really use images so all the images would be on my Github repo created for this series.
To create a SIEM home lab on Elastic lab, you'd first need to have an account so go over to Elastic, here you would sign up, and register your account, on registration, you are given a 14 days free trial, alternatively you can opt to subscribe. Once you are done with the registration, you should get an email to verify login, once you do you would be allowed access for a 14 day period, by this time you should be prompted to the dashboard. On the dashboard you'd see a menu button for hosted deployments (side note, when I registered SIEM was already hosted, however if it isn't there's no need to fret, however if you have SIEM hosted, you can skip to Step 2).
Click on create deployment, now select ElasticSearch as the type of deployment
Choose a region and a deployment that fits your need, then click on Create Deployment
Wait for the configuration to be complete, after which select continue and proceed to step 2
In this step, we would be setting up our Linux distro and Virtual machine, head over to kali and select the image of your choice, then proceed to install disc (for this tutorial) I will be using Kali Linux, you can also use Kali purple as they have a lot of similarities.
Once your preferred image has been set to download, also head over to your preferred, I would be using Virtual box for this lab, however you can use anyone that is more convenient, so head over to VirtualBox.
Once you Virtual machine and you Linux distro has been downloaded, you'd want to install both of them.
To install your VirtualBox, simply select it from your downloaded folder, after which click on it, a pop up will show on your screen, after which it would need you to select some things, and once your done, you can click on finish.
Once your VirtualBox is ready to go, you can then mount your Kali Linux on your VirtualBox, to do this simply launch VirtualBox on your system.
Once Virtual box has been launched, click on add, then select your image from a folder, I recommend copying your installed image to a folder, then select the disk size you'd want to allocate for your Kali Linux I recommend not allocating more half of your CPU storage as you don't want to slow your system down.
Once that is done, you can then go ahead to graphically install it, at this point you'd be able to set up your country, your region, the disk you want to use, your username, password and some other things. Once this is done, you're done, you should then be able to sign into Kali Linux(feel free to check YouTube for a more visual step by step method of mounting Kali Linux).
You've made it this far, congrats.
Login into Elastic on your kali Linux browser, at this point, go back to dashboard and click on your deployment. Now you'd want to connect to an agent. Think of an agent as something ( could be a server, endpoint device ) that collects and sends data to a centralized system for analysis. In this case Elastic is your centralized system, your terminal on kali Linux is going to serve as your agent, and your terminal on kali Linux and a passcode you get from Elastic, would help us connect.
At the top right corner there should be a menu that allows us to see different options, now click on Add Integration. There you would see a lot of integrations, however we would be using Elastic Defend, so click on it and click on install elastic defend, then select the Linux option from there and proceed to copy the passcode and paste it in your terminal.
Once it is completed you should see a menu that the host is now listening. Now you'd want to test it out so feel free to do the following
Get your ip address using ifconfig
Then run a simple nmap scan on your ip address using sudo nmap insert ip -sS
Now we would want to pay a visit to logs, so we can query and analyze our log in SIEM. To do this simply open the menu option and search for logs under observability. Now in the search bar, enter process.arg : "sudo" or "nmap".
This will display all the logs of your scan at this point you can also feel free to view details of the log. You can also investigate your log.
It's all good and nice that we've seen logs and all, however we always visualize our logs, now this isn't for aesthetics, it's actually for easier real time monitoring and detection. Navigate to the menu again, under Analytics, click on Dashboard.
Click on Create Dashboard now click on create visualization.
Now this would allow us to create how we want to see our logs, feel free to play around with this part, however I would be going with Area, on the option where you see Bar vertical stacked, you'd want to click on it, under line and area you'd also want to click on Area.
Select Horizontal axis, then select Data histograms under functions and timestamp
This would enable us to see the time the event is happening. Now close that.
Select the Vertical axis, then select Count, this would show the frequency at which it events occur. Now you'd want to save and return.
Another things with SIEM is that it can be used for security detection. An alert happens when a rule has been flawed, this triggers a response that allows you to see what has happened.
On the menu, navigate to Security, under which, select Alerts, once on the Alerts dashboard, click on manage Alerts. Click on create new rule.
Now we'd want to define the rule by ourselves, and in this case the rule is "oh, I don't want any nmap scans on my endpoint, if there is any contact me", so essentially we are going to be customizing our query using the Custom Query option.
Select Custom Query
Look for a text box that says custom query, and input this command event.action: "nmap_scan"
Then click on continue, under the about rule, we'd want to describe the rule and set the risk score. A risk score shows how much of a risk something is, in this case we'd want to set our risk score to critical. Think of it this way, if the risk is low, it's like ohh kay this thing isn't much of a risk. If it is medium it's like this is a risk, we should look into it but you can take your time. If it is high, it's ohh please look into this ASAP. If it is critical, most times it could be a breach or something leading to a breach.
Then we'd want to schedule I'm just going to leave the default configurations.
Now the last thing is the rule action, since we want to be mailed, we can go ahead and select the mail action and input an email. Then under the response action, we'd also want a response so I'm going with Endpoint Security, then we'd want to create and enable our rule.
Now there are a whole lot of thing you can do with Elastic, that I haven't listed, feel free to go through it to learn more.
You should also check out this Article as the author also does a great job at Elastic SIEM lab.