SIEM stands for Security Information and Event Management. It's like a digital security guard for computer systems. It collects and analyzes data from various sources like logs and sensors to detect and respond to security threats and incidents in real-time. Think of it as a tool that helps organizations monitor, detect, and investigate potential security breaches or unusual activities within their networks.
You'll create a home lab using Elastic's web portal and a Kali Linux VM to learn Elastic SIEM. Generate security events on Kali, forward data to SIEM, and analyze logs for insights.
- Elasticsearch
- Elastic Defend
- Kali Linux VM
- VirtualBox or VMware
- Setup: You'll create a home lab environment using Elastic's web portal and a virtual machine (VM) running Kali Linux.
- Generating Security Events: On your Kali Linux VM, you'll simulate security events. This means creating situations that mimic real-world security threats, like attempted breaches or suspicious activities.
- Forwarding Data: You'll set up an agent on the Kali Linux VM to send the generated security event data to the Elastic SIEM. This is like installing a messenger to send the information securely to the SIEM platform.
- Query and Analysis: Once the data is in the SIEM, you'll use the Elastic web portal to query and analyze the logs. This involves asking specific questions about the data, like "show me all failed login attempts," and getting insights to understand potential security issues or patterns.
Step 1: Create an Elastic account for free - https://cloud.elastic.co/registration
Step 2: Create a deployment.
Step 3: After creating the deployment, download the Kali VM - https://www.kali.org/get-kali/#kali-platforms
Import the Kali VM files into your virtual machine software; the username and password are both kali.
If you face any difficulty, search YouTube for "how to setup kali vm on Virtual box".
Step 4: Install the agent on the Kali VM to collect logs -
Go to Elastic, click the three-line menu, then click "Add Integrations".
Step 5: Click on Elastic Defend
Step 6: Click on Add
Configure whatever name you want, then click "Save and continue".
Step 7: Click "Add Elastic Agent to your host".
Step 8: Copy the link (make sure your Kali VM is running in the background).
Step 9: Paste it into the Kali VM terminal and press Enter.
Step 10: After it installs successfully, check the agent with this command - "sudo systemctl status elastic-agent.service"
Step 11: Use Nmap on the Kali VM to generate security events for testing.
To install it, run the command - "sudo apt-get install nmap"
After that, run the two commands below.
Step 12: Now that we've sent data from the Kali VM to the SIEM, we can analyze and search through the logs in the SIEM to understand what's happening in our system.
Go to Elastic >>> three-line menu >>> Observability >>> Logs
Step 13: >> Enter a search query in the bar.
>> Click "Search".
>> Results appear below.
>> Click the three dots on an entry for more details.
Analyzing events helps understand security incidents.
Step 14: Use visualizations and dashboards to analyze logs for patterns or anomalies. For instance, create a dashboard showing security event counts over time.
Go to Elastic >> three-line menu >> Analytics >> Dashboard >> Create visualization
Step 15: Select "Area" as the chart type.
Step 16: Click the horizontal axis and select "Timestamp"; for the vertical axis select "Count".
Here "Count" is the number of events and "Timestamp" is the time axis, so the chart shows event counts over time.
Step 17: After that, save it.
Step 18: Create an alert (important)
>>> Go to Alerts
>>> Click 'Manage rules' in the top right corner.
>>> Click 'Create new rule'
>>> In the 'Define rule' section, click 'Custom query'
Step 19: Enter event.action:"nmap-scan" in the Custom query box.
In the "About rule" section, give your rule a name and description, such as "nmap detection",
and choose how serious the alert is, so you know which ones need immediate attention. Leave all other settings as they are, then click "Continue."
Step 20:
- After setting up the custom query, go to the "Actions" section.
- Choose what action you want to happen when the rule activates: send an email notification, create a Slack message, or trigger a custom webhook.
- Click the "Create and enable rule" button to set up the alert.
- Once the alert is created, it will monitor your logs for Nmap scan events.
- If an Nmap scan event is detected, the alert will be triggered and the action you selected will be executed.
- To manage your alerts, go to the "Alerts" section under "Security."
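As an added illustration (not part of the original lab and not Elastic's own code), the following Python mimics offline what Steps 13 to 20 do in the web portal: it runs the lab's query event.action:"nmap-scan" over constructed ECS-style sample events, buckets counts per minute the way the Area chart does, and emits one alert per match with the chosen severity. The sample events and the field names in them are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in ECS style; not real Elastic Agent output from the lab.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:05Z", "host": {"name": "kali"},
     "event": {"action": "nmap-scan"}, "process": {"command_line": "nmap -sS 10.0.0.5"}},
    {"@timestamp": "2024-05-01T10:00:40Z", "host": {"name": "kali"},
     "event": {"action": "nmap-scan"}, "process": {"command_line": "nmap -sV 10.0.0.5"}},
    {"@timestamp": "2024-05-01T10:01:10Z", "host": {"name": "kali"},
     "event": {"action": "process_started"}, "process": {"command_line": "bash"}},
    {"@timestamp": "2024-05-01T10:01:55Z", "host": {"name": "kali"},
     "event": {"action": "nmap-scan"}, "process": {"command_line": "nmap -p- 10.0.0.7"}},
    {"@timestamp": "2024-05-01T10:02:30Z", "host": {"name": "kali"},
     "event": {"action": "user_login"}, "user": {"name": "kali"}},
]

def get_field(event, dotted):
    """Walk a dotted ECS path such as 'event.action' through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def match_query(events, query):
    """Apply a single field:"value" term, the shape of query used in this lab."""
    field, _, value = query.partition(":")
    field, value = field.strip(), value.strip().strip('"')
    return [e for e in events if get_field(e, field) == value]

def counts_per_minute(events):
    """Same numbers as the Area chart: Timestamp (per-minute bucket) vs Count."""
    buckets = Counter()
    for e in events:
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        buckets[ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(sorted(buckets.items()))

def evaluate_rule(events, query='event.action:"nmap-scan"', severity="medium"):
    """Mimic the custom-query rule: one alert per matching event, with the chosen severity."""
    return [{"rule": "nmap detection", "severity": severity,
             "host": get_field(e, "host.name"), "timestamp": e["@timestamp"]}
            for e in match_query(events, query)]

if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS):
        print(alert)
```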
We built a home lab using Elastic SIEM and a Kali VM. We connected the Kali VM to the SIEM using the Elastic Agent to send data. Then, we created security events on the Kali VM using Nmap. We checked and studied these logs in the SIEM using the Elastic web interface. Additionally, we made a dashboard to display security events visually. Finally, we set up an alert to catch security events as they happen.