SIEM lab
Most SOC analyst positions want people who have experience with using a SIEM (Security Information and Event Manager). Although there are many different kinds of SIEMs out there, from what I understand they all work relatively the same. They gather data and send you alerts if something specific happens. I found this project on YouTube at https://www.youtube.com/watch?v=2XLzMb9oZBI&t=15s Gerald Augar. In the video he is following the notes form this article https://medium.com/@aali23/a-simple-elastic-siem-lab-6765159ee2b2 by Abdullahi Ali. I followed the notes as my guide and watched the video when I got stuck. However my project is a little different because I used Hyper-V instead of VirtualBox or VMware. So if that's what you're using, feel free to use my notes. At the end of this post, I talk a little bit about the problems I ran into and a few tips I have to make the experience a little better and a little easier.
Fill out the information and then click create deployment. Remember you can only have one free deployment at a time. Once your deployment is made, you’re ready for the next step.
The next step is to set up a Kali linux virtual machine. Go to https://www.kali.org/get-kali/#kali-installer-images. Click on installer.
This will start a download which takes a while.
Once downloaded, open Hyper-V manager. Click Quick Create. Click local installation source and then change installation source. Be sure to uncheck the box next to “This virtual machine will run windows”.
Select the Kali linux image download and create VM. Once the VM is created, right click on it and connect. You’ll then need to set up your Kali linux VM.
Create a hostname and a password. Make sure it is something easy to remember and consider writing it down so you don't forget. Other than that, following the prompts is pretty simple.
Next you need to set up an agent. Go back to your elastic account and click on your deployment, then click the hamburger menu in the top left corner. Then click “Add integrations".
In the search bar, type elastic defend and you should see an icon to click on that says elastic defend. Next, click on add elastic defend not he right hand side.
At the bottom of the page click install elastic agent.
The next page will give you instructions on how to install the agent on your computer. Select the right operating system (Linux Tar), then copy and paste the command into your command line and run the command on your Kali VM terminal. (Note, I had to open the website on my Kali machine because it wouldn’t let me copy and paste over the command). You will also have to give your sudo password.
This will take a minute to install. Once installed it will say “Elastic Agent had been successfully installed.”
At this point, Kali Linux should be sending data to the SIEM.
You can test to see if the Elastic agent is working by running sudo systemctl status elastic-agent.service in terminal.
Next, you need to create a security related event on the Kali Linux VM. To do this run the nmap command. Nmap comes preinstalled on Kali Linux. Do this by typing sudo nmap and then either the IP of your VM or localhost.
Note: Running other nmap commands is suggested such as “nmap -sS ”, “nmap -sT ”, “nmap -p- ”etc..” The more nmap commands you run, the more you will have to look at later.
Next, we want to set up a dashboard.
Click on the menu and under analytics, click on dashboard.
Click on create dashboard on the right hand side of the screen.
Then click on create visualization. Under the drop down menu (see photo below) select the visualization type. Choose either line or area. I went with area.
On the right hand side select metrics in the drop down menu under area.
Under horizontal axis change it to time stamp. You’ll have to select data histogram first when you click on it. Then change vertical axis to count. Then click save.
Next step is to create an alert. Click on the menu in the top left corner and under security select alerts.
Click on manage rules in the top right.
Under define rule, select custom query.
Then scroll down and type process.args: "nmap" into the custom query (the picture says something different, see the bottom of the article to find lessons learned).
Then click continue.
Give your rule a name and description under about rule, then give it a severity level. Leave schedule rule alone.
Under actions, you can choose what will happen if the event occurs, for example, an email will be sent to you. Then click create and enable rule.
Now you should get notified whenever nmap is run.
And there you have it. SIEM with alerts is all set up. Use the SIEM as much as you can before your trial is up.
Lessons learned:
I was having trouble getting the SIEM to stream live data. I had to go to type in agents into the search bar and click on "Fleet/Agents".
Once there I had to go into the policies to ensure that the agent and Elastic Defend were part of the same policy (As seen in the photo for "My first agency policy"). Once I did that, things started to run a lot smoother.
Another tip is not typing whatever you want into search bar and hitting enter during the stream. Type it out and options will appear in the drop down. I could not get it to work without using the options that appeared in the drop down. The same goes for using the alert system when creating a rule. I finally got it to work a day or two after I started and eventually got an email alert.
The notes and video were extremely helpful and if you get stuck on anything you should definitely check out both. Gerald Augar has a really cool YouTube channel as well, so check out some of his videos.
Overall, I am pretty excited about this project because it was my first time getting hands on with a SIEM. I was pretty satisfied when I finished troubleshooting the SIEM and everything started to run the way it should.
Comments
Post a Comment