Labs

Basic SIEM Home Lab Using Elastic Cloud

1. Create an Elastic account. Visit https://www.elastic.co and sign up for a free account using your email.

2. Open the Elastic Cloud console and sign in with the account you created.

3. Set up the Elastic Agent to collect logs. In the Elastic Cloud console, follow the instructions to download and install the Elastic Agent on the Ubuntu VM (the target host), so that its system and authentication logs are shipped to your deployment.

4. Generate attack activity. From the Parrot machine, run Metasploit against the Ubuntu VM to produce security-relevant events (for example, failed login attempts).

5. Query for security events in Elastic SIEM. In Kibana (the Elastic UI), open the Security (SIEM) app or the Discover page and query the indices the agent is writing to. Use filters and KQL queries to locate the events generated by your Metasploit activity, for example: event.outcome:"failure"

6. Create a dashboard to visualize the events. In Kibana, create visualizations (charts, tables, timelines) for the important fields (such as source IP, user name and event outcome), then assemble them into a dashboard to observe the events generated by the attack.

7. Enable a custom threshold alert. In Kibana go to Stack Management - Rules, then create (or edit) a rule that fires when the number of matching events crosses the threshold you set within a chosen time window.

8. Configure actions. Under Actions, click Add action, choose a connector such as email, and fill in the recipient and message details.

9. Test the alert by repeating step 4. An email notification should be received once the threshold is crossed.

10. Click View alert details to inspect the events that triggered the alert.
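To make the query (step 5), the per-source table (step 6) and the threshold rule (step 7) concrete, here is an added offline example that is not part of the original lab writeup or any Elastic code. It runs the same logic in plain Python over a handful of constructed events laid out in ECS fields (event.category, event.outcome, source.ip, user.name), which is the shape the Elastic Agent System integration uses for Linux SSH logins; the IP addresses, timestamps, user names and the 5-failures-in-5-minutes rule are all assumptions chosen for illustration.

```python
"""Offline model of the lab's detection logic: pick out failed authentication
events (what a Metasploit SSH brute force leaves behind) and apply a
threshold rule of the kind created in Kibana: N failures from one source.ip
inside a time window. Events below are constructed sample data, not output
captured from the lab.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalent Discover/KQL query for step 5 (field names assumed to follow ECS).
KQL_QUERY = 'event.category:"authentication" and event.outcome:"failure"'

# Assumed rule parameters: alert when one source.ip produces at least
# THRESHOLD failures inside any span WINDOW long.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def _event(ts, outcome, ip, user="root", category="authentication"):
    """Build one constructed ECS-style event document."""
    return {
        "@timestamp": ts,
        "event": {"category": [category], "outcome": outcome},
        "source": {"ip": ip},
        "user": {"name": user},
    }


# Constructed sample: 192.168.56.20 plays the Parrot box brute-forcing SSH;
# 192.168.56.1 is an admin who mistypes a password twice, minutes apart.
SAMPLE_EVENTS = [
    _event("2024-03-01T10:00:00Z", "failure", "192.168.56.20"),
    _event("2024-03-01T10:00:05Z", "failure", "192.168.56.20"),
    _event("2024-03-01T10:00:10Z", "failure", "192.168.56.20", "admin"),
    _event("2024-03-01T10:00:15Z", "failure", "192.168.56.20", "admin"),
    _event("2024-03-01T10:00:20Z", "failure", "192.168.56.20", "ubuntu"),
    _event("2024-03-01T10:00:25Z", "failure", "192.168.56.20", "ubuntu"),
    _event("2024-03-01T10:00:30Z", "success", "192.168.56.20", "ubuntu"),
    _event("2024-03-01T09:50:00Z", "failure", "192.168.56.1", "ron"),
    _event("2024-03-01T10:02:00Z", "failure", "192.168.56.1", "ron"),
    # A non-authentication failure that the category filter must drop.
    _event("2024-03-01T10:01:00Z", "failure", "192.168.56.20", "ubuntu", "process"),
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_logins(events):
    """Step 5 filter: authentication events whose outcome is 'failure'."""
    return [
        e for e in events
        if "authentication" in e["event"].get("category", [])
        and e["event"].get("outcome") == "failure"
    ]


def failures_by_source(events):
    """Step 6 table: failure count per source.ip, as a dashboard table would show."""
    counts = defaultdict(int)
    for e in failed_logins(events):
        counts[e["source"]["ip"]] += 1
    return dict(counts)


def threshold_hits(events, threshold=THRESHOLD, window=WINDOW):
    """Step 7 rule: sources with >= threshold failures in any sliding window.

    Returns {source.ip: peak count inside the window}. A sliding window is
    used so a burst straddling a fixed 5-minute boundary is still caught.
    """
    per_source = defaultdict(list)
    for e in failed_logins(events):
        per_source[e["source"]["ip"]].append(_parse_ts(e["@timestamp"]))

    hits = {}
    for ip, stamps in per_source.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    print("KQL:", KQL_QUERY)
    print("failures per source:", failures_by_source(SAMPLE_EVENTS))
    print("threshold hits:", threshold_hits(SAMPLE_EVENTS))
```

The admin's two typos never trip the rule because they fall outside any single 5-minute window, while the brute-force burst does; that is the distinction a threshold rule should make, and it is worth tuning the window and count against your own dashboard counts before wiring the email action in step 8.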

Hi, I’m Ron