Build a Powerful Home SIEM Lab Without Hassle! (Step by Step Guide)
Summary
TL;DR: This tutorial offers a step-by-step guide to building a home Security Incident and Event Management (SIEM) lab using Elastic SIEM and a Kali Linux VM. It covers creating an Elastic account, setting up the Elastic Cloud instance, configuring the Kali VM, and installing the Elastic Agent to push audit logs and telemetry. The video also demonstrates generating security events, creating a dashboard for visualization, and setting up alerts for incident response. By following along, viewers gain hands-on experience and can add valuable resume bullets for roles in cybersecurity, particularly for those aspiring to be SOC analysts.
Takeaways
- 😀 The video is a tutorial on building a home lab for security operations (SOC) analysts to gain hands-on experience with Elastic SIEM (Security Incident Event Management).
- 🔑 Creating an Elastic account is the first step, which is free but on a trial basis, meaning access will eventually be lost.
- 🖥️ The tutorial guides through setting up a Linux VM using VirtualBox and downloading the Kali Linux VM for the lab environment.
- 📡 It explains how to install and configure the Elastic Cloud instance and the Elastic agent on the Kali VM to push telemetry data.
- 🛠️ The video demonstrates using nmap to generate tasks and audit logs, which are pushed to the SIEM for analysis.
- 📊 The importance of creating dashboards in SIEM for visualizing events and telemetry is highlighted, with a walkthrough of creating a basic dashboard.
- 🚨 The tutorial covers setting up alerts in the SIEM to notify analysts of security events, such as nmap scans, via email or other integrations.
- 🔍 It emphasizes the value of customizing alerts and dashboards based on specific business needs and best practices in SOC.
- 📝 The script suggests documenting the lab setup and experiences, which can be beneficial when applying for jobs in the cybersecurity field.
- 🔄 The video encourages viewers to expand their home lab by adding more agents and endpoints, and to explore more complex configurations and use cases.
- 🗂️ The tutorial concludes by suggesting further resources and labs for enhancing SOC and incident response skills, like the 'So You Want to Be a SOC Analyst' video with Eric Capuano.
Q & A
What is the purpose of building a home SIEM lab as described in the video?
-The purpose of building a home SIEM (Security Incident Event Management) lab is to gain hands-on practical experience for security analysts, which is critical for developing blue team skills, becoming a security analyst, or enhancing one's capabilities in this field.
What is the significance of adding resume bullets after completing the SIEM lab?
-Adding resume bullets after completing the SIEM lab signifies the practical experience gained, which can be valuable for job applications in the cybersecurity field, showcasing the candidate's hands-on experience with SIEM tools and techniques.
How does one get started with the SIEM lab as per the video?
-To get started with the SIEM lab, one needs to create an Elastic account for access to the Elastic Cloud, set up a Linux VM using VirtualBox, and install a Kali Linux VM to serve as the endpoint for pushing telemetry data into the Elastic Cloud.
What is the role of Elastic Cloud in the SIEM lab?
-Elastic Cloud serves as the central repository for telemetry data collected from the Kali Linux VM. It is used to manage and analyze security events and incidents within the SIEM lab environment.
What is the Elastic Defend integration used for in the SIEM lab?
-The Elastic Defend integration is used to install an agent on the Kali VM, which pushes audit logs and telemetry data up to the SIEM for analysis and monitoring.
How does one confirm the successful installation of the Elastic Agent on the Kali VM?
-To confirm the successful installation of the Elastic Agent, one can run the command `systemctl status elastic-agent.service` in the Kali VM, which should return a positive response indicating the service is running correctly.
What is the significance of generating tasks and analyzing security events in the SIEM?
-Generating tasks and analyzing security events in the SIEM helps in understanding the behavior of the system under different conditions, such as running network scans with nmap, and allows the analyst to practice detection and response strategies.
What is the purpose of creating a dashboard in the SIEM?
-Creating a dashboard in the SIEM serves to visualize security events and telemetry data, making it easier to monitor and analyze the system's activity over time.
Why are alerts important in the SIEM?
-Alerts are important in the SIEM because they notify security analysts of potential security incidents or events that require attention, enabling a timely response to threats.
What are some next steps suggested after setting up the basic SIEM lab?
-Some next steps suggested include adding more agents to the network for additional telemetry data, creating more detailed dashboards and alerts for better monitoring, and exploring further customization and tuning of detections to suit specific security needs.
How can the SIEM lab experience be leveraged for a job interview?
-The SIEM lab experience can be leveraged in a job interview by documenting the hands-on experience with Elastic Stack, SIEM, and creating alerts and detections, showcasing practical skills that are valuable in the cybersecurity field.
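The two SIEM pieces the lab sets up, a custom-query detection rule that matches nmap executions and a "count over @timestamp" dashboard series, can be reproduced in a few dozen lines so the logic is visible outside Kibana. The example below is added here and is not code from the video, the blog post, or Elastic; it evaluates a rule and a time-bucketed count over a handful of constructed, ECS-shaped events (the `@timestamp`, `event.action`, `process.args`, `process.command_line` and `host.name` field names are the ECS conventions the Elastic Agent uses; the event values themselves are made up for the example).

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed sample telemetry in ECS shape, standing in for what the agent
# ships from the Kali VM. These records are made up for the example.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:05Z", "host": {"name": "kali"},
     "event": {"action": "exec"},
     "process": {"args": ["nmap", "-p-", "localhost"],
                 "command_line": "nmap -p- localhost"}},
    {"@timestamp": "2024-01-01T10:00:40Z", "host": {"name": "kali"},
     "event": {"action": "exec"},
     "process": {"args": ["sudo", "-l"], "command_line": "sudo -l"}},
    {"@timestamp": "2024-01-01T10:01:10Z", "host": {"name": "kali"},
     "event": {"action": "exec"},
     "process": {"args": ["mkdir", "foobar"], "command_line": "mkdir foobar"}},
    {"@timestamp": "2024-01-01T10:01:30Z", "host": {"name": "kali"},
     "event": {"action": "exec"},
     "process": {"args": ["/usr/bin/nmap", "127.0.0.1"],
                 "command_line": "/usr/bin/nmap 127.0.0.1"}},
    # A non-process event (no "process" block) that a rule must tolerate.
    {"@timestamp": "2024-01-01T10:03:00Z", "host": {"name": "kali"},
     "event": {"action": "user_login"}},
]


@dataclass
class Rule:
    """A detection rule as the lab creates it: a name, the description the
    next analyst on shift will read when it fires, and the query logic."""
    name: str
    description: str
    matches: Callable[[dict], bool]


def process_args(event: dict) -> list:
    """Return process.args, tolerating events that carry no process block."""
    return (event.get("process") or {}).get("args") or []


def is_nmap_scan(event: dict) -> bool:
    """Local stand-in for the lab's custom query on process.args: flag any
    process whose argv contains nmap, as a bare name or a full path."""
    return any(arg.rsplit("/", 1)[-1] == "nmap" for arg in process_args(event))


NMAP_RULE = Rule(
    name="nmap scan",
    description="nmap was executed on a monitored host; check whether it was "
                "authorised testing before treating it as reconnaissance.",
    matches=is_nmap_scan,
)


def run_rule(rule: Rule, events: list) -> list:
    """Evaluate one rule over a batch of events and return alert records,
    one per matching event, carrying the fields an analyst triages from."""
    return [
        {"rule": rule.name, "@timestamp": e["@timestamp"],
         "host": (e.get("host") or {}).get("name"),
         "command_line": (e.get("process") or {}).get("command_line")}
        for e in events if rule.matches(e)
    ]


def parse_timestamp(value: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def count_over_time(events: list, bucket_seconds: int = 60) -> dict:
    """The dashboard's 'count over @timestamp' series: number of events per
    time bucket, keyed by the bucket's start time as an ISO 8601 string."""
    counts = Counter()
    for e in events:
        epoch = int(parse_timestamp(e["@timestamp"]).timestamp())
        start = epoch - epoch % bucket_seconds
        counts[datetime.fromtimestamp(start, tz=timezone.utc).isoformat()] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for alert in run_rule(NMAP_RULE, SAMPLE_EVENTS):
        print(alert)
    print(count_over_time(SAMPLE_EVENTS))
```

Two of the five constructed events trigger the rule (the bare `nmap` and the full-path `/usr/bin/nmap`), the login event without a process block is skipped rather than raising, and the one-minute buckets give the same per-interval counts a vertical bar chart over `@timestamp` would plot.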
Outlines
🛠️ Building a Home SOC Analyst Lab with Elastic and Kali Linux
This paragraph introduces a practical lab for SOC (Security Operations Center) analysts, focusing on building a simulated lab environment at home. The lab involves setting up a Kali Linux VM in VirtualBox and integrating it with Elastic's SIEM (Security Information and Event Management) tool. The goal is to gain hands-on experience and enhance one's resume with relevant skills. The video provides a step-by-step guide to create an Elastic Cloud instance, configure it, and push telemetry data from the Kali VM. It also mentions the importance of SIEM in a SOC analyst's toolkit and offers a free trial account for Elastic Cloud.
🔍 Exploring Security Events and Creating Dashboards in Elastic SIEM
This section delves into the process of generating and analyzing security events within the Elastic SIEM platform. It guides the viewer through running commands like 'nmap' on the Kali VM to produce telemetry, which is then visualized in the Elastic SIEM dashboard. The paragraph emphasizes the significance of understanding and customizing dashboards and alerts for effective security monitoring. It also covers creating a basic dashboard and setting up alerts to detect specific security events, such as 'nmap' scans, and how to configure actions like sending an email when such events occur.
🚀 Advancing SOC Skills with Additional Lab Work and Customization
The final paragraph provides suggestions for further enhancing the home lab experience and SOC skills. It encourages viewers to add more agents to their networks for a more comprehensive telemetry collection and to create additional dashboards and alerts for a deeper understanding of security events. The video also highlights the importance of customization and tuning in the SOC field and suggests exploring other resources for more advanced lab setups. It concludes with advice on leveraging the lab experience to improve one's resume and prepare for job interviews, emphasizing the value of practical experience in the cybersecurity job market.
Keywords
💡SOC Analyst
💡Elastic SIEM
💡Home Lab
💡Kali Linux
💡Telemetry
💡Elastic Cloud
💡Elastic Agent
💡nmap
💡Dashboard
💡Alerts
💡EDR Solution
Highlights
Building a home SIEM lab for hands-on experience in security incident and event management.
Creating a free Elastic SIEM lab to gain practical experience as a security analyst.
No financial barriers to access the Elastic trial account for the lab.
Setting up a Linux VM in VirtualBox as the first step in the lab.
Using Kali Linux VM for generating security events and telemetry.
Installing Elastic Cloud and configuring it for the SIEM lab.
Adding Elastic Agent to the Kali VM to push audit logs and telemetry.
Generating tasks and analyzing security events in the SIEM.
Creating a dashboard in Elastic SIEM to visualize security events.
Creating alerts in SIEM to detect and respond to security events.
Using nmap to simulate security events for analysis in the lab.
Customizing dashboards and alerts for specific business needs.
The importance of alert tuning in a SOC environment.
Recommendations for expanding the lab with more agents and endpoints.
Encouragement to document lab experiences for future job interviews.
The value of hands-on experience with the Elastic stack for job prospects.
Upcoming video on building a victim machine compromised with a post-exploitation framework.
Introduction to incident response skills with Lima Charlie in the next lab.
Transcripts
Want to get hands-on practical lab experience for SOC analyst work, making a home SIEM lab, and just overwhelmed? When you're done with this video you're going to have this SIEM built and you're going to have these resume bullets you can add to your resume. Let's get into it.

What's up everybody, welcome back to the channel. I've got a banger for you: this blog post, "A Simple Elastic SIEM Lab", is a very easy to follow along practical lab that will allow you to build a SIEM lab, push telemetry from a box via an agent into it, and do different types of interactions with a SIEM. Now really quickly, a SIEM is a security incident event management tool and it is a critical tool of any SOC analyst, so if you're interested in getting blue team skills or becoming a SOC analyst or just leveling up your game in that way, this is a free, easy way to do it that is tons of practical experience, believe me. And as I mentioned, those resume bullets are going to be yours to put on there. But basically this is going to walk through and build a Kali Linux VM box in VirtualBox; it's also going to stand up Elastic Cloud and then push telemetry from the Kali box into the Elastic Cloud. So let's follow it step by step.

Step one is you need to get an Elastic account, so that's very easy. I will note that this is a free account but it is a trial, so at some point you'll lose access. When you go to the link it's going to look just like this; you can go ahead and use your Google credentials or sign up for a free trial. You can see here, definitely no credit card required, there's no financial gating of you. Once you get into it you're going to see "create deployment", right? I've already gotten in here, it's pretty straightforward. I'm in here right now, create deployment, and you should get this kind of look and feel. Okay, so now we have the Elastic Cloud instance up and we're ready to start to configure it, but first we've got to set up our Linux VM. I'm using VirtualBox; you can download it right here at this site. You'll have to get a Kali VM; use this one right here, link in the description. Once you get that up and running, basically you'll use VirtualBox right here, you'll add one and then pick that Kali Linux VM that you got. Once you install it, it'll be up and running here; you go ahead and just launch it and it'll look like this. You can see I have already got my Kali box up; we don't need VirtualBox here anymore. Okay, so we've got our Kali VM, here we are, you can see that we can access the internet, so let's move on to step two. Okay, follow these directions perfectly and we get on to step three.

So now we have the Elastic Cloud stack, right, and then we have the Kali VM, and now we're ready to put the agent on the Kali VM to push audit logs and telemetry up to the SIEM. So let's follow this: go into the Elastic SIEM instance, hit the hamburger menu on the top left, click on Integrations and choose Elastic Defend. Let's go ahead and do that. We're in here, we're going to go ahead and click on the hamburger menu; you can see down the bottom right there it says "add integrations", let's click that. Right there on the top for me is Elastic Defend; if it's not there for you, you can just type in "defend" in the search bar and you can see it shows right up. Go ahead and select that, scroll down, look at it, whatever you want to do; it gives you some interesting information as to what it does. I don't really care, I just want to get that agent on there, so let's figure out what we're doing here. Click "add Elastic Defend" right here, configure integration: let's just say whatever you want. Okay, we are going to choose what you want; I'm going YOLO and doing the entire complete EDR solution, no big deal. Agent policy name: again, since we're just testing this it doesn't really matter. Go ahead and hit save and continue down the bottom here. All right, now we get this popup that says the integration has been added; click "add Elastic Agent to your host", it's the blue button right here, you want to add that. Now we're going to get some directions. We are using the Kali Linux VM so we're going to use this Linux command; obviously if you're deviating from the blog post then you're going to have to choose your own adventure here, but for me I'm going to go ahead and click the copy button, I'm going to go back to the Kali Linux VM, I'm going to go ahead and paste it in here, you can see it popped in, and hit enter. Really quickly I just want to point out it's running and it's downloading all this stuff right here, so this is going to take a minute. A little longer than a few minutes later, all right, so you can see it's done loading; we can tell because you can see here "Elastic Agent successfully installed". Per the blog post, if you want to confirm it you can run this simple command that you see in the blog post right here, `sudo systemctl status elastic-agent.service`. Go ahead and run that just to confirm and you can see we got a positive response from the system.

Now let's go ahead and follow the next step. Step four: generate some tasks. In here they suggest we run nmap; that's fine, let's go ahead and do that. Do `nmap ... localhost`; this is basically just running an nmap scan on the Kali box itself. You could see here it found a couple listening services, made a little bit of noise. All right, so we've got two commands, okay, so that should be enough to get us going. Let's go back to the blog post now, let's follow the steps: let's go back inside the Elastic deployment, go to Logs under Observability and take a look, and look for nmap scan. Okay cool, let's do that. Let's go ahead and close this out; we're going to click on the hamburger menu on the top left, this is the hamburger menu, and we're going to go to Observability, which is further down here. All right, perfect, let's do this: hamburger menu, Observability and then Logs, this is what we're looking to click on. Okay, we'll take a look at what we see. Looks like we've got some telemetry in here, very nice. All right, so I typed in `process.args: nmap` and got a couple events, which makes sense, right? We're going to go ahead and click on the three-dot ellipsis and see some details on them, and here it is: we're seeing that nmap was run in the environment. Okay, yeah, `nmap -p`, like we're actually seeing the exact command that we ran, cool. We're seeing these things, event, process, command line, so we're seeing the exact same things. By generating and analyzing different types of security events in the SIEM we can see all sorts of things like wrong password attempts, etc., right?

Now let's create a dashboard to visualize the events. This is good; dashboards are pretty standard in SOCs and for SIEMs, so let's go back and go to the Analytics tab and click on Dashboard. So okay, I'm going back into the SIEM, I'm going to click on the hamburger menu again, I'm going to go to Analytics and Dashboard; you can see hamburger menu and Dashboard right here, so let's click on that. Create dashboard, create visualization. Okay, create dashboard, the blue button right here, and create visualization, the blue button right here. And going back to the blog post: select area or line as the visualization type; looks like they chose area in the example, let's say area. In the metric section select count as the vertical field and timestamp for the horizontal field. Okay, so let's see where is that actually located, over here on the right. Thank you blog post, so horizontal is timestamp and the vertical axis is going to be count; you can see now we've got count and timestamp. Click the save button to save the visualization, save and return. Simply Cyber visualization per blog, count over time. So now it looks like we've got this dashboard created, and in their picture they've got some visualization showing up; let's see what we've got. I see a whole bunch of nothing. See if we can't figure out something: they said area in the blog post but in the pictures they did vertical bar chart, so let's try that out and just see if that works for us. Now we're getting some graphics here. Let's do a little bit more on the Kali box: `sudo -l`, maybe `sudo ps`, right, `mkdir foobar`, `ssh localhost`, just trying to get some more data in here so we can look and see the bar charts changing. There we go, very nice, and then I'm actually going to do nmap simplycyber. All right, so while that's doing it let's create an alert in the SIEM.

Alerts are very important because they tell the humans what to go look for or what to go look at. Okay, so we're going back to the hamburger menu up here. Okay, you can see again hamburger menu, Security and then Alerts, this is what we're going for right here, very nice. Let's go; while that's teeing up let's create a new rule. Let's define the rule as a custom query and we'll look for those nmap scans. Okay, let's click on Manage rules, let's create a new rule, very nice, a custom query is selected already. The source is going to be `event.action:` and we want nmap scan, and then we're going to click continue. I think under "about rule", type that. Okay, so as a SOC analyst you'd actually want to give some detail as to what this is, right? Like it's fun in a lab but you've got to be thorough, because if someone else, like you punch out of work and the next person comes in and this thing fires off, they're going to be like "what is this?", obviously, so you've got to hook them up. Okay, keep all the other defaults like schedule and click continue. Okay, so let's do that, let's click continue, let's click continue. So this is another good thing, like where does it alert? Like you can have it fire off into Slack and notify everybody, you can have it open a Jira ticket, right, for action, you can just do like a general webhook if you're going to get into APIs and stuff; this is really powerful and nice because it allows for more automation and orchestration, and I leave that to you as an exercise for yourself. Okay, so in the action, select the action you want to take. All right, so we have to choose some action; let's send an email. All right, there we go, so now we've created an action, or excuse me, an alert called nmap scan; it's one of our rules, this is fantastic. Let's see if we can fire it off, let's do that really quickly and see if we can fire off that email, and then we'll call it a win. All right, it detected it, I mean it completed it, so let's go back really quick while that alert comes in. We'll go to our dashboards; you can see here the telemetry is coming in so we are getting visibility, this is really nice. Wait for this to come in.

While that's coming in, the blog post says: we set up a home lab using Elastic SIEM and a Kali VM, we forwarded data from the Kali VM as an endpoint on our network to the SIEM using the Elastic Beats agent, generated security events on Kali using nmap, and queried and analyzed the logs in the SIEM. We created a dashboard to visualize the security events, not a very interesting dashboard but we did, and we created alerts to detect security events, right? So alerts are huge, and you know usually when you set up a SIEM you can get like a default set of best-practice alerts, and then you want to tune those, obviously. Also I'm sure there's dozens and dozens of pre-canned dashboards based on best practices. Like anything else, it's good to use some of the templated stuff out of the box to get you off and running, but if you're going to work in a SOC you are going to want to start doing your own detections; detection tuning is an entire kind of discipline within the SOC, and customizing those dashboards for whatever your business cares about most. In the next steps they do say, I want to remind you, so like this is basically just a basic kickoff of the SIEM lab, right, but at this point you have a lab that is pushing telemetry. So what I would say to you is two things. One, you can add a couple more agents into your networks and then you have like a couple endpoints pushing telemetry into that one central repo. Two, I would recommend creating a couple more dashboards, a couple more alerts, like really robust it out; maybe even go and Google labs that have alerts and detections, right? Eric Capuano's blog on "So You Want to Be a SOC Analyst" has a couple great examples, I'll link that below, and basically play with it and get in here.

Now as I said at the onset of this video, because you're doing this lab you can use these resume bullets now, and really, you know, we did a very limited amount of SIEM work, SOC work, so it's a thin resume bullet obviously, but you are doing it and you have all the capability now and the infrastructure in your home lab to take it to the next level, and I would strongly encourage you to keep playing with this while the trial period is there. Get as much value out of this as you can squeeze, maybe even document some of it, and then when you go to a job interview you can say "oh, I've played with Elastic Stack, I've played with Kibana, I've created alerts and detections". Trust me, a hiring manager is going to find that fascinating and interesting, believe me. Okay, go check out this blog post, I hope you enjoyed this video; there's a lot of different opportunities here for you. Shout out to the blog post author Abdullah Ali, very cool. If you enjoyed that, go check out this "So You Want to Be a SOC Analyst" video I did with Eric Capuano; it walks through another entire home lab that you can use for free to level up and get practical hands-on experience, I think you're really going to love it. In this next video that I'm going to drop right here you are going to build a victim machine that is compromised with a post-exploitation framework called Sliver; you are going to set up a LimaCharlie, basically a centralized management console that's very much like a SIEM but it will allow you to detect, it's more of an EDR solution, or endpoint detection and response. So you'll see the victim get compromised with the post-exploitation framework in LimaCharlie and then be able to do response like quarantine and stuff like that. So this lab was more about SOC analyst skills; this lab I'm about to send you to is more about incident response skills. Get the practical hands-on skills, they're so, so valuable in the market. Do these home labs, you're going to thank me. I'm Gerry from Simply Cyber, until next time, stay secure.