How To Setup ELK | Elastic Agents & Sysmon for Cybersecurity

John Hammond
10 May 2023 | 14:35

Summary

TLDR: In this video, the presenter walks through setting up the ELK stack (Elasticsearch, Logstash, Kibana) as a Security Information and Event Management (SIEM) solution. He follows John Strand's introductory labs, which are part of Black Hills Information Security's free, pay-what-you-can training. The video covers creating an Elastic Cloud account, enrolling an Elastic Agent, installing Sysmon for richer Windows log collection, and using Kibana to search and visualise the resulting events. The session highlights how approachable an ELK setup has become, its usefulness for detecting security events, and the value of accessible cybersecurity training.

Takeaways

  • 😀 The setup of an ELK (Elasticsearch, Logstash, Kibana) stack for a SIEM solution can be complex, but it becomes manageable with the right resources.
  • 😀 John Strand's courses and Black Hills Information Security offer 'pay what you can' training, making cybersecurity education accessible to all.
  • 😀 The Elastic Cloud offers a free 14-day trial, allowing users to experiment with setting up a deployment without a credit card.
  • 😀 Setting up the Elastic Stack involves creating a deployment, managing credentials, and configuring the system for monitoring and security data ingestion.
  • 😀 Integrating Elastic Agents with your hosts is essential for collecting and sending security data to the Elastic Stack.
  • 😀 Sysmon (System Monitor) is a critical tool for improving the quality of logs collected from Windows machines: it writes detailed, structured events (process creation with full command line and hashes, network connections, file and registry changes) to its own event log channel, Microsoft-Windows-Sysmon/Operational.
  • 😀 The installation of Elastic Agents and Sysmon is done via PowerShell commands, and the process can be automated using provided scripts.
  • 😀 Once the Elastic Agent is installed and Sysmon is running, the integration is completed through the Kibana interface, specifically through the Fleet feature.
  • 😀 Kibana's Fleet interface is used to manage agent policies, view agent statuses, and enable integrations like Sysmon for Windows.
  • 😀 After Sysmon is configured, users can generate logs by performing activities like opening applications or running commands, which will be reflected in Kibana's Discover tab for analysis.
  • 😀 Filtering logs in Kibana based on Sysmon data, such as process creation events, allows for effective tracking and security monitoring.
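The host-side steps in the list above (install Sysmon with a configuration, then install and enroll the Elastic Agent) as one PowerShell script. This is an added example, not the video's own commands or an Elastic-provided script. It assumes an elevated PowerShell session, a Sysmon configuration file (the SwiftOnSecurity community config URL is used as a placeholder you should replace with your own), and a Fleet URL and enrollment token copied from Kibana's Fleet > Add agent page; the Elastic Agent version is a parameter and must match your deployment.

```powershell
#Requires -RunAsAdministrator
# Added example: install Sysmon with a config, then install and enroll Elastic Agent.
# Placeholders (not from the video): $FleetUrl, $EnrollmentToken, $AgentVersion, $SysmonConfigUrl.
param(
    [string]$FleetUrl        = 'https://<fleet-server-host>:443',   # from Kibana > Fleet > Add agent
    [string]$EnrollmentToken = '<enrollment-token>',                # from the same page
    [string]$AgentVersion    = '8.7.1',                              # match your Elastic Cloud deployment
    [string]$SysmonConfigUrl = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'
)
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'elk-setup'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# --- Sysmon -------------------------------------------------------------
Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' -OutFile "$work\Sysmon.zip"
Expand-Archive -Path "$work\Sysmon.zip" -DestinationPath "$work\Sysmon" -Force
Invoke-WebRequest -Uri $SysmonConfigUrl -OutFile "$work\sysmonconfig.xml"

$sysmon = Join-Path "$work\Sysmon" 'Sysmon64.exe'
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    # Already installed: push the new config (-c) instead of failing on a second install (-i).
    & $sysmon -accepteula -c "$work\sysmonconfig.xml"
} else {
    & $sysmon -accepteula -i "$work\sysmonconfig.xml"
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), expected Running" }

# --- Elastic Agent ------------------------------------------------------
$agentDir = "elastic-agent-$AgentVersion-windows-x86_64"
$agentZip = "$agentDir.zip"
Invoke-WebRequest -Uri "https://artifacts.elastic.co/downloads/beats/elastic-agent/$agentZip" -OutFile "$work\$agentZip"
Expand-Archive -Path "$work\$agentZip" -DestinationPath $work -Force
Set-Location (Join-Path $work $agentDir)
# --url and --enrollment-token are the flags Fleet's "Add agent" page generates;
# --non-interactive suppresses the confirmation prompt so the script can run unattended.
.\elastic-agent.exe install --non-interactive --url=$FleetUrl --enrollment-token=$EnrollmentToken
if ($LASTEXITCODE -ne 0) { throw "elastic-agent install returned exit code $LASTEXITCODE" }

# The installer copies the agent to Program Files and registers it as a service; confirm it is healthy.
& 'C:\Program Files\Elastic\Agent\elastic-agent.exe' status
```

Run it once per host. Installing Sysmon before the agent matters: the Windows integration only picks up the Sysmon channel if it exists when the agent's policy is applied, and a second run is safe because the script updates the Sysmon config rather than reinstalling.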

Q & A

  • What is the main focus of the video?

    -The video focuses on setting up and using the ELK stack (Elasticsearch, Logstash, Kibana) for security monitoring, integrating Elastic Agents and Sysmon for log collection and analysis.

  • What is ELK stack, and why is it important for security monitoring?

    -The ELK stack is a collection of three tools from Elastic: Elasticsearch (storage and search), Logstash (ingest and transformation pipeline), and Kibana (the web UI for searching and visualising). Together they index and query large volumes of data, which makes them a common foundation for security monitoring and log analysis.

  • How can you access John Strand's free training courses?

    -John Strand's free training courses are available through Antisyphon Training and Black Hills Information Security. They offer pay-what-you-can options, allowing individuals to choose their price for training materials.

  • What are the benefits of the pay-what-you-can model offered by these training platforms?

    -The pay-what-you-can model makes high-quality educational resources accessible to more people, regardless of their financial situation. Users can choose the price they can afford, and even access the courses for free through tuition assistance.

  • What is Sysmon, and why is it used in this setup?

    -Sysmon (System Monitor) is a Windows system service and device driver from Sysinternals that records detailed information about process creation, network connections, and changes to file creation time, writing it to the Microsoft-Windows-Sysmon/Operational event log. It is used in this setup because those events are far richer than the default Windows security log, giving the ELK stack something worth analysing.

  • How do you create an Elastic deployment for security monitoring?

    -To create an Elastic deployment, you need to sign up for a free Elastic Cloud trial, fill out a simple form with your details, and then set up a deployment with a name and configuration preferences. This grants access to the Kibana interface for managing logs and agents.

  • What is the process for adding Elastic agents to your deployment?

    -To add Elastic agents, you need to navigate to the Fleet section in Kibana, create an agent policy, and then add the Elastic agent to your hosts. This allows the agents to collect and send data to the Elastic stack for analysis.

  • What troubleshooting steps are mentioned when installing Sysmon?

    -When installing Sysmon, if the service fails to start, the video suggests re-running the installer with the correct command line parameters (the install switch plus the configuration file, after accepting the EULA) and verifying that Sysmon is actually registered as a service. On Windows that check is `Get-Service Sysmon64` in PowerShell or `sc query Sysmon64` from a command prompt.

  • How do you configure Elastic agents to ingest Sysmon logs?

    -After installing Sysmon on the host, you need to navigate to the Fleet section in Kibana, open Integrations, and add the Windows integration to the agent policy with its Sysmon (Microsoft-Windows-Sysmon/Operational) log input enabled. This configures the Elastic Agent to read the Sysmon event channel and forward the events to the ELK stack.

  • What is the final step to verify if Sysmon logs are being collected correctly?

    -To verify Sysmon logs are being collected, the video suggests performing normal activities on the host (e.g., opening applications or creating files) and then checking the Discover section in Kibana. Filter for Sysmon data and look for process creation events (Sysmon Event ID 1) to confirm that the events are arriving.
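The two checks in the last answers (is Sysmon registered and running, are process-creation events being written) as an added PowerShell example that is not from the video. It reads the local Sysmon channel directly, which is the quickest way to tell "Sysmon is not logging" apart from "the agent is not shipping" when Discover is empty. The function names and the choice of calc.exe as the test process are this example's own.

```powershell
# Added example: confirm Sysmon is installed and logging locally before blaming the Elastic Agent.

function Test-SysmonService {
    # Returns $true only if the Sysmon service exists and is running.
    # The service is Sysmon64 for the 64-bit binary, Sysmon for the 32-bit one.
    $svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) {
        Write-Warning 'Sysmon service not registered: run Sysmon64.exe -accepteula -i <config.xml>'
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Sysmon service is $($svc.Status), expected Running"
        return $false
    }
    return $true
}

function Get-SysmonProcessCreate {
    # Event ID 1 = Process Create. The equivalent filter in Kibana Discover once the
    # Windows integration is shipping the channel is:
    #   event.code : "1" and winlog.channel : "Microsoft-Windows-Sysmon/Operational"
    param([int]$MaxEvents = 20, [string]$ImageLike = '*')
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="...">value</Data> under EventData;
        # flatten those Name/#text pairs into a hashtable so fields can be read by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Image'] -notlike $ImageLike) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
            User        = $data['User']
            Hashes      = $data['Hashes']
        }
    }
}

if (Test-SysmonService) {
    # Generate a known event, then look for it (the video relies on ordinary activity such as opening apps).
    Start-Process -FilePath 'calc.exe'
    Start-Sleep -Seconds 2
    $hits = Get-SysmonProcessCreate -ImageLike '*calc*'
    if ($hits) {
        $hits | Format-Table -AutoSize
    } else {
        Write-Warning 'No calc.exe process-create event found: check that the Sysmon config contains ProcessCreate rules that do not exclude it'
    }
}
```

If this script shows the calc.exe event locally but Discover does not, the problem is on the shipping side: check the agent with `elastic-agent status`, and confirm in Fleet that the Windows integration on the agent's policy has the Sysmon Operational input enabled.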


Related Tags
Elastic Stack, SIEM setup, Cybersecurity, John Strand, Sysmon, Kibana, Log analysis, Free labs, Security training, Event monitoring, Detection engineering