Build a Powerful Home SIEM Lab Without Hassle! (Step by Step Guide)

00:00

want to get Hands-On practical lab

00:01

experience for sock analyst work making

00:03

a home Sim lab and just overwhelmed but

00:06

when you're done with this video you're

00:07

going to have this Sim built and you're

00:09

going to have these resume bullets you

00:10

can add to your resume let's get into

00:15

[Music]

00:23

it what's up everybody welcome back to

00:25

the channel I've got a banger for you

00:27

this blog post a simple elastic Sim lab

00:30

is a very easy to follow along practical

00:33

lab that will allow you to build a Sim

00:35

lab push Telemetry from a box via an

00:39

asent into it and do different types of

00:42

interactions with a Sim now really

00:44

quickly a Sim is a security incident

00:46

event management tool and it is a

00:49

critical tool of any sock analyst so if

00:52

you're interested in getting blue team

00:53

skills or becoming a sock analyst or

00:56

just leveling up your game in that way

00:58

this is a free easy way to do it that is

01:02

tons of practical experience believe me

01:05

and as I mentioned those resume bullets

01:07

are going to be yours to put on there

01:08

but basically this is going to walk

01:09

through and build a c Linux VM box in

01:12

Virtual box it's also going to stand up

01:14

elastic cloud and then push Telemetry

01:17

from the Cali box into the elastic Cloud

01:19

so let's follow it step by step step one

01:22

is you need to get an elastic account so

01:25

that's very easy I will note that this

01:26

is a free account but it is a trial so

01:29

at some point you'll lose access when

01:31

you go to the link it's going to look

01:32

just like this you can go ahead and use

01:34

your Google credits or sign up for a

01:35

free trial uh you can see here

01:37

definitely no credit card required

01:38

there's no Financial gating of you uh

01:40

once you get into it you're going to see

01:42

create deployment right I've already

01:44

gotten in here it's pretty straight

01:45

forward I'm in here right now create

01:47

deployment and you should get this kind

01:49

of look and feel okay so now we have the

01:52

elastic Cloud instance uh up and we're

01:54

ready to uh start to configure it but

01:56

first we've got to set up our Linux VM

01:58

I'm using virtual box you can download

02:00

it right here um at this site you'll

02:02

have to get a Cali VM use this one right

02:04

here Link in the description once you

02:06

get that up and running basically you'll

02:08

use a virtual box right here you'll add

02:10

one and then pick that Cali Linux uh VM

02:13

that you got once you install it it'll

02:15

be up and running here you go ahead and

02:17

just launch it and it'll look like this

02:19

you can see I have already got my Cali

02:21

box up we don't need virtual box here

02:23

anymore okay so we've got our Cali VM

02:25

here we are you can see that we can

02:27

access the internet so let's move on to

02:29

step two okay uh follow these directions

02:32

perfectly and we get on to step three so

02:34

now we have the elastic Cloud stack

02:37

right and then we have the Cali VM and

02:39

now we're ready to put the agent on the

02:41

Cali VM to push audit logs and Telemetry

02:44

up to the Sim so let's follow this go

02:46

into the elastic Sim instance hit the

02:48

hamburger menu on the top left click on

02:50

Integrations and choose elastic defend

02:52

let's go ahead and do that we're in here

02:54

we're going to go ahead click on the

02:55

hamburger menu you can see down the

02:57

bottom right there it says add

02:58

Integrations let's click that right

03:00

there on the top for me is elastic

03:01

defend if if it's not there for you you

03:03

can just type in defend in the search

03:05

bar and you can see it shows right up go

03:07

ahead and select that scroll down look

03:08

at it whatever you want to do it gives

03:10

you some interesting information as to

03:11

what it does I don't really care I just

03:13

want to I want to get that agent on

03:14

there so let's figure out what we're

03:16

doing here click add elastic defend

03:18

right here configure integration let's

03:20

just say whatever you want okay we are

03:22

going to choose what you want I'm going

03:24

YOLO and doing the entire complete EDR

03:26

solution no big deal agent policy name

03:28

again since we're just of uh testing

03:30

this it doesn't really matter go ahead

03:32

and hit save and continue down the

03:33

bottom here all right now we get this

03:35

popup that says the integration has been

03:36

added click add elastic agent to your

03:39

host it's the blue button right here you

03:41

want to add that now we're going to get

03:42

some directions we are using the Cali

03:44

Linux VM so we're going to use this uh

03:46

Linux command obviously if you're

03:48

deviating from the blog post then you're

03:50

going to have to choose your own

03:51

adventure here but for me I'm going to

03:53

go ahead and click the copy button I'm

03:54

going to go back to the Cali Linux VM

03:56

I'm going to go ahead and paste it in

03:57

here you can see it popped in and and

04:00

hit enter really quickly I just want to

04:02

point out it's running and it's

04:03

downloading all this stuff right here so

04:05

this is going to take a minute a little

04:07

longer than a few minutes later all

04:09

right so you can see it's done loading

04:11

uh we can tell because the um you can

04:13

see here elastic agent successfully

04:15

installed per the blog post if you want

04:16

to confirm it you can run this simple

04:19

command that you see in the in the uh

04:22

blog post right here pseudo system CTL

04:24

status elastic agent service go ahead

04:26

and run that just to confirm and you can

04:28

see we got a positive responds from the

04:31

system now let's go ahead and follow the

04:33

next step step four generate some tasks

04:35

in here they suggest we run nmap that's

04:37

fine let's go ahead and do that do end

04:39

map TP TCH Local Host this is basically

04:42

just running an end map scan on the Cali

04:44

box itself you could see here it found a

04:46

couple listening Services made a little

04:48

bit of noise all right so we've got two

04:50

two commands Okay so that should be

04:52

enough to get us going let's go back to

04:53

the blog post now let's follow the steps

04:56

let's go back inside do the elastic

04:57

deployment go to logs under

04:58

observability and take a look uh and

05:00

look for end map scan okay cool let's do

05:03

that let's go ahead and close this out

05:04

we're going to click on the hamburger

05:05

menu on the top left this is the

05:07

hamburger menu and we're going to go to

05:09

observability which is further down here

05:11

all right perfect let's do this

05:12

hamburger menu observability and then

05:15

logs this is what we're looking to click

05:17

on okay we'll take a look at what we see

05:19

looks like we've got some Telemetry in

05:21

here very nice all right so I typed in

05:23

process args uh colon end map and got a

05:26

couple events which makes sense right

05:27

we're going to go ahead click on the

05:28

three lipsus and see some details on

05:30

them and here it is we're seeing that

05:32

nmap was run in the environment okay

05:34

yeah n m-p like we're actually seeing

05:36

the exact command that we ran cool we're

05:38

seeing these things event process

05:40

command line so we're seeing the exact

05:42

same things by generating analyzing

05:44

different types of security events in

05:45

the Sim we can see all sorts of things

05:47

like wrong password attempts Etc right

05:49

now let's create a dashboard to

05:50

visualize the events this is good so

05:52

dashboards are pretty standard in socks

05:54

and for Sims so let's go back and go to

05:57

the analytics Tab and click on dashboard

05:59

so okay so I'm going back into the Sim

06:02

I'm going to click on the hamburger menu

06:03

again I'm going to go to analytics and

06:04

dashboard you can see hamburger menu and

06:07

dashboard right here so let's click on

06:09

that create dashboard create

06:10

visualization okay create dashboard uh

06:12

the blue button right here and create

06:15

visualization the blue button right here

06:17

and going back to the blog post select

06:18

area or line is the visualization type

06:21

uh looks like they chose area in the

06:23

example let's say area in the metric

06:25

section select count as the vertical

06:27

field and time stamp for the horizontal

06:28

field okay so let's see where is that

06:31

actually located over here on the right

06:33

thank you blog post so horizontal is

06:36

time stamp and the vertical access is

06:38

going to be count you can see now we've

06:39

got count and timestamp click the save

06:42

button to save the visualization save

06:44

and return simply cyber visualization

06:47

per blog count over time so now it looks

06:50

like we've got this dashboard created

06:52

and in there uh picture they've got some

06:55

visualization uh showing up let's see

06:57

what we've got I see a whole bunch of

06:58

nothing see if we can't figure out

07:00

something they said area in the blog

07:02

post but in the pictures they did

07:04

vertical bar chart so let's try that out

07:06

and just see if that works for us now

07:08

we're getting some graphics here let's

07:10

do a little bit more on the Cali box

07:13

pseudo- L maybe pseudo PS right make

07:17

directory Fubar at Tech SV Local Host

07:22

just trying to get some more data in

07:24

here so we can look and see the uh bar

07:26

charts changing there we go very nice uh

07:29

and then I'm actually going to do end

07:30

map simply cyber. all right so while

07:33

that's doing it let's create an alert

07:35

and the Sim alerts are very important

07:36

cuz they tell the humans what to look go

07:38

look for or what to go look at okay so

07:40

we're going back to the hamburger menu

07:42

up here okay you can see again hamburger

07:44

menu security and then alerts this is

07:47

what we're going for right here very

07:48

nice let's go while that's te up let's

07:50

create a new rule let's define the rule

07:52

as a custom query and we'll look for

07:54

those end map scans okay let's click on

07:56

manage rule let's create a new rule very

07:58

nice a custom query as selected already

08:01

the source is going to be event. action

08:04

colon and we want andap scan and then

08:07

we're going to click continue I think

08:09

under about rule type that okay so as a

08:11

sock analyst you'd actually want to give

08:13

some detail as to what this is right

08:16

like it's fun in a lab but you got to be

08:18

thorough because if someone else like

08:19

you you punch out of work and the next

08:21

person comes in and this thing fires off

08:22

they're going to be like what is this

08:24

obviously so you got to hook them up

08:26

okay uh keep all the other defaults like

08:28

schedule and click continue okay so

08:30

let's do that let's click continue let's

08:31

click continue so this is another good

08:33

thing like where does it alert like you

08:35

can have it fire off into slack and

08:37

notify everybody you can have it open a

08:39

jira ticket right for um action you can

08:42

just like General web hook if you're

08:43

going to get into apis and stuff this is

08:45

really powerful and nice because um it

08:47

allows for more Automation and

08:50

orchestration and I leave that to you as

08:52

a exercise for yourself okay so in the

08:54

action select the action you want to

08:55

take all right so we have to choose some

08:57

action let's send an email

09:00

all right there we go so now we've

09:02

created an action or excuse me an alert

09:04

called nmap scan it's one of our rules

09:06

this is fantastic let's see if we can

09:08

fire it off let's do that really quickly

09:10

and see if we can fire off that email

09:12

and then we'll call it a win all right

09:14

it detected it I mean it completed it so

09:17

let's go back really quick while that

09:18

alert comes in we'll go to our

09:20

dashboards you can see here the

09:21

Telemetry is coming in so we are getting

09:23

visibility this is really nice wait for

09:25

this to come in while that that's coming

09:27

in the blog post says we set up a home

09:29

lab using elastic Sim and a Cali VM we

09:32

forwarded data from the Cali VM as an

09:34

endpoint on our Network to the Sim using

09:37

the elastic beats agent generated

09:39

security events on Cali using nmap and

09:41

quered and analyze the logs in the Sim

09:43

um we created a dashboard to visualize

09:45

the security events not a very

09:46

interesting dashboard but we did and we

09:48

created alerts to detect security events

09:50

right so alerts are huge and you know

09:53

usually when you set up a Sim you can

09:54

get um like a default set of like best

09:57

practice alerts uh and then you want to

09:59

tune those obviously also I'm sure

10:01

there's dozens and dozens of prean

10:04

dashboards based on best practices like

10:06

anything else it's good to use some of

10:08

the templated stuff out the box to get

10:10

you off and running but if you're going

10:12

to work in a sock you are going to want

10:13

to start uh doing your own detections uh

10:17

detection tuning is an entire kind of

10:19

discipline within the sock and um

10:22

customizing those dashboards for your

10:24

best uh for for whatever your business

10:26

cares about most um in the they do say

10:30

next steps I want to remind you so like

10:31

this is basically just a basic kickoff

10:34

of the um Sim lab right but at this

10:36

point you have a lab that is pushing

10:39

Telemetry so what I would say to you is

10:41

two things one you can either a add more

10:44

a couple more um agents into your

10:46

networks and then you have like a couple

10:47

end points pushing Telemetry into that

10:49

one Central repo two I would recommend

10:51

creating a couple more dashboards a

10:53

couple more alerts like really robust it

10:55

out maybe even go and Google like Labs

10:58

that have alerts and detections right

11:00

Eric Capuano's um blog on so you want to

11:03

be a sock analyst has a couple great

11:05

examples I'll link that below and

11:06

basically play with it and get in here

11:09

now as I said on the onset of this video

11:11

because you're doing this lab you can

11:14

use these resume bullets now and really

11:18

you know we did a very limited amount of

11:20

you know Sim work sock work so it's a

11:23

thin resume bullet obviously but you are

11:25

doing it and you have all the capability

11:28

now and the infrastructure in your home

11:30

lab to take it to the next level and I

11:33

would strongly encourage you to keep

11:35

playing with this while the um trial

11:37

period is there get as much value out of

11:40

this as you can squeeze maybe even

11:42

document some of it and then when you go

11:44

to a job interview you can say oh I've

11:46

played with elastic stack I've played

11:48

with cabana I've created alerts and

11:50

detections trust me a hiring manager is

11:52

going to find that fascinating and

11:54

interesting believe me okay go check out

11:57

this blog post I hope you enjoy enjoyed

11:59

this video um there's a lot of different

12:01

opportunities here for you shout out to

12:03

the blog post author Abdullah Ali very

12:06

cool if you enjoyed that go check out

12:08

this um so you want to be a sock analyst

12:10

video I did with Eric capuano it walks

12:12

through another entire home lab that you

12:14

can use for free to level up and get

12:17

practical hands-on experience I think

12:19

you're really going to love it in this

12:21

next video that I'm going to drop right

12:23

here you are going to build a victim

12:26

machine that is compromised with a post

12:28

exploitation framework called sliver you

12:30

are going to set up a lima charlie um

12:33

basically centralized Management console

12:35

that's very much like a Sim but it will

12:37

allow you to detect um it's more of an

12:40

EDR solution or endpoint detection

12:42

response so you'll see the victim get

12:43

compromised with the post exploitation

12:45

framework in Lima Charlie and then be

12:47

able to do um response like quarantine

12:50

and stuff like that so this lab was more

12:52

about sock analy this lab I'm about to

12:54

send you to is more about incident

12:56

response skills get the Practical

12:58

Hands-On skills they're so so valuable

13:00

in the market do these home Labs you're

13:01

going to thank me I'm Jerry from Simply

13:03

cyber until next time stay

13:08

[Music]

13:15

secure