
Building a SIEM Lab with Elastic Cloud

Project URL: https://trevordanielmurphy.com/index.php/projects/building-a-siem-lab-with-elastic-cloud/
Introduction
A recent YouTube video caught my attention while I was exploring ways to get hands-on experience with SOC and cybersecurity tools. My current role has introduced me to Elasticsearch and OpenSearch, so this was a chance to combine professional development with personal learning. The video, by Gerald Auger, is titled “Build a Powerful Home SIEM Lab Without Hassle! (Step by Step Guide)” and draws on Abdullahi Ali’s blog post “A Simple Elastic SIEM Lab.” This post is an introduction to SIEM and to Elastic, often referred to as ELK.

SIEM (Security Information and Event Management): a SIEM gives a holistic view of an organization’s information security. It combines two technologies: Security Information Management (SIM), which collects data from log files for analysis and reports on security threats and events, and Security Event Management (SEM), which monitors systems in real time, notifies administrators about important issues, and correlates different security events. SIEM systems are central to incident detection and response, providing insight through aggregation, correlation, and analysis of log data.

ELK stands for Elasticsearch, Logstash, and Kibana, three open-source tools used together to search, analyze, and visualize logs from any source in real time. Elasticsearch is the search and analytics engine, Logstash centralizes and processes the data, and Kibana is the visualization layer.

In the context of security, ELK can be used for log analysis, helping to identify security breaches and system performance issues and to monitor server communications. All three tools are bundled into the Elastic Cloud service that we will be trialing. My goal for this project is to learn to stand up, configure, and analyze data in a SIEM; as a bonus, I get to work with the Elastic Stack. I plan to set up the initial lab as described in the video and blog post and then keep going to see how we can generate events and analyze them. Another video that I really enjoyed and that helped me go further with Elastic is by John Hammond: https://www.youtube.com/watch?v=wiQ8U5mFncw&t=320s&pp=ygUMZWxhc3RpYyBzaWVt
Getting Started
Signing up for a free trial: head over to elastic.co/cloud and sign up for the free 14-day trial. No credit card is needed:
Afterwards, log into your account for the first time, and we are going to select Security as our use-case, as seen here:
Now open the left side menu and select Add Integration from the bottom.
Search for and select Elastic Defend and then click the button to add it.
Now look for the banner with the option to Install Elastic Agent and copy the install command for the operating system of your choice. This will be our first agent host, reporting security events back to our Elastic SIEM. I am going to install it on my Kali Linux VM first.
On the Linux VM, open a terminal and run the copied command. The command has four parts: curl downloads the agent package, tar unpacks the archive (a .tar.gz, not a zip), cd switches into the directory the archive created, and finally the agent installer runs with the Fleet URL and enrollment token tied to your Elastic deployment. Note that the installer runs as root, and the enrollment token in that command is a secret: anyone holding it can enroll an agent into your Fleet, so do not paste the command into notes or screenshots you share.
Respond Y to continue with the install; you will most likely be asked for the root or sudo password. At the end you should see “Elastic Agent has been installed successfully.”
We can check that the agent service is running without errors with the command systemctl status elastic-agent.
Now, with the agent installed, we are going to run a few Nmap scans to create some events that we can view in Elastic. Here is one of the Nmap scans that we ran:
To see what this now looks like in Elastic, navigate to Observability and go to Logs.
*Update as of 2/2/2024: Elastic has expanded the Logs section. We can use either Explorer to look at past logs or Stream for live ones. Let’s go to Explorer and search for Nmap. In this screenshot, you can see the fields I added after searching for Nmap. You can also see the exact Nmap commands that were run on the Kali Linux VM.

This is just an example of something we can find with Elastic as a SIEM. There are a ton of fields you can pick from to build your results.
Going Further
Next, I want to install the Elastic Agent with the Elastic Defend integration on additional machines to see what kind of activity we can monitor. I will be using my Active Directory lab environment and installing the agent on my domain controller and a Windows 10 PC.
To install on Windows: go to Fleet, then Agents, then Add agent, and copy the PowerShell code. On your Windows server or workstation, make sure you run PowerShell as Administrator. Here is what the code looked like for me:
We also want additional monitoring and reporting from Microsoft, so, as recommended by John Hammond, we are going to install Sysmon on my domain controller. Sysmon writes to its own event log channel (Microsoft-Windows-Sysmon/Operational), so the agent’s Windows integration has to be collecting that channel for the events to show up in Elastic.
- Download Sysmon from Microsoft’s website.
- Navigate to the download and extract it:
- Install Sysmon with the -i flag like this (on a first install you also have to accept the EULA, and without a configuration file Sysmon runs with its minimal default settings, so most labs pass a configuration XML after -i):
Threat Simulations
Brute force attacks are common against external servers and applications but can also be an event of interest for internal workstations and servers. In this attack, an attacker uses a tool such as Hydra paired with a wordlist to send numerous logon attempts to a server, workstation, or application. In this lab, I am going to simulate a smaller brute force attempt from my Kali Linux VM by simply using rdesktop and trying to manually brute force the Administrator account on my lab Windows Server 2019 VM. We will then configure Elastic to surface this threat and set up a realistic alert that a security team could use to report a brute-force attack.
Our command from Kali was pretty simple to utilize RDP and make connection attempts; see below:
This brings up a Remote Desktop Connection that I used to type in a series of consecutive failed logon attempts to create some noise for Elastic.
In Elastic, go to Analytics and then Discover. Here we are going to search for failed logon attempts, and we can use the Windows Event ID for this in the search field with winlog.event_id:"4625"
I searched through the available fields and found the most useful ones for this simulation. Some of these fields just come up blank, so it may take some trial and error to get the right ones. See the screenshot of our simulated brute force attempt, along with the fields I selected:
So we were able to identify a brute force attack in our SIEM; what matters more now is using these logs to take action. For this lab, we are simply going to send an email alert when we see 5 or more failed logon attempts within 1 minute.
1. From the Discover tab that we are on while reviewing the Brute Force alerts, click on Alerts and Create search threshold alert.
2. From here, enter a name for your alert and define the query if it is not filled in automatically. Here I set it to winlog.event_id:"4625" as shown in this screenshot. I also updated the group, threshold, and time window so that it alerts us if there are more than 5 failed attempts within 1 minute. This is not a robust rule on its own: an attacker who spaces attempts out (a “low and slow” brute force) stays under five per minute and never trips it, so a second rule with a longer window and a higher count is worth adding alongside it.

3. Now, under actions, select Email and enter an email to send the alert.
4. After running Hydra again, here is what an alert email looks like:
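To make the threshold rule above concrete, here is an added example (not code from the original post, from Elastic, or from the referenced videos) that reimplements the 5-failures-in-1-minute rule in Python over a handful of constructed 4625 events in the shape Elastic Agent emits, grouped by source IP, and then runs a longer 10-in-10-minutes rule against the same events. The IP addresses, timestamps, and user names are made up for the demonstration, and only the fields @timestamp, winlog.event_id, source.ip, and user.name are used.

```python
"""Threshold detection for Windows failed logons (Event ID 4625).

Added example for this post: not code from the original page, from Elastic,
or from the videos referenced above. It reimplements the "5 or more failures
in 1 minute" rule in plain Python over constructed sample events so the
rule's blind spot (slow attackers) can be seen.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_1M = timedelta(minutes=1)
WINDOW_10M = timedelta(minutes=10)


def parse_ts(value: str) -> datetime:
    """Parse an ECS @timestamp such as 2024-02-02T10:00:01Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def get_field(event: dict, dotted: str):
    """Look up a dotted ECS field name (e.g. 'source.ip') in a nested document."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def make_4625(ts: str, src_ip: str, user: str = "Administrator") -> dict:
    """Constructed, minimal event in the shape Elastic Agent emits for a failed
    logon; real documents carry many more fields. LogonType 10 is
    RemoteInteractive (RDP), but with Network Level Authentication enabled the
    pre-authentication failure is usually logged as type 3 (network) instead,
    so do not key a rule on the logon type alone."""
    return {
        "@timestamp": ts,
        "event": {"code": "4625", "category": ["authentication"], "outcome": "failure"},
        "winlog": {"event_id": "4625", "channel": "Security",
                   "event_data": {"LogonType": "10", "TargetUserName": user}},
        "source": {"ip": src_ip},
        "user": {"name": user},
    }


SAMPLE_EVENTS = (
    # Burst from the Kali VM: six failures in twenty seconds.
    [make_4625(f"2024-02-02T10:00:{s:02d}Z", "10.0.0.5") for s in (1, 5, 9, 13, 17, 21)]
    # A user mistyping a password twice: must not alert.
    + [make_4625("2024-02-02T10:00:30Z", "10.0.0.20", "jdoe"),
       make_4625("2024-02-02T10:00:45Z", "10.0.0.20", "jdoe")]
    # "Low and slow": one attempt every 20 s for three minutes (10 attempts),
    # never five inside any single minute.
    + [make_4625(f"2024-02-02T10:0{5 + i // 3}:{(i % 3) * 20:02d}Z", "10.0.0.9")
       for i in range(10)]
    # A successful logon (4624, integer-typed as older agents emit it) to drop.
    + [{"@timestamp": "2024-02-02T10:00:02Z", "winlog": {"event_id": 4624},
        "source": {"ip": "10.0.0.20"}, "user": {"name": "jdoe"}}]
)


def failed_logons(events):
    """Keep only 4625 events: the KQL query winlog.event_id:"4625" in Python.
    winlog.event_id is a string in recent agent versions and an integer in
    older ones, so compare as text."""
    return [e for e in events if str(get_field(e, "winlog.event_id")) == "4625"]


def detect_bursts(events, threshold=5, window=WINDOW_1M, group_by="source.ip"):
    """Sliding-window count of failed logons per group_by value.

    Returns {group: (count, first_ts, trigger_ts)} for every group that
    reached `threshold` events inside any span of length `window` (inclusive).
    """
    recent = defaultdict(deque)  # group -> timestamps still inside the window
    alerts = {}
    for e in sorted(failed_logons(events), key=lambda e: parse_ts(e["@timestamp"])):
        key, ts = get_field(e, group_by), parse_ts(e["@timestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (len(q), q[0], ts)
    return alerts


def demo():
    """Run the post's 5-in-1-minute rule and a longer 10-in-10-minutes rule."""
    return {
        "5 failures / 1 min": detect_bursts(SAMPLE_EVENTS),
        "10 failures / 10 min": detect_bursts(SAMPLE_EVENTS, threshold=10, window=WINDOW_10M),
    }


if __name__ == "__main__":
    for rule, hits in demo().items():
        print(rule, "->", sorted(hits) or "no alert")
        for ip, (count, first, last) in hits.items():
            print(f"  {ip}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Running the script reports one alert for 10.0.0.5 under the 1-minute rule and none for 10.0.0.9, which spreads ten attempts over three minutes and never has five inside any single minute; the 10-in-10-minutes rule catches the slow source and ignores the short Kali burst. In Kibana the equivalent is keeping the fast search threshold alert and adding a second one with a longer time window and a higher threshold.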

Lessons Learned
Setting up and using a SIEM with Elastic Cloud has been invaluable for understanding the Elastic stack and the fundamentals of SIEM technology. The main challenge was fine-tuning queries and field selections to isolate the relevant data, an area I plan to explore further with more advanced attack scenarios. This project underscores the value of SIEM systems in improving organizational security and gives me a solid foundation for future cybersecurity work.