Virtual Machine Details
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
RAM 4 GB, CPU 2
IP: 192.168.171.130
Download Elasticsearch
sudo apt-get install apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch
Make the following changes (un-commenting the lines where needed) in the Elasticsearch main configuration file
vi /etc/elasticsearch/elasticsearch.yml
- network.host: 0.0.0.0
- http.port: 9200
- cluster.initial_master_nodes: lab4
Add Elasticsearch to the startup services of Ubuntu
sudo update-rc.d elasticsearch defaults 95 10
sudo /bin/systemctl enable elasticsearch.service
sudo -i service elasticsearch start
sudo -i service elasticsearch status
If the service fails to start, check the log file:
tail -100 /var/log/elasticsearch/elasticsearch.log
Verify Elasticsearch is running by opening http://192.168.171.130:9200 in a browser
Install Kibana
https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install kibana
sudo /bin/systemctl enable kibana.service
Make the following changes to the Kibana main configuration file
sudo vi /etc/kibana/kibana.yml
- server.port: 5601
- server.host: "0.0.0.0"
- server.publicBaseUrl: "http://192.168.171.130:5601"
- server.name: "lab4"
- elasticsearch.hosts: ["http://localhost:9200"]
Enable Kibana to run at startup
sudo /bin/systemctl enable kibana.service
sudo systemctl restart kibana.service
If the service fails to start, check the log file:
tail -100 /var/log/kibana/kibana.log
Verify Kibana is running by opening http://192.168.171.130:5601 in a browser
Enable Security Integrations for SIEM Functionality
vi /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
Enable passwords and API-key authentication for agent connections to the Elasticsearch server (note down the passwords generated by the script below)
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
sudo vi /etc/kibana/kibana.yml (set elasticsearch.username to "kibana_system" and elasticsearch.password to the kibana_system password generated above, so Kibana can authenticate to Elasticsearch)
sudo systemctl restart elasticsearch.service
sudo systemctl restart kibana.service
Better yet, restart the virtual machine so that all configuration is reloaded
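As an added example (not part of this guide), a small bash helper that pulls the kibana_system password out of the saved output of elasticsearch-setup-passwords, emits the two kibana.yml lines Kibana needs, and checks that the three xpack.security settings above are present and set to true. The sample setup-passwords output is constructed; the real tool prints one "PASSWORD <user> = <value>" line per built-in user.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Helpers for the step
# "enable security and set passwords" of an Elastic 7.x single-node lab.
set -eu

# Constructed sample of `elasticsearch-setup-passwords auto` output
# (real passwords are longer; values here are placeholders).
SAMPLE_SETUP_OUTPUT='Changed password for user apm_system
PASSWORD apm_system = Ab12cd34Ef56
Changed password for user kibana_system
PASSWORD kibana_system = Kb78ij90Lm12
Changed password for user elastic
PASSWORD elastic = El34op56Qr78'

# Print the generated password for one built-in user.
# Reads the saved setup-passwords output on stdin.
# Usage: printf '%s\n' "$saved_output" | setup_password kibana_system
setup_password() {
  awk -v u="$1" '$1 == "PASSWORD" && $2 == u { print $4; exit }'
}

# Emit the kibana.yml settings for the Kibana-to-Elasticsearch connection.
# Kibana should authenticate as kibana_system, not as the elastic superuser.
kibana_auth_lines() {
  pw=$(setup_password kibana_system)
  [ -n "$pw" ] || { echo "kibana_system password not found" >&2; return 1; }
  printf 'elasticsearch.username: "kibana_system"\nelasticsearch.password: "%s"\n' "$pw"
}

# Check that elasticsearch.yml ($1) has every security key from this guide
# set to true. Prints each missing or disabled key and returns 1 if any is.
check_security_settings() {
  rc=0
  for k in xpack.security.enabled \
           xpack.security.transport.ssl.enabled \
           xpack.security.authc.api_key.enabled; do
    awk -v k="$k" '$1 == k":" && $2 == "true" { found=1 } END { exit !found }' "$1" \
      || { echo "missing or disabled: $k"; rc=1; }
  done
  return $rc
}
```

Run `printf '%s\n' "$SAMPLE_SETUP_OUTPUT" | kibana_auth_lines` to see the two lines to paste into /etc/kibana/kibana.yml, and `check_security_settings /etc/elasticsearch/elasticsearch.yml` before restarting the services.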
Open the Kibana URL and go to Management -> Fleet
Fleet is the central management point for all your agents and hosts.
Agents are the small processes installed on the hosts you want to monitor.
You can create policies here; for example, create a policy for Windows hosts and enable the IIS log integration in it.
Then assign this policy to all Windows hosts running IIS servers.
Add Windows Agent
Choose the policy for Windows hosts
Download the Elastic Agent to your Windows host, Install the Elastic Agent on the hosts you wish to monitor. You can download the Elastic Agent binaries and verification signatures from Elastic’s download page.
https://www.elastic.co/downloads/past-releases/elastic-agent-7-16-3
Enroll and start the Elastic Agent
From the agent directory, run the appropriate command to install, enroll, and start an Elastic Agent. You can reuse these commands to set up agents on more than one host. Requires administrator privileges.
.\elastic-agent.exe install --url=http://192.168.171.130:8220 --enrollment-token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
The host should appear in the Fleet management center.
Similarly, you can onboard Linux servers.
Linux users: We recommend the installer (TAR) over system packages (RPM/DEB) because it lets you upgrade your agent in Fleet.
sudo ./elastic-agent install --url=http://192.168.171.130:8220 --enrollment-token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
Integrations
You can start adding integrations now. For example, if your Windows server is running IIS, add the IIS integration: go to Management -> Integrations and search for IIS.
Install this integration
IIS Server Integration Dashboard
Also enable the following integrations to take advantage of the security functionality of Elasticsearch.
Once you enable Endpoint Protection, you can see the anti-malware rules in action when malware is detected; a good way to trigger this rule is to try downloading some known malware, such as Cain and Abel or mimikatz, on your Windows host.
Click Analyze to see the process tree.
You can go to Manage -> Endpoints to see whether your endpoints are protected by Elastic Endpoint Security or not.
Threat Intelligence
You can include some threat intelligence modules from Filebeat.