ElasticSearch Kibana SIEM Implementation

Security DashBoard ELK

Virtual Machine Details

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

RAM 4 GB, CPU 2

IP: 192.168.171.130

Download Elastic Search

sudo apt-get install apt-transport-https

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

sudo apt-get update && sudo apt-get install elasticsearch

Make the following changes (un-comment the keys) in the Elasticsearch main configuration file

vi /etc/elasticsearch/elasticsearch.yml

  • network.host: 0.0.0.0
  • http.port: 9200
  • cluster.initial_master_nodes: lab4

Add Elasticsearch to the Ubuntu startup services

sudo update-rc.d elasticsearch defaults 95 10

sudo /bin/systemctl enable elasticsearch.service

sudo -i service elasticsearch start

sudo -i service elasticsearch status

If the service fails to start, check the log file

tail -100 /var/log/elasticsearch/elasticsearch.log

Verify ElasticSearch is running by opening the URL in a browser

Install Kibana

https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install kibana
sudo /bin/systemctl enable kibana.service

Make the following changes to the Kibana main configuration file

sudo vi /etc/kibana/kibana.yml

  • server.port: 5601
  • server.host: "0.0.0.0"
  • server.publicBaseUrl: "http://192.168.171.130:5601"
  • server.name: "lab4"
  • elasticsearch.hosts: ["http://0.0.0.0:9200"]

Enable Kibana to run at startup

sudo /bin/systemctl enable kibana.service
sudo systemctl restart kibana.service

If the service fails to start, check the log file

tail -100 /var/log/kibana/kibana.log

Verify Kibana is running by opening the URL in a browser

Enable Security Integrations for SIEM Functionality

vi /etc/elasticsearch/elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
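The three configuration steps above (elasticsearch.yml network settings, kibana.yml server settings, and the xpack.security keys) all amount to un-commenting or adding flat "dotted.key: value" lines. This added helper, not part of the original post, applies exactly those settings idempotently so a re-run does not leave commented and active copies of the same key side by side; it assumes the stock Elastic config layout and the values given on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the post's Elasticsearch
# and Kibana settings to their YAML files idempotently. Elastic's stock configs
# are flat "dotted.key: value" files, so a key is either commented out
# ("#network.host: 192.168.0.1"), active with another value, or absent.
set -eu

# set_yaml_key KEY VALUE FILE
# Replaces the first commented or active occurrence of KEY, drops any later
# duplicates, or appends the key if it is absent. Rewrites through cat so the
# file keeps its owner and mode (root:elasticsearch 0660 on a stock install).
set_yaml_key() {
    key="$1"; value="$2"; file="$3"
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        index(line, k ":") == 1 { if (!done) { print k ": " v; done = 1 } ; next }
        { print }
        END { if (!done) print k ": " v }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# The settings the post asks for in /etc/elasticsearch/elasticsearch.yml,
# including the xpack.security keys from the SIEM section.
configure_elasticsearch() {
    f="$1"
    set_yaml_key network.host 0.0.0.0 "$f"
    set_yaml_key http.port 9200 "$f"
    set_yaml_key cluster.initial_master_nodes lab4 "$f"
    set_yaml_key xpack.security.enabled true "$f"
    set_yaml_key xpack.security.transport.ssl.enabled true "$f"
    set_yaml_key xpack.security.authc.api_key.enabled true "$f"
}

# The settings the post asks for in /etc/kibana/kibana.yml.
configure_kibana() {
    f="$1"
    set_yaml_key server.port 5601 "$f"
    set_yaml_key server.host '"0.0.0.0"' "$f"
    set_yaml_key server.publicBaseUrl '"http://192.168.171.130:5601"' "$f"
    set_yaml_key server.name '"lab4"' "$f"
    set_yaml_key elasticsearch.hosts '["http://0.0.0.0:9200"]' "$f"
}

# Usage (as root): configure_elasticsearch /etc/elasticsearch/elasticsearch.yml
```

Run it against a copy first and diff the result against the live file before restarting the services.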

Enable passwords and API authentication for agent connections to the Elasticsearch server (note down the passwords generated by the script below)

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

vi /etc/elasticsearch/elasticsearch.yml (replace the passwords for the connection between Kibana and Elasticsearch with those generated above)

Add any random 32-character string for Kibana

sudo systemctl restart elasticsearch.service

sudo systemctl restart kibana.service

Better yet, restart the virtual machine so all configuration is reloaded

Go to the Elasticsearch URL and go to Management -> Fleet

Fleet is your central management for all your agents and hosts

Agents are the small processes installed on the hosts you want to monitor

You can create Policies here, for example, create a Policy for Windows Hosts and enable IIS log integration.

Then you need to assign this policy to all Windows hosts running IIS servers

Add Windows Agent

Choose the policy for Windows hosts

Download the Elastic Agent to your Windows host and install it on the hosts you wish to monitor. You can download the Elastic Agent binaries and verification signatures from Elastic's download page.

https://www.elastic.co/downloads/past-releases/elastic-agent-7-16-3

Enroll and start the Elastic Agent

From the agent directory, run the appropriate command to install, enroll, and start an Elastic Agent. You can reuse these commands to set up agents on more than one host. Requires administrator privileges.

.\elastic-agent.exe install --url=http://192.168.171.130:8220 --enrollment-token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==

The host should appear in the Fleet Management Center

Similarly you can onboard Linux servers

Linux users: We recommend the installer (TAR) over system packages (RPM/DEB) because it lets you upgrade your agent in Fleet.

sudo ./elastic-agent install --url=http://192.168.171.130:8220 --enrollment-token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==

Integrations

You can start adding integrations now; for example, if your Windows server is running IIS, add the IIS integration

Go to Management -> Integrations -> search for IIS

Install this integration

IIS Server Integration Dashboard

Also enable the following integrations to take advantage of the security functionality of Elasticsearch

Once you enable Endpoint Protection, you can see the anti-malware rules in action if any malware is detected; a good way to trigger this rule is to try downloading some known malware like Cain and Abel or mimikatz on your Windows host

Click Analyze to see the process tree

You can go to Manage -> Endpoints to see whether your endpoints are protected by Elasticsearch Endpoint Security or not

Threat Intelligence

You can include some threat intel modules from Filebeat
