
Build Your Own Home SIEM Lab!


I am extremely passionate about staying updated and enhancing my skills to safeguard any organizations' assets in the dynamic cloud computing environment.

In every 80's action movie, it starts with a bad guy stealing that one priceless work of art by finding the one security camera blind spot or vulnerability. Well, the same thing happens in the cyber world: attackers break in by finding the blind spot.

This can be an uphill battle for security analysts dealing with burnout and too many tools to choose from, each sending over 1,000 alerts a day. Who is going to be our Chuck Norris and stop the bad guys? Enter SIEM.

SIEM (Security Information and Event Management) collects logs and events from across the environment, normalizes and correlates them, and applies detection rules and analytics (increasingly including machine learning) to everything we feed it, outputting high-fidelity alerts prioritized by severity.

What is high-fidelity? Let us go back to our 80's movie plot. The bad guy is stealing from the museum, but he has caused some sort of diversion at the front while he takes the materials out the back. The true issue is not the diversion but the priceless materials being stolen. When there is a cyber attack, a SIEM surfaces the true issue at hand and delivers a swift spinning back fist to the attackers by notifying the proper "authorities". So the moral of the story is that every organization needs Chuck Norris, or, er, I mean a SIEM.

However, what if I told you that you could build your own SIEM lab at home? Yeah SERIOUSLY!! But first we are going to need a couple of things:

Lab Time:

  1. VirtualBox

  2. Free Elastic account

  3. A Kali Linux VM image

Setting up Kali Linux VM

  1. Download the prebuilt VirtualBox image of Kali Linux from the official Kali website:

    https://www.kali.org/get-kali/#kali-virtual-machines

  2. Create a new VM in VirtualBox from the downloaded Kali VM file.

  3. Start the VM and follow any on-screen prompts.

  4. Log in to the Kali VM using the credentials "kali" for both the username and password. Those defaults are public, so change the password (run passwd) before the VM is reachable from anything other than your host.

Setting Up Elastic Account

  1. Sign up for a free trial of Elastic Cloud at https://cloud.elastic.co/

  2. Once the free trial is started, click on the "Create Deployment" button and select "Elasticsearch" as the deployment type. The deployment includes Kibana, which is where the Security app (the SIEM) lives.

  3. Choose the region and deployment size that fit your needs and click "Create Deployment".

  4. Wait for the configuration to complete. Save the deployment credentials it shows you; the password is displayed only at creation (it can be reset later).

  5. Once the deployment is ready, click "Continue".

Setting up Agent to Collect Logs

An agent is a software program installed on a device to collect data and send it to a central system for analysis and monitoring. So what we are going to do is set up our agent to collect events from our Kali VM and forward them to our SIEM instance. Exciting!

  1. Log into Elastic SIEM and navigate to Integrations.

  2. Search for "Elastic Defend" and click to open the integration page.

  3. Click on "Install Elastic Defend" and follow the instructions to install the agent on the Kali VM.

  4. Paste the install command into the Kali terminal (command line). The command embeds an enrollment token for your deployment; treat it like a credential and do not share screenshots of it.

  5. Once the agent is installed, you will see a message that says "Elastic Agent has been successfully installed." It will automatically start collecting and forwarding events to your Elastic SIEM instance.

Run the command sudo systemctl status elastic-agent.service to verify that the agent has been installed and is running. sudo elastic-agent status additionally shows whether the Endpoint (Elastic Defend) component is healthy.

Generating Security Events on the Kali VM

Now that we have verified that the agent is working correctly, we can start generating security events on the Kali VM. Let's start with the Nmap tool. Nmap (Network Mapper) is a free utility used for network exploration, management, and security auditing. It discovers hosts and services on a computer network, creating a "map" of the network.

  1. If you aren't using Kali, install Nmap. Nmap comes preinstalled on Kali.

  2. Run a scan against the Kali machine itself with: sudo nmap <vm ip> or sudo nmap localhost

Run a few more scans (sudo nmap -sS <ip address>, nmap -sT <ip address>, nmap -p- <ip address>, etc.). The SYN scan (-sS) needs raw sockets, so it has to run as root via sudo; the connect scan (-sT) does not. Keep the scans pointed at the VM itself or at machines you own, since scanning networks you are not authorized to test is not a lab exercise.

Querying Events in Elastic SIEM

Now that we have generated security events in our VM, let's start querying those events and analyzing the data.

  1. Inside Elastic, click the menu at the top-left with the 3 horizontal lines and then click on the "Logs" tab under "Observability" to view the logs from the VM (Discover, under "Analytics", works just as well for the endpoint events).

    1. In the search bar, enter a search query. Elastic Defend records each process execution with its name and arguments, so to find the Nmap runs enter process.name: "nmap" (or process.args: "nmap" to also catch the sudo wrapper). It does not label events as scans, so a query such as event.action: "Nmap_scan" returns nothing.

    2. Click "search".

      Please note that it may take a while for the events to populate and show up in the SIEM, so this query might not return results right away.

The results of the search will be displayed in the table below. Click on the 3 dots next to an event for more details.

By generating and analyzing different types of security events in Elastic SIEM like the one above, or by generating authentication failures by typing in the wrong password for a user or attempting SSH logins with an incorrect password, you can gain a better understanding of how security incidents are detected, investigated, and responded to in real-world environments. One caveat: authentication failures are written to the system auth log, which Elastic Defend does not collect; add the System integration to the same agent policy if you want those events in the SIEM. (sshd is also not running by default on Kali; start it before testing SSH logins.)

Create a Dashboard to Visualize Events

When using a SIEM, you always want visualizations to spot patterns and anomalies in your data. Create a simple dashboard that shows a count of security events over time.

  1. Navigate to Elastic web portal at https://cloud.elastic.co/.

  2. Click on the menu icon on the top left, under "Analytics", click on "Dashboards".

  3. Click on "Create a Dashboard" button at the top right.

  4. Click on the "Create visualization" button to add a panel.

  5. Select "Area" or "Line" as the visualization type. This will create a chart that shows the count of events over time.

    1. In the visualization editor on the right, use "Count of records" for the vertical axis and "@timestamp" (a date histogram) for the horizontal axis. Filter the panel with a query such as process.name: "nmap" so the chart shows scan activity rather than every process on the VM.

Click "Save" to save the visualization and then complete the rest of the dashboard settings.

Create an Alert

In a SIEM, alerts are critical for detecting security incidents and responding to them in a timely manner. Alerts are created from predefined rules or custom queries and can be configured to trigger specific actions when certain conditions are met. By following these steps, you can create a rule that monitors your events for Nmap scans and notifies you when they are detected.

  1. Click on the menu icon in the top-left, then under "Security", click on "Alerts".

  2. Click "Manage rules" at the top right.

    1. Click the "Create new rule" button at the top right.

    2. Under the "Define rule" section, select the "Custom query" rule type.

    3. Under "Custom query", set the condition for the rule. Elastic Defend reports each Nmap run as a process event, so use the query process.name: "nmap" (the default index patterns, which include logs-*, cover the endpoint data). There is no event.action value for Nmap scans, so a query on an action such as "nmap_scan" would never fire. Then click "Continue".

    4. Under the "About rule" section, give your rule a name and a description (for example, Nmap Scan Detection).

    5. Set the severity level for the alert, which helps you prioritize alerts based on their importance. Keep all the other default settings under "Schedule rule" (the rule runs every 5 minutes with 1 minute of additional look-back, so each run covers the previous 6 minutes of events) and click "Continue".

    6. In the "Actions" section, select the action you want to take when the rule fires. You can choose to send an email notification, post a Slack message, or call a custom webhook.

    7. Finally, click the "Create and enable rule" button to create the alert.

      Once you have created the rule, it will monitor your events for Nmap executions. When one is detected, an alert is raised and the selected action is taken. You can view and manage your alerts in the "Alerts" section under "Security". Because the query matches any nmap execution, expect it to fire on your own scans too; in a real environment you would tune it with exceptions for authorized scanners.
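The querying and alerting steps above leave the rule's logic implicit. Here is an added example, not code from the original post or from Elastic, that shows in Python what the custom-query rule does when it runs: it takes process events in the ECS shape Elastic Defend records (the sample events are constructed for this example, not real agent output), applies the query process.name: "nmap" over one scheduled window (5-minute interval plus 1-minute look-back), classifies the scan from Nmap's arguments, and also builds the per-minute count series behind the dashboard. The scan-type labels and the alert fields are this example's own choices, not Elastic's alert schema.

```python
"""Added example: an offline stand-in for the Nmap custom-query rule and the
dashboard count series. Events are CONSTRUCTED to mirror the ECS fields
Elastic Defend records for a Linux process execution; they are not real output.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events. The first is the sudo wrapper (which the rule must
# not match), the last is an old scan outside the rule window.
EVENTS = [
    {"@timestamp": "2024-01-10T12:00:04Z", "event": {"action": "exec"},
     "host": {"name": "kali"}, "user": {"name": "kali"},
     "process": {"name": "sudo", "args": ["sudo", "nmap", "-sS", "10.0.2.15"]}},
    {"@timestamp": "2024-01-10T12:00:05Z", "event": {"action": "exec"},
     "host": {"name": "kali"}, "user": {"name": "root"},
     "process": {"name": "nmap", "args": ["nmap", "-sS", "10.0.2.15"],
                 "parent": {"name": "sudo"}}},
    {"@timestamp": "2024-01-10T12:00:20Z", "event": {"action": "exec"},
     "host": {"name": "kali"}, "user": {"name": "kali"},
     "process": {"name": "ls", "args": ["ls", "-la"]}},
    {"@timestamp": "2024-01-10T12:00:40Z", "event": {"action": "exec"},
     "host": {"name": "kali"}, "user": {"name": "kali"},
     "process": {"name": "nmap", "args": ["nmap", "-sT", "10.0.2.15"]}},
    {"@timestamp": "2024-01-10T12:01:10Z", "event": {"action": "exec"},
     "host": {"name": "kali"}, "user": {"name": "root"},
     "process": {"name": "nmap", "args": ["nmap", "-p-", "10.0.2.15"],
                 "parent": {"name": "sudo"}}},
    {"@timestamp": "2024-01-10T11:50:00Z", "event": {"action": "exec"},
     "host": {"name": "kali"}, "user": {"name": "root"},
     "process": {"name": "nmap", "args": ["nmap", "localhost"],
                 "parent": {"name": "sudo"}}},
]

# Nmap flags worth naming in an alert (labels are this example's choice).
SCAN_TYPES = {"-sS": "SYN scan", "-sT": "TCP connect scan",
              "-sU": "UDP scan", "-p-": "all 65535 ports"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_rule(event):
    """Equivalent of the KQL custom query  process.name: "nmap"  used by the rule."""
    return event.get("process", {}).get("name") == "nmap"


def classify_scan(args):
    """Turn nmap's argument vector into human-readable scan types."""
    found = [label for flag, label in SCAN_TYPES.items() if flag in args]
    return found or ["default scan"]


def run_rule(events, now, interval=timedelta(minutes=5),
             lookback=timedelta(minutes=1), severity="medium"):
    """One scheduled run of the rule.

    Elastic runs a rule every `interval` and, to tolerate ingest delay, looks
    back an extra `lookback`, so each run covers (now - interval - lookback, now].
    Returns one alert per matching event in that window.
    """
    window_start = now - interval - lookback
    alerts = []
    for ev in events:
        ts = parse_ts(ev["@timestamp"])
        if not (window_start < ts <= now) or not matches_rule(ev):
            continue
        args = ev["process"].get("args", [])
        # First non-flag argument after the program name is the scan target.
        target = next((a for a in args[1:] if not a.startswith("-")), "unknown")
        alerts.append({
            "rule": "Nmap Scan Detection",
            "severity": severity,
            "@timestamp": ev["@timestamp"],
            "host": ev["host"]["name"],
            "user": ev["user"]["name"],
            "scan_types": classify_scan(args),
            "target": target,
            "via_sudo": ev["process"].get("parent", {}).get("name") == "sudo",
        })
    return alerts


def count_over_time(events, bucket=timedelta(minutes=1)):
    """The series behind the dashboard panel: matching events per time bucket."""
    counts = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        ts = parse_ts(ev["@timestamp"])
        floored = ts - timedelta(seconds=ts.timestamp() % bucket.total_seconds())
        key = floored.strftime("%Y-%m-%dT%H:%MZ")
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    run_time = parse_ts("2024-01-10T12:06:00Z")
    for alert in run_rule(EVENTS, run_time):
        print(alert)
    print(count_over_time(EVENTS))
```

Run as a script it prints three alerts (SYN, connect and full-port scans) and the per-minute counts. The sudo wrapper is skipped because its process.name is "sudo", which is why the rule keys on process.name rather than process.args, and the 11:50 scan is skipped because it falls outside the 6-minute window of a run at 12:06; a rule with a shorter look-back than its ingest delay would miss events the same way.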

Conclusion

In this guide, we have set up a home lab using Elastic SIEM and a Kali VM. We forwarded data from the Kali VM to the SIEM using Elastic Agent with the Elastic Defend integration, generated security events on the Kali VM using Nmap, and queried and analyzed the events in the SIEM using the Elastic web interface. We also created a dashboard to visualize security events and then created a rule to alert on them.

This home lab provides a valuable environment for learning and practicing the skills necessary for effective security monitoring and incident response using Elastic SIEM. By following these steps, you can gain hands-on experience with using a SIEM and improve your security monitoring skills to help you become a successful security analyst or engineer.