Objective
This project demonstrates how to set up a home lab for Elastic Stack SIEM (Security Information and Event Management) using a Kali Linux VM and the Elastic Cloud platform. The project includes configuring an Elastic Agent, generating security events, analyzing logs in the Elastic SIEM, creating visualizations, and setting up alerts for real-time threat detection. The goal is to practice security monitoring and incident response techniques using Elastic Stack.
Skills Learned
- SIEM Deployment and Configuration
- Log Analysis and Event Monitoring
- Security Event Alerting
- Data Visualization and Dashboard Creation
Tools Used
- Elastic SIEM (Elastic Stack): Security Information and Event Management
- Kali Linux: Virtual Machine for testing and generating security events
- VirtualBox: Virtualization platform for running the Kali Linux VM
- Elastic Agent: Collecting and forwarding logs from the VM to Elastic SIEM
Steps
Elastic Agent Installation on Kali Linux
This screenshot captures the Kali Linux terminal executing the commands that integrate the host machine with the Elastic Stack. The process involves downloading, extracting, and installing the Elastic Agent, which enables data collection and monitoring from the host. Enrolling the agent with Elastic Cloud ensures that real-time logs and security data from the Kali machine are sent to Elastic's centralized system for analysis and threat detection. This integration is a key step in establishing endpoint security monitoring as part of the broader SIEM setup.
Activity Generation Commands in Kali Linux
This screenshot shows two commands executed in the Kali Linux terminal to create network activity and generate logs for monitoring. The first command performs a comprehensive port scan on the localhost, while the second command initiates a SYN scan. These commands simulate activity so that the logging and monitoring behaviour of the Elastic Cloud environment can be observed directly.
Logs Overview in Elastic Cloud
This screenshot displays the Logs section in the Observability area of Elastic Cloud. Captured after executing various commands on the Kali Linux machine to generate activity, it illustrates the comprehensive logging of events. The logs include various activities that were performed, providing valuable insights into system behavior and facilitating anomaly detection as part of the endpoint monitoring process.
Log Entry Details for Kali Linux IP
These screenshots highlight the details of a log entry whose host IP matches that of the Kali Linux machine. They provide in-depth information about the logged activity, including timestamps and the nature of the events, allowing for targeted analysis and investigation of actions performed on the host system. This detail is crucial for understanding user activities and detecting potential security threats.
Graphical Representation of Logs and Activities
This screenshot presents the graphical dashboard displaying logs and activities from the Kali Linux machine. The dashboard refreshes every five seconds, providing real-time insights into the ongoing activities and facilitating immediate monitoring of the system’s status. This dynamic visualization is crucial for analyzing the effectiveness of the logging and monitoring solutions implemented in the Elastic Cloud environment.
Email Alert for nmap Scan Detection
This screenshot displays the email alert generated by Elastic Defender, notifying that an nmap scan has been detected on the Kali Linux machine. The alert serves as a critical security measure, allowing for immediate awareness and response to potential network scanning activities, enhancing the overall security posture of the environment.
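As an added example (not code from the original project), the detection logic behind an alert of this kind, run over constructed ECS-style process events of the shape Elastic Agent forwards from the endpoint. The host name, IP, timestamps and the flag-to-scan-type mapping are assumptions.

```python
import os

# Constructed ECS-style process events as Elastic Agent would ship them (hypothetical values).
HOST = {"name": "kali", "ip": "192.0.2.10"}
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:01Z", "host": HOST,
     "process": {"name": "nmap", "executable": "/usr/bin/nmap", "args": ["nmap", "-p-", "127.0.0.1"]}},
    {"@timestamp": "2024-05-01T10:00:05Z", "host": HOST,
     "process": {"name": "nmap", "executable": "/usr/bin/nmap", "args": ["nmap", "-sS", "127.0.0.1"]}},
    {"@timestamp": "2024-05-01T10:00:09Z", "host": HOST,
     "process": {"name": "bash", "executable": "/bin/bash", "args": ["bash"]}},
    # Network event with no process block: the rule must skip it, not crash.
    {"@timestamp": "2024-05-01T10:00:10Z", "host": HOST, "network": {"transport": "tcp"}},
]

# Assumed mapping of nmap flags to the two scan kinds the page's commands produce.
SCAN_FLAGS = {"-sS": "SYN scan", "-p-": "full port scan"}


def is_nmap(event: dict) -> bool:
    """Match process.name or the executable's basename, so an invocation by
    full path (/usr/bin/nmap) is still caught."""
    proc = event.get("process") or {}
    exe = proc.get("executable") or ""
    return proc.get("name") == "nmap" or os.path.basename(exe) == "nmap"


def describe_scan(args: list) -> str:
    labels = [SCAN_FLAGS[a] for a in args if a in SCAN_FLAGS]
    return ", ".join(labels) if labels else "unclassified scan"


def detect_nmap_scans(events: list) -> list:
    """Return one alert record per nmap execution found in the event stream."""
    alerts = []
    for ev in events:
        if not is_nmap(ev):
            continue
        args = ev["process"].get("args") or []
        # Positional arguments after the program name are the scan targets.
        targets = [a for a in args[1:] if not a.startswith("-")] or ["<unknown>"]
        host = ev.get("host") or {}
        scan = describe_scan(args)
        alerts.append({
            "timestamp": ev.get("@timestamp"), "host": host.get("name"),
            "host_ip": host.get("ip"), "scan_type": scan, "targets": targets,
            "message": f"nmap scan detected on {host.get('name')} ({host.get('ip')}): "
                       f"{scan} against {', '.join(targets)}",
        })
    return alerts
```

The `message` field is what a notification action (such as the email shown here) would carry; flags that take a separate value are not parsed, so targets are only reliable for the two command forms the page describes.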
Conclusion
The successful deployment of the Elastic Stack with the Elastic Agent on the Kali Linux environment has demonstrated the effectiveness of integrating endpoint security with centralized logging and monitoring capabilities. By generating intentional activity and analyzing the resulting logs, the project showcased the system’s ability to capture and visualize data effectively. The alerts set up through Elastic Defender proved instrumental in providing real-time notifications for suspicious activities, such as the nmap scans, thereby reinforcing the importance of proactive threat detection. This project not only enhances the understanding of SIEM capabilities within Elastic Cloud but also establishes a solid foundation for future security operations and incident response strategies.