SpadaSchiavonesca/Elastic-SIEM-Lab
Elastic-SIEM-Lab

Home SIEM Lab powered by Elastic Stack & Nmap (Network Mapper)

Objective

The Detection Lab project aimed to establish a controlled environment for simulating and detecting cyber attacks. The primary focus was to ingest and analyze logs within a Security Information and Event Management (SIEM) system, generating test telemetry to mimic real-world attack scenarios. This hands-on experience was designed to deepen understanding of network security, attack patterns, and defensive strategies.

Skills Learned

  • Advanced understanding of SIEM concepts and practical application.
  • Proficiency in analyzing and interpreting network logs.
  • Ability to generate and recognize attack signatures and patterns.
  • Enhanced knowledge of network protocols and security vulnerabilities.
  • Development of critical thinking and problem-solving skills in cybersecurity.

Tools Used

  • Elastic Security Information and Event Management (SIEM) system for log ingestion and analysis.
  • Network scanning with Nmap, run from a Kali Linux VirtualBox VM, to generate the network traffic and host activity that the SIEM ingests.
  • Telemetry generation tools to create realistic network traffic and attack scenarios.

Steps

Step 1: Log in to your Elastic SIEM instance. Navigate to the Integrations page by clicking on the Kibana main menu at the top left and selecting 'Integrations' from the bottom of the list.

screenshot

Step 2: Search for 'Elastic Defend' and click on it to open its integration page.

screenshot2

Step 3: Click on 'Install Elastic Defend' and follow the instructions on the integration page to install the agent on your Kali VM.

screenshot3

Step 4: Ensure 'Linux' is selected on the page, then copy the provided command to your clipboard.

screenshot4

Step 5: Paste the copied command into the terminal of your Kali VM. Run the command.

screenshot5

Step 6: Once the agent is installed, which can take a few minutes, you will see a message stating 'Elastic Agent has been successfully installed.' The agent will automatically start collecting and forwarding logs to your Elastic SIEM instance, though it might take a few minutes for the logs to appear in the SIEM.

screenshot6

Step 7: To verify the agent installation, run the following command: sudo systemctl status elastic-agent.service (the service should be reported as active and running).

screenshot7

Step 8: In this exercise, I used the Nmap tool (Network Mapper), a free and open-source utility for network exploration, management, and security auditing. Nmap is designed to discover hosts and services on a computer network, effectively creating a network 'map.' It can scan hosts for open ports, identify the operating system and software running on the target system, and collect additional network information. Running Nmap scans generates several security events, including the detection of open ports and the identification of services on those ports. Perform a few more Nmap scans using commands like nmap -sS <localhost>, nmap -sT <localhost>, nmap -p- <localhost>, etc.

screenshot8

Step 9: With the data from the Kali VM now forwarded to the SIEM, we can begin querying and analyzing the logs. In your Elastic Deployment, click the menu icon at the top left (three horizontal lines), then select the 'Logs' tab under 'Observability' to view the logs from the Kali VM.

screenshot9

Step 10: In the search bar, enter a search query to filter the logs. For example, to find all logs related to Nmap scans, use the query: event.action: "nmap_scan" OR process.args: "sudo". Click the "Search" button to execute the query. The search results will appear in the table below, and you can click on the three dots next to each event for more details.

screenshot10

screenshot10b

Step 11: To create a dashboard in the Elastic web portal:

  1. Navigate to the Elastic web portal at https://cloud.elastic.co/.
  2. Click on the menu icon at the top-left.
  3. Under "Analytics," click on "Dashboards."

screenshot11

Step 12:

  1. Click the “Create dashboard” button at the top-right to start a new dashboard.

  2. Press “Create Visualization” to add a new visualization to the dashboard.

  3. Choose between “Area” or “Line” as your visualization type to create a chart displaying event counts over time.

  4. In the visualization editor under the "Metrics" section on the right:

Select "Count" as the vertical field type. Choose "Timestamp" for the horizontal field. This setup will display the count of events over time in your visualization. Click on the "Save" button to save the visualization. Complete any remaining settings or configurations as needed to finalize your dashboard setup.

Step 13: To access the Alerts section in Elastic Security:

Click on the menu icon at the top-left. Under "Security," click on "Alerts." Click on "Manage rules" located at the top right corner of the page.

screenshot13

Step 14:

To create a new rule for detecting Nmap scan events:

  1. Click on the "Create new rule" button at the top right.
  2. Under the "Define rule" section, select the "Custom query" option from the dropdown menu.
  3. In the "Custom query" field, set the conditions using the following query to detect Nmap scan events:
event.action: "nmap_scan"

This query will filter events where the action is "nmap_scan". Adjust the query as needed to match specific criteria for detecting Nmap scans or other security events.
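The two queries used in this lab (Step 10 and Step 14) can be reasoned about offline. The following is an added example, not part of the lab repository: it evaluates the small subset of KQL those queries use over constructed ECS-shaped events, assuming the event layout Elastic Defend produces (dotted field names, process.args as an array), and shows why the broader Step 10 query also surfaces non-Nmap activity.

```python
# Added example: minimal evaluator for the flat KQL queries used in this lab.
# Supports only `field: "value"` terms joined by OR / AND (no parentheses, no NOT).
import re

def get_field(event, dotted):
    """Resolve an ECS dotted field name (e.g. process.args) against a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

TERM = re.compile(r'([\w.]+)\s*:\s*"([^"]*)"')

def term_matches(event, field, value):
    """KQL `field: "value"` on a keyword field: exact match, or membership for arrays."""
    actual = get_field(event, field)
    if isinstance(actual, list):
        return value in actual
    return actual == value

def kql_match(query, event):
    """Return True if the event satisfies the query (OR of AND-groups)."""
    for group in re.split(r'\s+OR\s+', query.strip()):
        ok = True
        for raw in re.split(r'\s+AND\s+', group):
            m = TERM.fullmatch(raw.strip())
            if m is None:
                raise ValueError(f"unsupported KQL term: {raw!r}")
            if not term_matches(event, *m.groups()):
                ok = False
                break
        if ok:
            return True
    return False

# Constructed sample events (not real telemetry) in the shape Elastic Agent would send.
SAMPLE_EVENTS = [
    {"event": {"action": "nmap_scan"}, "process": {"name": "nmap", "args": ["nmap", "-sS", "127.0.0.1"]}},
    {"event": {"action": "exec"}, "process": {"name": "sudo", "args": ["sudo", "apt", "update"]}},
    {"event": {"action": "exec"}, "process": {"name": "sshd", "args": ["sshd", "-D"]}},
]

STEP10_QUERY = 'event.action: "nmap_scan" OR process.args: "sudo"'   # log search, Step 10
STEP14_QUERY = 'event.action: "nmap_scan"'                            # detection rule, Step 14

def matching_indexes(query, events=SAMPLE_EVENTS):
    """Indexes of the events a query would surface; Step 10 also hits the plain sudo event."""
    return [i for i, ev in enumerate(events) if kql_match(query, ev)]
```

The difference between the two result sets is the false-positive surface of the `process.args: "sudo"` clause: any privileged command matches it, so it is useful for exploring logs but too noisy for an alerting rule.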

screenshot14

Step 15:

After setting the custom query to match events with the action "nmap_scan," click "Continue." In the "About rule" section, give your rule a name (e.g., Nmap Scan Detection) and a description. Set the severity level for the alert to prioritize alerts based on their importance. Keep the default settings under "Schedule rule" unchanged, and then proceed by clicking "Continue."

screenshot15

Step 16:

In the "Actions" section, choose the action you want triggered when the rule detects an event. Options include sending an email notification, creating a Slack message, or triggering a custom webhook. Finally, click the "Create and enable rule" button to create the alert with your selected actions.

screenshot16

Step 17: Once the alert is created, it will monitor your logs for Nmap scan events. When an Nmap scan event is detected, the alert will trigger and execute the selected action. You can manage and view all your alerts in the "Alerts" section under "Security."

screenshot17
