GETTING STARTED WITH ELASTIC STACK IN CYBERSECURITY
(This is a direct clone of John Strand's IntroLabs on GitHub. Some configurations were not working while setting up this project in my cybersecurity homelab, so I updated John's work with an alternative walkthrough.)
The Elastic Stack is a group of open source products from Elastic designed to help users take data from any type of source and in any format, and search, analyze and visualize that data in real time. The product group was formerly known as the ELK Stack for the core products in the group — Elasticsearch, Logstash and Kibana — but has been rebranded as the Elastic Stack.
To learn ELK, we don't need several servers or to spend large sums of money. We can get into the driver's seat and experiment with ELK by using the Elastic Cloud 14-day trial. The trial does not require a credit card to get started; you only need an email address and a password.
1. Set up an account.
Start your free Elastic Cloud Trial
This link is for the trial sign up page. Start a trial by signing up.
2. Watch your email for a confirmation.
3. Click “Verify and Accept.” You should be redirected to the cloud login page. If you’re not redirected, you can find it here.
After logging in, fill out the proper fields with the correct information pictured below and select the check boxes with red dots.
Once those fields are filled out, click "Next".
4. Start an ELK instance.
Upon clicking "Next" you will see the following page. For my instance I will be calling it "security-development". Enter the name of your deployment and click "Create Deployment".
Next we will see this page.
Elastic will present the credentials for this ELK stack: the elastic superuser account and its password. There is the option to download a CSV of the credentials. The password is shown only once at deployment creation, so however you decide to hold onto these credentials, don't lose them, and keep them in a password manager rather than in a plain-text file on the host you are about to monitor.
Then wait for the "Continue" button to turn blue and click it.
We will be greeted with a menu of options; skip that menu.
Then at the top of the page we want to click search and type “kibana” and hit enter.
Once the next page loads we want to add Kibana. Select "Add Kibana".
We will next be prompted to “Install Elastic Agent” This is what we are going to put on our machine that monitors what’s happening. Click “Install Elastic Agent”
Select Windows, then click "Copy to Clipboard". Hold onto this command; paste it into a file where you won't lose it. In this example, I saved it to a file I called "agent.txt". We will use this command later. Note that the command contains your Fleet enrollment token, which lets any machine that has it enroll an agent into your deployment, so treat the file as a secret and delete it once the agent is installed.
Delete these lines (the download and extraction commands) from the copied command, because we will download and extract the agent by hand in the next step:
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.11.0-windows-x86_64.zip -OutFile elastic-agent-8.11.0-windows-x86_64.zip
Expand-Archive .\elastic-agent-8.11.0-windows-x86_64.zip -DestinationPath
5. Download Elastic Agent
Download the Elastic Agent for your platform and format (for this walkthrough, the Windows ZIP). Elastic recommends the TAR/ZIP installers over system packages (RPM/DEB) because agents installed from them can be upgraded from Fleet.
Extract/Unzip the downloaded file.
The remainder of the command should look like this, with the --url and --enrollment-token values Fleet generated for your deployment (the URL is defanged here as hxxps://xyz, and <token> stands for your enrollment token):
cd elastic-agent-8.11.0-windows-x86_64
.\elastic-agent.exe install --url=hxxps://xyz --enrollment-token=<token>
PART 2
Press the Windows key, type PowerShell, and click "Run as Administrator".
Once the PowerShell window opens, change to the directory where the file was extracted, then paste the command you kept in the file (in my case "agent.txt") into PowerShell and hit Enter to install the Elastic Agent.
C:\WINDOWS\system32> cd C:\Users\[USER]\Downloads\elastic-agent-8.11.0-windows-x86_64
C:\Users\[USER]\Downloads\elastic-agent-8.11.0-windows-x86_64> cd elastic-agent-8.11.0-windows-x86_64
C:\Users\[USER]\Downloads\elastic-agent-8.11.0-windows-x86_64\elastic-agent-8.11.0-windows-x86_64> .\elastic-agent.exe install --url=hxxps://xyz --enrollment-token=<token>
Your output on PowerShell should look like below:
Type y and hit Enter when prompted by PowerShell. Switch back to your browser and you should see "1 agent has been enrolled".
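The whole of steps 5 and PART 2 as one script, added here as an example (it is not the original walkthrough's command and not Elastic's own installer script). It does what the manual steps do, but checks the download against the SHA-512 digest Elastic publishes next to every artifact before anything from the zip is executed, and verifies the service after the install. The Fleet URL and enrollment token are placeholders (assumptions): paste the real values from the command you saved in agent.txt.

```powershell
# Added example: verified download and non-interactive install of Elastic Agent.
# Run from an elevated PowerShell window. Placeholders below are assumptions;
# copy --url and --enrollment-token from the Fleet "Install Elastic Agent" page.
$FleetUrl        = 'https://REPLACE-ME.fleet.cloud.es.io:443'
$EnrollmentToken = 'REPLACE-ME'

$Version = '8.11.0'
$Name    = "elastic-agent-$Version-windows-x86_64"
$Url     = "https://artifacts.elastic.co/downloads/beats/elastic-agent/$Name.zip"
$Work    = Join-Path $env:USERPROFILE 'Downloads'
$Zip     = Join-Path $Work "$Name.zip"

# Windows PowerShell 5.1 may still negotiate TLS 1.0; artifacts.elastic.co needs 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ProgressPreference = 'SilentlyContinue'   # the progress bar makes Invoke-WebRequest very slow
Invoke-WebRequest -Uri $Url -OutFile $Zip
Invoke-WebRequest -Uri "$Url.sha512" -OutFile "$Zip.sha512"

# The .sha512 file is "<hex digest>  <filename>"; refuse to unpack a mismatching zip.
$Expected = (Get-Content "$Zip.sha512" -Raw).Split(' ')[0].Trim().ToLower()
$Actual   = (Get-FileHash -Path $Zip -Algorithm SHA512).Hash.ToLower()
if ($Expected -ne $Actual) {
    throw "SHA-512 mismatch for ${Zip}: expected $Expected, got $Actual"
}

# The zip contains a top-level folder named like the zip, so this lands in $Work\$Name.
Expand-Archive -Path $Zip -DestinationPath $Work -Force
Set-Location (Join-Path $Work $Name)

# --force answers the confirmation prompt the walkthrough tells you to answer with y.
.\elastic-agent.exe install --url=$FleetUrl --enrollment-token=$EnrollmentToken --force
if ($LASTEXITCODE -ne 0) { throw "elastic-agent install failed with exit code $LASTEXITCODE" }

# Post-install checks: the service exists and is running, and the installed agent
# (it copies itself to Program Files) reports its connection state to Fleet.
Get-Service -Name 'Elastic Agent' | Select-Object Name, Status
Start-Sleep -Seconds 5
& "$env:ProgramFiles\Elastic\Agent\elastic-agent.exe" status
```

If the status output shows the agent as anything other than healthy, the Fleet page will usually show the same agent as Unhealthy or Offline; the enrollment token and the Fleet URL are the two values to re-check first.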
Then click "Add to Integration". On the next page leave everything at its defaults and click "Confirm Incoming Data".
Let's make sure the device has connected. Click the hamburger menu at the top left of the window, scroll almost all the way to the bottom, and select "Fleet". The agent should be listed there with a Healthy status.
Our Elastic Agent is installed and configured to be connected to our ELK instance in the cloud. Part three will cover how to configure Sysmon to submit logs to this Elastic Agent, which will ingest the logs to appear in Kibana.
PART 3
By default, the Windows event logs record little of what matters for security monitoring. To get logs that are more readable and useful, we can use Sysmon, which records process creation (with full command line and file hashes), network connections, driver and image loads, and similar events in its own event log channel.
6. Download Sysmon
Follow this link to download Sysmon.
Find the “Download Sysmon” link.
Right-click the downloaded Sysmon zip and choose "Extract All". Ensure the Sysmon zip is selected (it will be highlighted blue).
"Extract" to the Downloads folder. Windows should auto-populate the Downloads path.
In your search bar, type “PowerShell.” The following options will be presented. Click “Run as Administrator.”
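The install itself, in that elevated PowerShell window, as an added example that is not part of the original walkthrough. It checks the Sysinternals binary's Authenticode signature before installing the driver, installs with network-connection logging switched on, and then reads the newest process-creation events back out of the Sysmon channel so you know Sysmon is producing data before Fleet is involved. The Downloads\Sysmon path is an assumption based on the "Extract All" default in step 6.

```powershell
# Added example: install Sysmon and confirm it is logging.
# Assumption: the zip was extracted to %USERPROFILE%\Downloads\Sysmon (step 6 default).
$SysmonDir = Join-Path $env:USERPROFILE 'Downloads\Sysmon'
$Sysmon    = Join-Path $SysmonDir 'Sysmon64.exe'
if (-not (Test-Path $Sysmon)) { throw "Sysmon64.exe not found in $SysmonDir" }

# Sysinternals binaries are Authenticode-signed by Microsoft; do not install a
# copy whose signature is missing or broken.
$Sig = Get-AuthenticodeSignature -FilePath $Sysmon
if ($Sig.Status -ne 'Valid') { throw "Sysmon64.exe signature status is $($Sig.Status)" }

# -accepteula  accept the licence without a dialog
# -i           install the driver and the Sysmon64 service
# -n           also log network connections (event ID 3), which the default
#              configuration leaves off; a tuned ruleset can be passed instead
#              as "-i <config.xml>"
& $Sysmon -accepteula -i -n
if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }

# Checks: the service is running, and the active configuration is what we asked for.
Get-Service -Name 'Sysmon64' | Select-Object Name, Status
& $Sysmon -c | Select-Object -First 20

# Generate one process-creation event and read the newest event ID 1 records
# back from the channel the Elastic Agent Windows integration will collect.
Start-Process -FilePath 'whoami.exe' -ArgumentList '/user' -NoNewWindow -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 3 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            User        = $d['User']
        }
    }
```

The Image, CommandLine and User values printed here are the same ones that will appear in Kibana as process.executable, process.command_line and user.name once the Windows integration is collecting the channel.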
Once Sysmon is installed and running on the system, we need to configure our Elastic Agent to gather its logs. Sign into your cloud account.
Navigate to “Integrations” through the navigation menu.
At the top of the page enter “windows” into the search bar. Select the Windows option with the red square pictured below.
Add this integration.
By default, the Sysmon channel (Microsoft-Windows-Sysmon/Operational, which the integration stores as the windows.sysmon_operational dataset) should already be enabled. This can be checked under the "Collect events from the following Windows event log channels:" section of the "Add integration" page.
Save the Integration.
When prompted, click "Add Elastic Agent to your hosts".
In the Integrations menu, find the “Installed integrations” tab.
In PART 1, we selected an Elastic Security configuration. In doing so, "Endpoint Security" and "System" were automatically installed in our Integrations.
7. At this point, play around on the computer that has Elastic Agent installed.
Move files around, create files, start programs, make a few Google searches. This will generate some logs to ensure that we have Sysmon logs reaching our cloud.
After you have created some log activity, navigate to “Discover” by accessing the hamburger menu on the top left.
Add a filter to limit the results to Sysmon data: choose the field "data_stream.dataset", the operator "is", and the value "windows.sysmon_operational", then click "Add filter". Your filter is now set.
If rows come back (and no error), your Sysmon data is being collected and sent to Elastic. If the result is empty, check that the agent shows as Healthy in Fleet and that the time range in Discover covers the activity you just generated.
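The same check without the Kibana UI, as an added example that is not part of the original walkthrough: the Discover filter above is sent to the Elasticsearch _search API with Invoke-RestMethod, against the data stream the Windows integration writes to. The Elasticsearch endpoint URL below is a placeholder (assumption); the real one and the elastic password are in the credentials CSV saved in step 4.

```powershell
# Added example: confirm Sysmon events are arriving, via the Elasticsearch API.
# Assumption: replace $EsUrl with your deployment's Elasticsearch endpoint.
$EsUrl = 'https://REPLACE-ME.es.cloud.es.io:443'
$Cred  = Get-Credential -UserName 'elastic' -Message 'Elastic Cloud deployment password'
$Pair  = "$($Cred.UserName):$($Cred.GetNetworkCredential().Password)"
$Auth  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Pair))
$Headers = @{ Authorization = "Basic $Auth" }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Elastic Agent integration data lands in data streams named logs-<dataset>-<namespace>;
# the Windows integration's Sysmon dataset is windows.sysmon_operational and the
# default namespace is "default". The filter matches the Discover step exactly.
$Query = @{
    size  = 5
    sort  = @(@{ '@timestamp' = 'desc' })
    query = @{
        bool = @{
            filter = @(
                @{ term  = @{ 'data_stream.dataset' = 'windows.sysmon_operational' } },
                @{ range = @{ '@timestamp' = @{ gte = 'now-15m' } } }
            )
        }
    }
} | ConvertTo-Json -Depth 10

$Resp = Invoke-RestMethod -Method Post `
            -Uri "$EsUrl/logs-windows.sysmon_operational-*/_search" `
            -Headers $Headers -ContentType 'application/json' -Body $Query

if ($Resp.hits.total.value -eq 0) {
    throw 'No Sysmon events in the last 15 minutes: check the agent is Healthy in Fleet and the Windows integration is in its policy'
}

# Print the fields a detection engineer looks at first. winlog.event_id 1 is
# process creation, 3 is a network connection.
$Resp.hits.hits | ForEach-Object {
    $s = $_._source
    [pscustomobject]@{
        Time        = $s.'@timestamp'
        EventId     = $s.winlog.event_id
        Host        = $s.host.name
        Process     = $s.process.executable
        CommandLine = $s.process.command_line
    }
}
```

Because this uses the elastic superuser, treat it as a one-off verification; for anything scripted on a schedule, create a dedicated user or API key with read access to logs-windows.* only.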