DetectionLabELK is a fork of Chris Long’s DetectionLab with the ELK stack in place of Splunk.

Description:

DetectionLabELK is the perfect lab to use if you want to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blue teams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Use cases:

A popular use case for DetectionLabELK is when you are considering adopting the MITRE ATT&CK framework and want to build detections for its techniques. You can use DetectionLabELK to quickly run atomic tests, see what logs are generated and compare them to your production environment. This way you can:

Lab Information:

Primary Lab Features:

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Windows Event Forwarder along with Winlogbeat are pre-installed and all indexes are pre-created on ELK. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir’s Windows Event Forwarding subscriptions and custom channels are implemented
  • PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir’s osquery Configuration
  • Sysmon is installed and configured using Olaf’s open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Lab Hosts:

  1. DC – Windows 2016 Domain Controller

    • WEF Server Configuration GPO
    • PowerShell logging GPO
    • Enhanced Windows Auditing policy GPO
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
    • Microsoft Advanced Threat Analytics Lightweight Gateway
  2. WEF – Windows 2016 Server

    • Microsoft Advanced Threat Analytics
    • Windows Event Collector
    • Windows Event Subscription Creation
    • PowerShell transcription logging share
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards WinEventLog & PowerShell & Sysmon & osquery)
    • Sysinternals Tools
  3. Win10 – Windows 10 Workstation

    • Simulates an employee workstation
    • Sysmon
    • osquery
    • Sysinternals Tools
  4. Logger – Ubuntu 18.04

    • Kibana
    • Fleet osquery Manager
    • Bro
    • Suricata
    • Elastic Beats Forwarder (Forwards Bro logs & Suricata & osquery)
    • Guacamole
    • Velociraptor

Requirements

  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Vagrant 2.2.2 or newer
  • VirtualBox

Deployment Options

  1. Use Vagrant Cloud Boxes – ETA ~2 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install the Vagrant-Reload plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from the command line OR download it directly via this link.
    • cd to “DetectionLabELK/Vagrant” and execute vagrant up.
  2. Build Boxes From Scratch – ETA ~5 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install the “Vagrant-Reload” plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from the command line OR download it directly via this link.
    • cd to the “DetectionLabELK” base directory and build the lab by executing ./build.sh virtualbox (Mac & Linux) or ./build.ps1 virtualbox (Windows).

Troubleshooting:

  • To make sure the build process completed successfully, make sure you are in the DetectionLabELK/Vagrant directory and run vagrant status. The four machines (wef, dc, logger and win10) should be running. If one of the machines is not running, execute vagrant reload <host>. If you want to pause the whole lab, execute vagrant suspend and resume it using vagrant resume.
  • Deployment logs will be available in the Vagrant folder as vagrant_up_<host>.log
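As an added example (not part of the DetectionLabELK project), a small POSIX shell script that automates the health check above: it parses `vagrant status` output for the four lab hosts and prints the `vagrant reload` or `vagrant resume` command each non-running host needs. Host names are the ones from the lab description; the sample status text is constructed.

```shell
#!/bin/sh
# Added example, not part of the DetectionLabELK project: parse `vagrant status`
# output and work out which of the four lab hosts need attention.
# Host names (dc, wef, logger, win10) and the state words are Vagrant's own;
# the sample output below is constructed for demonstration.

LAB_HOSTS="dc wef logger win10"

# Print the Vagrant state word ("running", "poweroff", "saved", ...) for host $2
# from the status text $1, or "missing" if the host does not appear at all.
host_state() {
    state=$(printf '%s\n' "$1" | awk -v h="$2" '$1 == h { print $2; exit }')
    echo "${state:-missing}"
}

# For each host that is not running, print the remedial command from the
# troubleshooting notes: `vagrant resume` for a suspended (saved) box,
# `vagrant reload <host>` for anything else (poweroff, aborted, missing).
repair_commands() {
    for h in $LAB_HOSTS; do
        case "$(host_state "$1" "$h")" in
            running) ;;
            saved)   echo "vagrant resume $h" ;;
            *)       echo "vagrant reload $h" ;;
        esac
    done
}

# Succeed (exit 0) only when every lab host is running.
lab_healthy() {
    [ -z "$(repair_commands "$1")" ]
}

# Constructed sample of `vagrant status` output: wef was powered off and
# win10 had been suspended with `vagrant suspend`.
SAMPLE_STATUS='Current machine states:

logger                    running (virtualbox)
dc                        running (virtualbox)
wef                       poweroff (virtualbox)
win10                     saved (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state.'

# Live mode: run from DetectionLabELK/Vagrant as `sh lab_check.sh --live`.
if [ "${1:-}" = "--live" ]; then
    repair_commands "$(vagrant status 2>&1)"
fi
```

Without `--live` the script only defines the functions, so it can be sourced and used against saved status output as well.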

Lab Access:

Support: If you face any problem, please open a new issue and provide the relevant log file.
