DetectionLabELK is a fork of Chris Long's DetectionLab with the ELK stack as an alternative to Splunk.
Description:
DetectionLabELK is the simplest lab to use if you want to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blue teams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Use cases:
A popular use case for DetectionLabELK is when you consider adopting the MITRE ATT&CK framework and want to develop detections for its techniques. You can use DetectionLabELK to quickly run atomic tests, see what logs are generated and compare them to your production environment. This way you can:
- Validate that your production logging is working as expected.
- Ensure that your SIEM is collecting the correct events.
- Improve alert quality by reducing false positives and eliminating false negatives.
- Minimize coverage gaps.
Lab Information:
Primary Lab Features:
- Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
- Windows Event Forwarder along with Winlogbeat are pre-installed and all indexes are pre-created on ELK. Technology add-ons for Windows are also preconfigured.
- A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
- Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
- PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
- osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
- Sysmon is installed and configured using Olaf's open-sourced configuration
- All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
- SMBv1 Auditing is enabled
Lab Hosts:
DC – Windows 2016 Domain Controller
- WEF Server Configuration GPO
- PowerShell logging GPO
- Enhanced Windows Auditing policy GPO
- Sysmon
- osquery
- Elastic Beats Forwarder (Forwards Sysmon & osquery)
- Sysinternals Tools
- Microsoft Advanced Threat Analytics Lightweight Gateway
WEF – Windows 2016 Server
- Microsoft Advanced Threat Analytics
- Windows Event Collector
- Windows Event Subscription Creation
- PowerShell transcription logging share
- Sysmon
- osquery
- Elastic Beats Forwarder (Forwards WinEventLog & PowerShell & Sysmon & osquery)
- Sysinternals Tools
Win10 – Windows 10 Workstation
- Simulates an employee workstation
- Sysmon
- osquery
- Sysinternals Tools
Logger – Ubuntu 18.04
- Kibana
- Fleet osquery Manager
- Bro
- Suricata
- Elastic Beats Forwarder (Forwards Bro logs & Suricata & osquery)
- Guacamole
- Velociraptor
Prerequisites
- 55GB+ of free disk space
- 16GB+ of RAM
- Vagrant 2.2.2 or newer
- VirtualBox
Deployment Options
Use Vagrant Cloud Boxes – ETA ~2 hours.
- Install Vagrant on your system.
- Install Packer on your system.
- Install the Vagrant-Reload plugin by running the following command:
vagrant plugin install vagrant-reload
- Download DetectionLabELK to your local machine by running the following command from the command line OR download it directly via this link:
git clone https://github.com/cyberdefenders/DetectionLabELK.git
- cd to “DetectionLabELK/Vagrant” and execute vagrant up.
Build Boxes From Scratch – ETA ~5 hours.
- Install Vagrant on your system.
- Install Packer on your system.
- Install the Vagrant-Reload plugin by running the following command:
vagrant plugin install vagrant-reload
- Download DetectionLabELK to your local machine by running the following command from the command line OR download it directly via this link:
git clone https://github.com/cyberdefenders/DetectionLabELK.git
- cd to the “DetectionLabELK” base directory and build the lab by executing ./build.sh virtualbox (Mac & Linux) or ./build.ps1 virtualbox (Windows).
Troubleshooting:
- To make sure that the build process completed successfully, make sure you are in the DetectionLabELK/Vagrant directory and run vagrant status. The 4 machines (wef, dc, logger and win10) should be running. If one of the machines is not running, execute vagrant reload <host>. If you want to pause the whole lab, execute vagrant suspend and resume it using vagrant resume.
- Deployment logs can be found in the Vagrant folder as vagrant_up_<host>.log
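The Vagrant Cloud deployment steps and the troubleshooting check above, put together as a small POSIX shell helper. This is an added example, not a script shipped with DetectionLabELK; it assumes it is run from the DetectionLabELK/Vagrant directory with Vagrant already installed, and the sample vagrant status output embedded in it is constructed.

```shell
#!/bin/sh
# Added helper, not part of DetectionLabELK. Checks the Vagrant version against
# the stated minimum, installs the vagrant-reload plugin if missing, runs
# "vagrant up", then parses "vagrant status" and reloads any of the four lab
# hosts that is not in the "running" state.
# Assumption: executed from the DetectionLabELK/Vagrant directory.

LAB_HOSTS="dc wef logger win10"   # the four machines the lab creates
MIN_VAGRANT="2.2.2"               # minimum version listed under Prerequisites

# Constructed sample of "vagrant status" output with two hosts not running.
SAMPLE_STATUS='Current machine states:

logger                    running (virtualbox)
dc                        running (virtualbox)
wef                       poweroff (virtualbox)
win10                     not created (virtualbox)'

# version_ge A B: succeed when dotted version A is greater than or equal to B
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# hosts_to_reload STATUS_TEXT: print each lab host whose state is anything
# other than "running" (poweroff, aborted, "not created", ...), one per line
hosts_to_reload() {
    printf '%s\n' "$1" | awk -v hosts="$LAB_HOSTS" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        ($1 in want) && $2 != "running" { print $1 }'
}

# deploy_and_check: the "Use Vagrant Cloud Boxes" flow plus the status check
deploy_and_check() {
    ver=$(vagrant --version | awk '{ print $2 }')   # "Vagrant 2.2.x" -> "2.2.x"
    version_ge "$ver" "$MIN_VAGRANT" || { echo "need Vagrant >= $MIN_VAGRANT, have $ver" >&2; return 1; }
    vagrant plugin list | grep -q '^vagrant-reload ' || vagrant plugin install vagrant-reload
    vagrant up
    status=$(vagrant status)
    for h in $(hosts_to_reload "$status"); do
        echo "$h is not running, reloading (provisioning log: vagrant_up_$h.log)"
        vagrant reload "$h"
    done
}
```

Call deploy_and_check from the Vagrant directory to run the whole flow; hosts_to_reload "$SAMPLE_STATUS" on its own shows which hosts the check would reload for the constructed sample (wef and win10).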
Lab Access:
Support: If you face any issue, please open a new issue and attach the related log file.
Source: KitPloit – PenTest Tools!