April 23rd, 2020

Deploying a Simple Open Source SIEM

Introduction

There is a lot going on today in a modern network. The ability to visualize, search, and react to security events is critical. A SIEM (Security Information and Event Management) is typically used to meet these needs. There are a lot of SIEM solutions out there and it can be a very complex topic. However, there are some open-source solutions that can meet your needs. This blog will walk you through deploying an open-source solution called the Elastic Stack and through some basic usage of it. The Elastic Stack is a great platform used for many different needs. Today we will focus on a simple SIEM implementation.

Virtual Machine Setup

Our LAB SIEM deployment will be installed in a VMware environment on a single virtual machine. For a production environment, be sure to properly size your virtual machines or hosts to meet your needs. In addition, since this is a LAB environment, we will not attempt to secure the host. In production you would want to harden your host, deploy SSL/TLS, and require authentication.

Let’s get started by creating a new virtual machine. For our LAB needs we will configure an Ubuntu 18.04 server virtual machine with 4 vCPUs, 2 gigs of RAM, a 300 gig disk, and a single ethernet port.
Make sure to mount your Ubuntu ISO for your CD and click the attach check box.

Figure 1: Virtual Machine Parameters

Click finish and power on your new virtual machine. Connect to the console and start a standard installation selecting your keyboard map and other host information. For your network connection you can either assign a static IP address or leave it as DHCP depending on your requirements. In our case we will use a static IP address.

Figure 2: Static IP Address Configuration

You will also need to set up a user that will later be used to access the command line of the virtual machine. Make sure you remember the credentials, as you will need them later.

Figure 3: Initial User Creation

Continue through the standard setup. Towards the end of the setup make sure to enable OpenSSH server. This is how we will access the new virtual machine when the installation is complete.

Figure 4: Enable OpenSSH Server

Finish going through the install wizard and reboot your virtual machine. We are now ready to install and configure our services.

Elasticsearch Install

Our first service to install is Elasticsearch. This is a core component required to allow us to search our collected data. To begin our installation, we need to access the new virtual machine's command line. We will use SSH (Secure Shell) for this. There are many SSH clients out there. We will use PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) for Windows. Open your SSH client and connect to the new virtual machine you just created.

Figure 5: Use SSH Client to Connect to Virtual Machine

Once connected the first step is to install the APT key and APT repository.
Command: wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Figure 6: Install APT key

Next step is to install the APT software repository. This will enable access to the required software components for the SIEM installation.
Command: sudo apt update
sudo apt install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch

Figure 7: Elasticsearch Software Install

Now that the software is installed, we need to do a little bit of configuration. There are many options available in the configuration file. We will only configure the minimum required to enable the service to start and be available to any host.
To access the configuration file, we will use the nano text editor. Make sure the following configuration options are set.
Command: sudo nano /etc/elasticsearch/elasticsearch.yml
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1"]

Figure 8: Elasticsearch Partial Configuration

Now that Elasticsearch is configured for our needs we need to start the service and make sure it is accessible from a browser.
Command: sudo service elasticsearch start

Figure 9: Elasticsearch Access Validation

Set Elasticsearch to start at boot time.

Command: sudo systemctl enable elasticsearch

If your browser shows a reply similar to the one in Figure 9, then you are ready to move on to the next step.

Kibana Install

The next component is Kibana. This is basically the web interface you will use to access the data collected. All this data would not be much good without a way to view it. Installation is easy since we have already added the APT repository.
Command: sudo apt install kibana

Figure 10: Kibana Software Installation

Once the software is installed, we again need to edit the configuration to suit our needs. We are just configuring the minimum for our LAB needs. Using nano, open the configuration file and make sure the following configuration options are set.
Command: sudo nano /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]

Figure 11: Kibana Partial Configuration

Once you have saved your configuration changes, we need to start the service and validate access with a browser. Also set the service to start at boot time.
Command: sudo service kibana start
Command: sudo systemctl enable kibana

Figure 12: Validate Kibana Access

Once you have validated access it’s time to move on to Beats.

Beats Install

Now the fun part begins. Beats are basically agents that capture data and send the information to Elasticsearch for processing. There are many flavors of Beats each with a different purpose. For example, Packetbeat is used to collect network traffic, Filebeat is used to ingest files, and Winlogbeat is used to collect Windows host logs. Additional information on Beats is available on the Elastic Beats website (https://www.elastic.co/downloads/beats).

For our lab setup we will only be installing Winlogbeat on a Windows 10 host. We will do the installation manually. This installation could be automated using group policy or many other software deployment/management applications in a production environment.

To begin our installation, we log into a Windows 10 host and download the winlogbeat application from the following link. https://www.elastic.co/downloads/beats/winlogbeat

Uncompress the file, rename the folder to winlogbeat and copy it to c:\Program Files\.
Now, as with all other components, we need to edit the configuration file to suit our needs. Open the file winlogbeat.yml with your favorite text editor and change the 2 host items to point to the virtual machine you created earlier.

Figure 13: Winlogbeat.yml Host Changes

Once the configuration changes are saved, it's time to install the winlogbeat service. Open a PowerShell prompt as administrator and change to your winlogbeat directory. Then make sure script execution is enabled. The command below starts a new PowerShell session with the execution policy bypassed for that session only.
Command: powershell -ep bypass

Now run the service installation PowerShell script to install the service.
Command: .\install-service-winlogbeat.ps1

Figure 14: Winlogbeat Service Install

Once installed, start the service. This will enable winlogbeat to collect Windows logs and send them to Elasticsearch for processing.
Command: start-service winlogbeat

Validate the service is running using the Windows services plugin.

Figure 15: Winlogbeat Service Running

Sample Usage

Now that we have all required components in place, let's access Kibana and do a little testing. Open a web browser and access your virtual machine's IP address on port 5601 to display the Kibana portal, then select the SIEM icon on the left near the bottom.

Figure 16: Kibana SIEM Access

Now click on Hosts. You should see a host count of 1 and some user authentication graph data. The Windows 10 host that the Winlogbeat agent was installed on will be displayed under All hosts.

Figure 17: Kibana SIEM Hosts

Now that everything appears to be working, let's add a local user to our Windows 10 host and add that user to the local Administrators group. This is a task that is often performed by malicious users.

Figure 18: Create Local User and Add to Administrators

Now back to the Kibana SIEM to see whether the potentially malicious activity was recorded. We will search for the specific event using the search box near the top of the web page.
Search: event.action : "added-group-account-to"

Figure 19: Search for Potentially Malicious Event

As you can see from the image, we were able to pick up these events with a good amount of detail. This is just a small example of the information that can be obtained. Many additional add-ons and agents are available to collect additional information and create alerts based on specific events.
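The same search can be applied outside Kibana to events exported as JSON lines. The following is an added example, not part of the original blog: only the event.action value comes from the search above, while the sample events, the other field names, and the PRIVILEGED_GROUPS list are constructed assumptions.

```python
import json

# Constructed sample events (NDJSON) shaped like Winlogbeat output. Only the
# "added-group-account-to" action comes from the blog; the rest is assumed.
SAMPLE_NDJSON = """\
{"@timestamp": "2020-04-23T14:02:11Z", "host": {"name": "WIN10-LAB"}, "event": {"action": "added-user-account", "code": "4720"}, "user": {"name": "labadmin"}}
{"@timestamp": "2020-04-23T14:02:40Z", "host": {"name": "WIN10-LAB"}, "event": {"action": "added-group-account-to", "code": "4732"}, "user": {"name": "labadmin"}, "group": {"name": "Administrators"}}
{"@timestamp": "2020-04-23T14:05:03Z", "host": {"name": "WIN10-LAB"}, "event": {"action": "added-group-account-to", "code": "4732"}, "group": {"name": "Remote Desktop Users"}}
this line is not JSON and must be skipped
"""

WATCHED_ACTION = "added-group-account-to"
PRIVILEGED_GROUPS = {"administrators"}  # assumption: groups worth escalating

def field(doc, dotted, default=None):
    """Resolve a dotted path such as 'event.action' in a nested document."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc

def parse_events(ndjson):
    """Yield one dict per valid JSON line; skip blank or malformed lines."""
    for line in ndjson.splitlines():
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(doc, dict):
            yield doc

def group_additions(ndjson):
    """Return every group-membership addition, flagging privileged groups."""
    hits = []
    for doc in parse_events(ndjson):
        if field(doc, "event.action") != WATCHED_ACTION:
            continue
        group = str(field(doc, "group.name", "unknown"))
        hits.append({
            "time": field(doc, "@timestamp"),
            "host": field(doc, "host.name", "unknown"),
            "actor": field(doc, "user.name", "unknown"),
            "group": group,
            "privileged": group.lower() in PRIVILEGED_GROUPS,
        })
    return hits

if __name__ == "__main__":
    print(json.dumps(group_additions(SAMPLE_NDJSON), indent=2))
```

Events missing a field are still reported with "unknown" rather than dropped, so an incomplete record does not hide a group change.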

Conclusion

The more information you can collect and process from your environment, the more insight you will have into misconfigurations, errors, performance, and malicious events. A small budget, a little elbow grease, and open source tools are all that's required to get you started. This should get you up and running and give you the ability to expand over time by adding hosts, agents, and add-ons.

Blog By: Brian Hitchcock CISSP, OSCP
