Building Your Own SIEM Lab: A Step-by-Step Guide (Part 1)
Written on
This article marks the beginning of a series dedicated to creating a SIEM lab while developing 'Purple Team' skills. The term 'Purple' reflects our dual focus: primarily on 'Blue Team' operations while also incorporating 'Red Team' strategies to enrich our SIEM with pertinent data. The series will unfold as follows:
- Setting up the lab
- Logging activities and data ingestion
- Investigating with Elastic Agent
- Investigating with Winlogbeat
For those interested in following along, I’ll assume you possess fundamental IT skills and have a basic understanding of what a SIEM is.
Note: Most of the configurations in this guide will be manual; however, there are alternative automation methods available. Tools like Vagrant and Ansible are excellent for this purpose. While I have some familiarity with these tools, I currently lack a complete automated setup, which will be addressed in a future article.
SIEM Alternatives
Numerous well-known (and costly) SIEMs, such as Splunk and LogRhythm, cater to enterprise needs, but my focus is a modest home lab that doesn’t have the necessary hardware or budget for complex enterprise solutions.
Although Splunk offers a free version and is widely recognized, I've opted for an alternative called Elastic. It’s free, open-source, and fits nicely into my home lab environment. Due to its open-source nature, Elastic enjoys extensive usage and serves as the foundation for various other SIEM applications, which I will briefly mention.
Elastic
https://www.elastic.co/elastic-stack
Originally launched as 'Elasticsearch', it later integrated additional applications—Logstash and Kibana—to form the 'ELK Stack'. Over time, further enhancements and app integrations have expanded the ELK beyond these three core applications, leading to its common reference as the 'Elastic Stack'.
Graylog
https://www.graylog.org/products/open-source
This platform utilizes Elasticsearch and MongoDB at its core while featuring an intuitive web GUI.
SOF-ELK
https://sansgear.com/sof-elk/
A highly customized iteration of the Elastic Stack developed by SANS, used in their 'Tactical SIEM' training course.
HELK
https://github.com/Cyb3rWard0g/HELK
Another tailored version of the Elastic Stack, emphasizing threat hunting.
All these options are strong contenders, each excelling in different areas. For my purposes, I've chosen the standard Elastic stack due to its straightforwardness and minimal resource requirements. Plus, it has a visually appealing interface!
Lab Overview
As mentioned earlier, my available computing power is limited, so the lab will be quite basic. Despite these constraints, we will incorporate essential elements to simulate a standard on-premise enterprise network, with possibilities for future expansions.
Lab Specifications and Considerations
My host PC specifications: - Windows 10 - Intel i5 Skylake CPU (quite dated) - 32 GB RAM - 512 GB SSD
Specifications for each virtual machine: - Active Directory — Windows Server 2019 (1 CPU, 2 GB RAM) - Elastic SIEM — Ubuntu Server 20.04 LTS (2 CPUs, 2 GB RAM) - Workstation 1 — Windows 10 (1 CPU, 2 GB RAM) - Workstation 2 (optional) — Windows 10 (1 CPU, 2 GB RAM) - Attacker Workstation (optional) — Kali Linux (Gnome DE) (2 CPUs, 4 GB RAM)
If you need help setting up an Active Directory server and a domain-joined Windows 10 workstation, refer to the video below:
Zero to Hero: 0:00 — Welcome 2:37 — Lesson overview 5:00 — Downloading our ISOs 6:35 — Installing Windows Server 2016 and Windows 10 16:30 — Renaming Windows Server...
Alternatively, you can consult this guide.
Miscellaneous Notes: - I am using VirtualBox as my hypervisor since it is free and feature-rich. You can also use the free version of VMware, but it lacks features like guest snapshotting. - I utilize the NAT Network type and depend on the domain controller for client DHCP (screenshots of the VirtualBox configuration follow). - Port forwarding is set up to connect to and manage the Elastic server (see the 'Installing Elastic' section below).
To begin, navigate to File -> Preferences in the main VirtualBox Manager.
Elastic Overview
A fully equipped Elastic Stack consists of various components and integrations, but we will concentrate on two primary applications—Elasticsearch and Kibana. In a production setup, these applications would typically be installed separately; however, due to the constraints of a home lab, we'll combine them on a single server.
This illustration offers a simplified view of a typical production setup.
I opted for Ubuntu to host the Elastic Stack, but other operating systems such as Debian, OpenSUSE, or even Windows could also be utilized. If you need instructions for setting up an Ubuntu server in VirtualBox, check out this walkthrough; otherwise, a quick online search will suffice.
Installing Elastic is straightforward, as the documentation is quite reliable compared to many open-source products. The basic installation steps include:
- Importing Elastic's PGP key
- (Optional) Installing the apt-transport-https package for secure traffic to the repositories
- Adding Elastic to the local sources list
- Installing the app(s) using the local package manager
- Modifying some configuration files
Before diving into the details, let’s quickly review the components we’ll be installing on our server.
Elasticsearch
“Elasticsearch offers near real-time search and analysis for all data types. Whether your data is structured or unstructured, numeric, or geospatial, Elasticsearch can efficiently store and index it to facilitate quick searches.”
Kibana
- An open-source analytics and visualization platform. Utilize Kibana to explore your Elasticsearch data and create visually stunning dashboards.
- A UI for managing the Elastic Stack. Manage security settings, assign user roles, take snapshots, and more, all through the convenient Kibana interface.
- A centralized hub for Elastic's solutions. From log analytics to document discovery to SIEM, Kibana serves as the portal to access these features.
Many readers might not remember the past, but one could liken Elastic to those old View-Master stereoscopes. Picture Elasticsearch data as photo reels, with Kibana as the viewer that allows you to quickly flip through the images.
Installing Elastic
Now that the foundation has been laid, we can proceed with the installation of Elastic. I’m starting with a fresh, updated install of Ubuntu server.
Before initiating the installation, I set up port forwarding on my NAT Network to utilize the Windows Terminal app on my host PC for interacting with the Elastic server. While this is not essential, it makes for a more comfortable terminal experience.
We begin by adding Elastic’s PGP signing key to our APT keyring:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Next, as an optional step, install the apt-transport-https package to secure the connection to the public repositories:
sudo apt-get install apt-transport-https
Now let's add Elastic to our sources list:
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
Finally, install both Elasticsearch and Kibana:
sudo apt-get update && sudo apt-get install elasticsearch kibana
An optional step is to configure systemd to automatically start Elasticsearch and Kibana upon system boot:
sudo /bin/systemctl daemon-reload sudo /bin/systemctl enable elasticsearch.service sudo /bin/systemctl daemon-reload sudo /bin/systemctl enable kibana.service
That’s it! Elastic is now installed on our server.
Next, we will go through the configuration steps needed to get our new SIEM operational.
Configuring Elastic
Before we proceed, it's important to note that our home lab version of Elastic is extremely insecure. For simplicity, we will skip essential measures like certificates and unique passwords, which are crucial in a production environment.
WARNING: DO NOT USE THIS CONFIGURATION IN A PRODUCTION SETUP!
Elastic configuration files are formatted in YAML and are relatively straightforward to edit.
Elasticsearch
Using your preferred editor, open /etc/elasticsearch/elasticsearch.yml and locate the 'Network' section.
Uncomment the line for network.host and replace it with the local server's IP address.
Uncomment the line for http.port but keep its value as '9200'.
Next, find the 'Discovery' section and add the following line:
discovery.type: single-node
Normally, you would have multiple Elasticsearch servers in a cluster. By setting the discovery type to 'single-node', we instruct Elasticsearch not to search for neighboring nodes. This setting also bypasses several strict bootstrap checks that are usually necessary in a highly available production cluster; however, this is not a concern for our lab setup.
Once you complete these changes, save the file, restart the Elasticsearch service, and confirm it is running:
Kibana
Next, open the file /etc/kibana/kibana.yml:
Uncomment the line for server.port but keep the value at '5601'.
Uncomment the line for server.host and change 'localhost' to the server's IP address.
Uncomment the line elasticsearch.hosts and replace 'localhost' with the server's IP address.
After saving your changes, restart the Kibana service and verify it is running.
The Kibana web interface should now be accessible. You can reach it via a browser on one of the virtual machines within the NAT Network or from your local host PC (make sure to set up an additional port forwarding rule in VirtualBox).
Technically, we now have a functioning Elastic Stack set up and running. As noted earlier, Elastic offers numerous functionalities, integrations, and features for various applications, but I won’t cover everything here.
For our home lab, we aim to explore the ‘Security’ section of the Kibana dashboard:
As you navigate through the interface, you’ll discover that most features are accessible, though certain parts of the Elastic Stack will require additional configurations.
Additional Configuration
We will need to revisit both the Elasticsearch and Kibana configuration files to make further changes to fully leverage all that Elastic has to offer.
In the /etc/elasticsearch/elasticsearch.yml file, scroll to the bottom and in the 'Various' section, add the following lines:
xpack.security.enabled: true xpack.security.authc.api_key.enabled: true xpack:
security:
authc:
realms:
native:
native1:
order: 0
By enabling X-Pack, we unlock several additional features, one of which is the concept of Realms—essentially an authentication system. We will use the Native realm, which allows for local authentication. Other realms, such as SAML, require a paid license.
After saving your changes, restart Elasticsearch.
Next, navigate to the /usr/share/elasticsearch/bin directory. The Elastic Stack includes various built-in user accounts, and we’ll need to set their passwords:
sudo ./elasticsearch-setup-passwords interactive
This command will launch an interactive script prompting you to set a password for each built-in user. For simplicity, I used 'Password123' for all, but feel free to use any password you prefer. Once again, I must stress that while this method eases setup in our lab, unique passwords should always be used in a production environment!
Restart Elasticsearch once again.
Now, return to the /etc/kibana/kibana.yml file and make the necessary adjustments.
Scroll to the section referencing elasticsearch.username and elasticsearch.password—uncomment those lines and update the password value to match what you set previously.
Finally, scroll to the bottom and add the following lines:
xpack.security.enabled: true xpack.ingestManager.fleet.tlsCheckDisabled: true xpack.encryptedSavedObjects.encryptionKey: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
The first line activates the X-Pack extension for Kibana, while the last two lines enable functions for the Fleet beta that we will use in the next part of this series.
Restart Kibana and refresh your browser tab—you should now be greeted with a login prompt.
The username will be ‘elastic’, and the password will be whatever you set for that account.
Upon successfully logging in, you will have access to parts of Kibana that were previously restricted:
That concludes this portion of the series.
Feel free to explore the Kibana UI. While there may not be much to view until logs are ingested, I will address that in the next installment. We'll discuss how to set up a Windows environment to generate the appropriate logs/events and how to ingest them into Elastic using Beats and the new Elastic Agent.
If you enjoyed this article and would like to support my work, please consider buying me a coffee through this link.