Elastic Stack Tutorial | Create a Free SIEM Tool with Elasticsearch, Winlogbeat, & Kibana | Part 2

Captions
In today's video we're going to continue working with the Elastic Stack. We're going to install Winlogbeat and Sysmon and start visualizing those logs in Kibana. We'll also teach you how to make your own visualizations. Thank you for choosing to watch this video. To help us help more people like you, please like, comment and subscribe, and also hit the notification bell so that you'll get notified of our future videos. So let's get started.

Last time we installed Elasticsearch, we installed Kibana, and we started bringing in host data on our server from Auditbeat. We briefly showed you the SIEM application. We're going to expand today by bringing in Windows event security logs using Winlogbeat, then we'll actually show you how to make your own visualizations in Kibana, in addition to a little more practice on that SIEM application.

The first thing we're going to do is add an additional logging service to our Windows system. For the purposes of this tutorial I created a Windows virtual machine; you don't have to take that step, you could easily put this on whatever system you are hosting your server on. For instance, on a daily basis I run Sysmon and Winlogbeat on my laptop, providing me an extra layer of security. Sysmon, again, is an extra logging service: it monitors processes, it monitors DLL use, it monitors network connections, so it really enriches the amount of data and the number of threats that we can detect on a Windows host. So I'm going to show you how to install that before we put Winlogbeat on.

The easiest way is to Google to find all the resources we need, so we're going to Google "sysmon". Out of this Google search we're going to want two separate links. The first one is going to be from docs.microsoft.com, and it's actually going to be the Sysmon page. We're also going to come to SwiftOnSecurity's GitHub, because there is a sample Sysmon configuration that you can use, which is a great place to start, and I'll show you how you do that. So first we're going to open up the Microsoft site so we can download Sysmon.

OK, so this is the official Microsoft site for Sysmon, so we're going to be following these steps here. The first thing we need to do, obviously, is download it, so go ahead and click Download Sysmon. Once you have Sysmon downloaded, go ahead and extract it using Extract All, or if you have other zip-related software feel free to use that to extract it. You're going to want to either extract it directly into the Program Files folder, or you can also just grab this and then drag a copy in; it's up to you, either way is fine. Once it's in Program Files, go ahead and open it up, and you can see that there is the user agreement and the actual application.

The second piece that we've got to go get is a configuration file for it. Like I was saying, SwiftOnSecurity provides a very good sample configuration for you to start with, so we're going to use that one. OK, so as you can see, this is the Sysmon configuration file for everybody. Not only do they provide this as a good starting point, but it also allows a good starting point for others to make configurations that they might need for specific use cases, or they might want to enrich data, say with MITRE ATT&CK techniques. There are all sorts of different configurations that you can look at, and what you want to do here is look at the different forks that are available, and you'll see all the different ones that community members have made. So we're going to go ahead and download this. Once you have the sysmon-config folder downloaded and extracted, go ahead and go into it and find the sysmonconfig-export XML file. Drag a copy of that into the Sysmon folder that you put into Program Files. So here it is; I'm going to hold down Control and drag a copy into the Sysmon folder. Once I'm in the Sysmon folder, what I'd like you to do is go ahead and right-click here and rename it. We're not going to change too much; we're just going to get rid of the "export" and leave it as sysmonconfig.

Before we install Sysmon I want to show you what the configuration actually looks like. It looks like a large file, but what's going on here is we're excluding trusted processes, trusted file images, things that are going to be on the system and that we don't want to be alerting on, because we already know they're fine. So for instance this is for ProcessCreate, and it says onmatch exclude, and it does this for all the different event types. NetworkConnect is onmatch include, and then it shows different ones that should be connecting; so, you know, if it comes from the temp folder it probably shouldn't be making a network connection. What's nice about this configuration is that it's highly commented, so you can see why they're making that particular rule.

So we're going to go ahead and follow these instructions, and I'll tell you the command that we're going to use for our installation. First of all, let me close this so I can show you how I got there. I brought up the command prompt; a quick way of getting there, by the way, is just to type cmd. Make sure to run as administrator, and then navigate to your Sysmon directory, so Program Files and then Sysmon. The command we're going to use is going to be sysmon, and then we're telling it we're installing it with a configuration, so -i, then we want to give the name of the configuration. Now, if the configuration wasn't saved in the directory then you would have to give the whole path, but since ours is, we don't have to, so sysmonconfig.xml. We're also going to want to tell it to accept the EULA agreement, so we'll put that. Now what I'm doing here is we want to make all our hashes SHA-256, because by default Sysmon uses SHA-1, and eventually that could cause problems with having distinct hashes for all of our values. -l will give you image loads, which are important; they're used a lot in threat attacks. And then -n will give you network monitoring, so that will monitor connections, DNS and everything like that. Push Enter and then it will install it.

We've installed Sysmon. I want to show you a really good way to make sure your installation worked and that it's running. Go into your search bar and type in "services"; you're going to open the Services app. OK, these are all the different services that are running on your Windows machine, so what I'm going to do is scroll down to the S's, and notice here it has Sysmon and the status is Running. It even says who it's logged on as, which is Local System. It can be stopped and restarted from here. So this confirms that Sysmon is on our machine, it's running, and everything's good. We'll close this and move on to installing Winlogbeat.

To install Winlogbeat, the first thing you want to do, always, is go back to the documentation site for Elastic. What I did was just Google "install winlogbeat elastic" and I was able to come to this page, and you can download it from here. Go to the downloads page and you have different options on how you can install it. You can download it as a zip file, which is what we're going to be doing. They're also working on a Microsoft installer, but as you can see it's still in beta, and what that means is they're still testing it and it still might have some problems, so maybe down the line we'll use this installer, but for now we're going to want to make sure to click on the 64-bit Windows zip. Click on that and it'll prompt you to download it, so you can go ahead and download that. I've actually already downloaded it earlier, as you might say in a cooking show, so I have it here in my Downloads folder. Remember it's zipped, so I'm going to right-click and extract it, and now it's extracted. Now, if we go to the installation
steps here, we can follow these and it will tell you what to do. One thing you have to do is rename the folder itself. Notice when we extracted it, it extracts as winlogbeat, then it has the version and the platform. We're actually going to have to rename that. One important thing: notice what they're asking you to rename it to in here, Winlogbeat but with a capital W. That's very important; if you don't capitalize that W it actually won't start, and that's a common problem a lot of people run into. I've run into it, and it finally occurred to me that, wait a minute, the computer is looking for a capitalized W for the directory, but you know, most of the time we wouldn't capitalize things. So we're going to rename it: go down to Rename, and then, very important, capitalized Winlogbeat. Then we're going to move that to our Program Files; that's what they want us to do. So you can tell it to move it to Program Files, and it's going to ask you for permission to do it, and now we should be able to go to Program Files and there it is.

Now we're going to open up PowerShell, so just type "power" in your search bar and it'll come up, or you can type out the whole thing, but it'll come up once you just type "power". Make sure to run as administrator. We're going to do cd, and when you put in this path you're going to have to put it in quotes because Program Files has a space. So we're in Program Files; I just like to do it one step at a time because that way it's easier for me. OK, so now we're in the Winlogbeat directory. We can give it a dir command and you can see everything in here. We're going to be running this script, install-service-winlogbeat.ps1, so we're going to do dot slash, since it's in our path: .\install-service-winlogbeat.ps1. OK, and it's run. On some of your systems script execution policies may not be set; if they aren't, then you're going to have to put these options in here, -ExecutionPolicy Unrestricted, and they have an example of how you can do that on the documentation site, but basically you have to let it know that it can run the script. On my system I have script running set up, but here in the Elastic documentation they show you how to do this: the -ExecutionPolicy Unrestricted option. You just put that option when you run it and it will run without a problem.

So now we can check our list of services. Well, I'm going to close this, actually. We can go and check our list of services and confirm that Winlogbeat is in here now, and there we are, Winlogbeat has been added. The only thing we're going to change: notice it's set to Automatic startup; we're going to want to come into Properties and change that to Manual. I want only manual stop and start, and from now on when we stop and start Winlogbeat we'll just do it from here. You can do it from PowerShell, but this is easier.

Now we're actually going to go back to our Ubuntu machine and make a quick change to the Kibana configuration. Before, we had accessed Kibana just from inside of our virtual machine, or in other words from the same server that we were using it from. However, Winlogbeat is going to be on a different host, and from that host we're going to have to connect to Kibana in order to load some dashboards and some index patterns that you want to use; you want to have them set up before you go to use it. So for our use case we're going to have to come in here and change that. I'm going to my terminal and I'm going to do sudo nano /etc/kibana/kibana.yml, and here it's going to want to know what the server host IP address is going to be. Right now it's set to localhost; that's not what we want. We want it to be the IP address of this server, so we're going to do ip address and find what it is. For me here it's .10, so I'm going to write that in, 192.168.1.10, and so now anybody will be able to connect.

So we've changed that IP address. Now I also want you to go down and check which IP you have for your Elasticsearch hosts and make sure it's the same one. If you've been doing this video in one go and it hasn't been that long a time between the two parts, it should still be the same IP address, but depending on your home router settings your IP address actually changes every so often. In my case it used to be .7 and now it's .10, so I actually needed to make sure to change that on the elasticsearch hosts entry, otherwise it wouldn't have been able to connect. That's a good thing to check. In my case I also did this for Elasticsearch, so /etc/elasticsearch/elasticsearch.yml, and again I used the nano editor. I had to go down to where the network settings are, so on network.host I had to change that to .10, and on discovery.seed_hosts I also changed that to .10. This is one reason why in a lab it's OK just to use, you know, changing DHCP addresses, but in a production area they need to be reserved addresses that are going to stay constant, because you don't want that changing. Then I also had to do it in Auditbeat, in auditbeat.yml: I went down to the output and put the host; everything else remained the same, it was just this last number, which used to be .7 and now is .10.

Since I changed them all, I went ahead and shut down all the services again. I did that with sudo service elasticsearch stop, then sudo service kibana stop and sudo service auditbeat stop, and then I'm going to start them all. You want to start with Elasticsearch all the time: sudo service elasticsearch start, and again, depending on how much RAM you're able to give your system, it could take a couple of minutes for Elasticsearch to start. Then we're going to do sudo service kibana start and sudo service auditbeat start. OK, leave those running, but you can minimize your virtual machine.

Now what we're going to want to do is change our Winlogbeat configuration. Come in here, go to Program Files, go down to Winlogbeat, and it's going to be winlogbeat.yml. You can edit this with a lot of different programs. The best two are either going to be a program called Atom, which is free to use; you just open it with Atom and it will keep all the YAML formatting. Another one that I like using, especially with YAML, is called Notepad++. Again, you can download either of those on the internet for free. They're really good because they highlight things with different colors, as you can see: comments are green, important key names become blue. It just makes it easier to see everything, because otherwise it can get very confusing.

So we're going to come in here and do a couple of things. The first thing we're going to do is come down to the Kibana setup, because we're going to be setting up our dashboards. We're going to come in here where it says host and backspace so it's no longer commented out, and then we're just going to enter the IP address of that server, so in my case it's 192.168.1.10. We kept it at the default port of 5601, so we don't have to change any of that, which is good. We're not using Kibana spaces right now, so we don't have to set that; we just needed to put that IP address in. Then we're going to change the Elasticsearch host as well, because right now by default it's set to localhost, but that's not what we have; we have it on that server. So we're going to do 192.168.1.10 in my case; just use the IP address that we found on the virtual machine, whatever your router might have given it. Those are the only settings. I'm just going to show you some of the others: as you can see, if you changed it to HTTPS this is where you would uncomment and let it know, and if there was a username and password you would uncomment these and then put them in here. Again, Elastic has made all that basic-level security free to
use now; it no longer requires a special license. After you get comfortable with Elastic I really suggest you watch some videos on how to set that up, so that when you're using it, maybe in the cloud or in a real production environment, you have a safe setup. You don't want them just open like this without passwords and such.

We've changed all the settings we're going to change. Just to show you this up here: this is where Winlogbeat is told what logs it wants. By default it's set to do the security logs and the event logs for application and security, as you can see, and then it's also set to do the Sysmon logs, so three different log types are set up by default. If in the future you wanted to change that, you could go in here and actually write different paths to whatever logs you might want; for now the default ones are actually really good.

In order to set up the Winlogbeat dashboards we're going to open PowerShell again, again remembering to run as administrator. We're going to navigate to our folder, if we can remember where it is: it's in C:\Program Files\Winlogbeat. I always like listing my directory to see what's in it; it just makes me feel better. We're going to be running winlogbeat.exe, and we're going to run setup with the -e option. What it's doing here is connecting to Elasticsearch. We can go over this real fast: it's connecting to Elasticsearch, then it's setting up the lifecycle policies (that's what an ILM policy is, index lifecycle management), then it's loading the template for that version of Winlogbeat, and then it says OK, it's all good. Then it's actually connecting to Kibana; this is why Kibana had to be set up separately. Then it's loading the dashboards, so now it's all set up. Now we can start the service. What I like to do is just come in here to Services; I like doing it in here because this is a lot easier when you just want to quickly start or stop it. Again, you can do it from PowerShell.

Now we go to http:// and then the IP address of your server, so in my case .10, then a colon and the default port for Kibana, which is 5601. Push Enter and you can see Kibana loads up. Again, depending on how much RAM you were able to give Kibana, it might take a little time to load, but we're ready to go.

From this Kibana homepage I want you to go to the first button, which is the Discover tab. The Discover tab, if you recall from the previous videos, is where you go to actually see all the logs that are being taken. Click on Discover, and remember previously we were looking at Auditbeat, but if you click on the arrow you now see that we have another index pattern, which is for Winlogbeat. Go ahead and click on the winlogbeat pattern and you'll see the information and all the wonderful fields that are available. One nice thing about using the Beats is that it automatically puts everything in the Elastic Common Schema, which is the new standardized set of field names. Everything sits in this tree structure now, so, like, here's host, which is like the root, and then you have a dot: host.name, host.architecture. That just makes it a lot easier when you have multiple vendors, when you have multiple pieces of software; they're all using the same name structures so that your data doesn't get confusing, you know exactly what it is, and you can actually share dashboards and machine learning jobs and everything between all these sources of data.

So again, if you wanted to use the SIEM application you can go to this icon here, click on it, and go to Hosts, and you can see that we have two hosts. There have been user authentications, there's been IP address activity, and this is over the last 24 hours. You can see one host was the factory and the other one was the laptop that we're taking the information from. So this is actually a very useful, powerful tool.

But let's say you're either using Elastic for something other than security, or maybe there's some sort of custom dashboard that you want to make yourself; you don't want to just use the built-in one. One thing is, Winlogbeat, any of the Beats, do come with default dashboards. If you want to take a look at those, for instance you go to the Dashboard button here and you'll see that there are a lot of different Auditbeat system ones, and then there's also the Winlogbeat dashboard, and it actually has a lot of useful graphs made for you already, and the Auditbeat ones are just as useful. But let's say you still didn't quite go for it; you still want to be able to make your own stuff, or maybe you just want to become, you know, an Elastic Certified Engineer and you need to know how to do this. So I'm going to do a demonstration of how to make a simple dashboard.

The first thing I'm going to do, actually, is put Kibana into dark mode, because I always run it in dark mode and it's good to know how to do that. We're going to go to the Management tab, go into Kibana, which is here, go to Advanced Settings, and then if we scroll down you can turn on dark mode. This will save it; you do have to reload the page for the change to happen. Notice that, yes, you can break stuff here in the settings, but this is also where you would come and change things like CSV separators, the time formats, location formats; this is where all the Kibana formatting settings go. Also, this is very important on the SIEM: this is how you would add custom indices to the SIEM. Notice here it says Elasticsearch indices; this is all the index patterns that the SIEM application is going to look at for data. So it's pulling network, it's pulling host data, it's even pulling APM, which is application monitoring data. This is where, if you have a firewall that you want pulled in, or if you have some sort of custom intrusion detection system you want pulled in, you just put a comma and then the index pattern that's associated with those indices, and then it'll automatically pull it into the SIEM application. So this was actually really good to show you, other than the fact that I always work in Kibana in dark mode.

So the first thing we're going to do is go to the Visualize tab. Click Visualize, and this is all the visualizations, but we want to create a new one, so we're going to click Create visualization. Let's say we want to create a pie chart, so click on Pie, and then choose a source; we're going to use winlogbeat as our source index pattern. OK, so far it's just blank. We're going to leave the aggregation on Count (there are different ones, but we're going to leave the aggregation on Count), but what we're going to change is the buckets. The buckets you can think of as the collection of data that's being aggregated, and I'll show you. What we're going to do is split the slices according to the buckets, so we're going to select an aggregation type. I like Terms, because what Terms does is count how many of a particular field are in there, and we'll look at this. So I choose Terms and then I've got to choose a field. Let's say we want to know what the different destination IPs were that went places, so we could choose that, and then we're going to leave it on Count. Let's say we want to know the top 10; right now it would be set for 5, so we're going to change that to 10. Then we're going to make sure the time is set to when there are records; notice there wasn't a lot in the past fifteen minutes, so it didn't have a lot to give me, but once I changed the time to an hour there had been a lot of activity. Now we can change the
formatting of how this looks, because I don't like the middle missing, for instance; that just messes with me. We go to Options, and for instance I don't like donuts, I love them in real life but I don't like them for my pie charts. Actually, yeah, I will leave it as a donut because I put 10; if there weren't as many I wouldn't. Then we can tell it to show labels, for instance; this is always useful, to show labels. And if you don't want the legend all the way over to the right you could put it on the bottom, so that might be a little easier for us. OK, we're going to make sure to save it and give it a name, so these were destination IPs; we'll just call it that for now.

Let's say then we want to start a dashboard where we put multiple visualizations in. What we do is go to Dashboards, create one, and it will say add an existing or new object to this dashboard. We would say add an existing, and here's our visualization, destination IPs. We click that and there it is, and we can size it to how we want. You can actually do some editing on how these names show up; you can do a lot of different settings. If you come here and then edit the visualization, it'll take you back to where you made it so you can change it. Or if you customize the panel you can tell it to either show the panel title or not, and you can change the panel title. So there's a lot of customization that can be done.

Canvas is another application where you can make graphs and charts. Canvas was created basically to make up for what was called a lack of artistic creativity with the original Kibana dashboards, so you can do a lot of interesting visualizations. Like, let's say you have a coffee shop website; you can actually use an image with coffee cups and use it as a graph with a percentage, and it gets filled up, you know, cute things like that. If you want to be more creative, that's where Canvas comes in.

So again, the process: you go to Visualizations, tell it that you want to create a new one, and you can go from there. They have all sorts of different types; you can make gauges, data tables, heat maps, maps, which really come in handy. There's also a tool called Lens; let me show you this real fast, this is really cool. OK, let's say you just started using Kibana and you're still having some problems with what kind of graph might be the best to use. Let's say we're looking at Auditbeat and we want to know the event IDs that are happening. We can actually just drag this in, and it'll suggest different possible ways of making this graph or visualization, and they're already pre-configured for you. So we can do a count overall; it would do an over-time one if we gave it some more time to work with, you have to play with how much time it's going to need to be able to use that one. But as you can see it's really useful how it automatically starts telling you, hey, you can make a data table and this is how you would do it, you could do a count of all the different IDs. That's just a really fast way to produce charts, and you can save each one. Let's say I wanted to save this data table; I said, oh, that looks really cool, well then I save it, it's saved, and then I can go back and remake another one and save that as a different visualization. Let's say I wanted one of the bar graphs: save that, you know, Save As, give it a new name. As long as you give it a new name it won't overwrite the previous visualization. So all of a sudden you have a data table, a bar graph and, you know, the count-overall visualization; that's pretty much two-thirds of your dashboard right there. That's why Lens is a very powerful tool. It was just added to Kibana, maybe two or three months ago, and it really speeds up putting together visualizations to make entire dashboards.

So it's a good thing we went over that. Again, you create a visualization, you have all the different ones to choose from, or you can choose Lens and it will actually start telling you, hey, for this field you might want to consider these visualizations. So there are all sorts of different ways of doing it, and then you would go to Dashboards and add those to your dashboards, and that's how you start building out. Just play around, be creative, think about what information is most important to you. There are a lot of pre-made visualizations and pre-made dashboards that are really useful, like this Auditbeat dashboard: you can click into it, you can look at the logins just by clicking, we can look at all the processes just by clicking there. This is also a good way to learn a little more about the most productive dashboard designs: just look at the default ones that have been loaded in. Even if you don't plan on using them they can teach you something, and maybe you're not using Auditbeat, but you like the way these default dashboards are laid out, and then you can adapt that to your data. So, plenty of powerful tools: you can visualize by specific graphs, you can use Lens and drag fields around, look at the sample dashboards, and like I said, if nothing else, if you're doing security the SIEM application is definitely very powerful with its ability to make timeline investigations.

So again, I'd like to thank you for watching this video. In this video we installed and configured Sysmon, which provided an extra layer of security logging; we installed Winlogbeat so that we could get all those security logs from a Windows device into Elastic; and then we went over how to visualize some more in Kibana by making your own visualizations and dashboards. I'd like to thank you for watching this video by SkillsBuild Training on how to set up Elasticsearch and Kibana. Remember to like and subscribe, leave any comments and questions you have, and thank you again. SkillsBuild Training, where we teach you how to be an IT pro fast.
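The Windows-side procedure walked through in the video (Sysmon install with the SwiftOnSecurity config and the -h sha256 / -l / -n options, the capital-W Winlogbeat folder rename, registering the service and setting it to Manual, pointing winlogbeat.yml at the server, running setup and starting the service), collected into one PowerShell script as an added example; this is not the video's or Elastic's code. It assumes the downloaded zips sit in your Downloads folder under the names shown, that the Winlogbeat zip version is a placeholder you fill in, and that 192.168.1.10 (the server IP used in the video) is your Elasticsearch/Kibana host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the video or Elastic): automates the Windows steps shown in the video.
# Assumptions: Sysmon.zip and sysmon-config-master.zip are in Downloads, the Winlogbeat zip
# name matches $WinlogbeatZip (placeholder version), and the Elastic server is at $ServerIp.
$ErrorActionPreference = 'Stop'

$ServerIp      = '192.168.1.10'                     # Ubuntu host running Elasticsearch and Kibana
$Downloads     = Join-Path $env:USERPROFILE 'Downloads'
$SysmonDir     = 'C:\Program Files\Sysmon'
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'      # capital W, as the Elastic docs require
$WinlogbeatZip = Join-Path $Downloads 'winlogbeat-<VERSION>-windows-x86_64.zip'  # placeholder

# --- Sysmon: extract, copy the SwiftOnSecurity config in as sysmonconfig.xml, install ---
Expand-Archive -Path (Join-Path $Downloads 'Sysmon.zip') -DestinationPath $SysmonDir -Force
Expand-Archive -Path (Join-Path $Downloads 'sysmon-config-master.zip') -DestinationPath $Downloads -Force
Copy-Item (Join-Path $Downloads 'sysmon-config-master\sysmonconfig-export.xml') `
          (Join-Path $SysmonDir 'sysmonconfig.xml') -Force

Push-Location $SysmonDir
# -accepteula: accept the EULA; -i: install with the named config (in the current dir, so no path);
# -h sha256: hash algorithm instead of the SHA-1 default; -l: image loads; -n: network connections.
.\Sysmon.exe -accepteula -i sysmonconfig.xml -h sha256 -l -n
Pop-Location

# --- Winlogbeat: extract, move/rename to the capital-W folder, register the service ---
$staging = Join-Path $Downloads 'winlogbeat-staging'
Expand-Archive -Path $WinlogbeatZip -DestinationPath $staging -Force
$extracted = Get-ChildItem $staging -Directory | Select-Object -First 1   # winlogbeat-<ver>-windows-x86_64
Move-Item $extracted.FullName $WinlogbeatDir -Force

Push-Location $WinlogbeatDir
# Same invocation the docs give for systems with a restrictive script execution policy.
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Set-Service -Name winlogbeat -StartupType Manual    # manual stop/start, as in the video

# --- winlogbeat.yml: uncomment setup.kibana host and repoint output.elasticsearch hosts ---
$ymlPath = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$yml = Get-Content $ymlPath -Raw
$yml = $yml -replace '(?m)^\s*#?\s*host:\s*"localhost:5601"', "  host: `"$($ServerIp):5601`""
$yml = $yml -replace '(?m)^\s*hosts:\s*\["localhost:9200"\]', "  hosts: [`"$($ServerIp):9200`"]"
[System.IO.File]::WriteAllText($ymlPath, $yml)      # UTF-8 without BOM

# Loads the ILM policy, the index template and the Kibana dashboards, then starts the service.
.\winlogbeat.exe setup -e
Start-Service winlogbeat
Pop-Location

# --- Verify: both services should report Running (Winlogbeat with StartType Manual) ---
Get-Service Sysmon, winlogbeat | Format-Table Name, Status, StartType
```

Both config edits only match the stock localhost lines, so re-running the script against an already edited winlogbeat.yml leaves it unchanged.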
Info
Channel: SkillsBuild Training
Views: 4,086
Keywords: elastic, elasticsearch, Kibana, Beats, Auditbeat, Logstash, SIEM, linux, elasticsearch tutorial, elasticsearch tutorial for beginners, free elasticsearch tutorial, elastic stack tutorial, elasticsearch basics, elasticsearch query tutorial, elasticsearch course, elasticsearch training, what is elasticsearch, kibana tutorial, beats tutorial, elk stack, Security information and event management, sysmon, swiftonsecurity
Id: epFvBlB7i4c
Length: 42min 40sec (2560 seconds)
Published: Thu May 21 2020