How To Setup ELK | Elastic Agents & Sysmon for Cybersecurity

Captions
I have always wanted to do this for a video, but it's been a little bit daunting, because configuring ELK (Elastic, Logstash, Kibana), this whole structure and setup for a SIEM solution (or "sim", however you pronounce it), can be a little bit... a lot of moving pieces, right? So I'm excited, I'm stoked, I'm super happy to be able to do this with the help of John Strand's courses, his introductory labs that are freely available, all online. Just as a gentle reminder, you can always be jumping into any of John Strand's and Antisyphon Training and Black Hills Information Security and this awesome tribe of companies' pay-what-you-can training. If you haven't seen it, it's literally courses, education, free training that you can choose the price tag for. But if you take a look, they do have some incredible courses coming up, like their Active Defense and Cyber Deception course, and tons and tons more. There's things that you could learn all about making hackers earn their access and making them cry when you're wasting their time, doing some great defense in depth, and tons of great stuff from John Strand. Well, he's always putting out a lot of these pay-what-you-can trainings. If you haven't registered for these before, you just cruise through it, hey, fill out whatever forms you need to, but you get down to the price section. Look, you can pay the minimum, you can pay 50, you can pay 95, but if you want to bring this down even lower, to make it more accessible for you if you just don't have the cash, it is pay what you can. So for tuition assistance you can click here, and then you'll get a new form where all of those pricing options go away, and you just register and you sign up, and that's it. You can make this course free, accessible to you. There are tons of other pay-what-you-can courses, and it's always worth just taking a look at what is Antisyphon Training up to, what is Black Hills Information Security up to, and hey, how can I jump into Wild West Hackin' Fest, their conference. Anyway, publicly accessible and free introductory labs that are part of these pay-what-you-can courses, you can find them online, just on GitHub: strandjs intro labs. And in the past couple of videos we set up a virtual machine where we've gotten a chance to play with a lot of these labs, but there are so many that you can just cruise through.

So in this video I want to get into ELK (Elastic, Logstash, Kibana). This is a three-part series for their walkthrough, for their write-ups of the labs, but I want to cram this all into one video. So look, they get into the good stuff: we're setting up a SIEM, and you could also toggle on rules to alert us when defenders are attacking our organization, what tradecraft, what TTPs from the MITRE ATT&CK framework, and all, are they all up to. But this is awesome: you can get started with ELK using the Elastic Cloud, just a 14-day trial, doesn't require a credit card, you just need an email and a password, and all we do is just set up a free account. So I'm gonna do it. Jumping over to this URL, this is all it takes: just start your free Elastic Cloud trial. Let me fill out my email address, choose a password, and then sign up with email. Nice and easy. Now we can just cruise through a super simple form: hey, I'll just put my name, company is "self", I am new to Elastic and I'm more interested in security, I'd like to just learn more about Elastic. Let's do it. All right, now we need to create a new deployment. I can just call mine, I don't know, "security deployment", how about that. We could change some of the settings, but I think I'm just fine with the defaults. Let's go ahead and create our deployment, and cool. Oh, what, we have 150 days left of our trial? Goodness, it's more than 14.

Okay, now it's doing its thing. It is creating our deployment, doing whatever configuration things that it needs. We could cruise through with the tour, but I don't really need to do that, I just kind of want to go back to my deployment. Oh shoot, and it showed me credentials. Can I get back to that? "These root credentials are shown only once." Oh goodness, okay, I guess I'll just check the frame of the video, maybe. And it is still creating the deployment. The video is cruising through, but I have now seen, after a little bit of time, the Kibana menu open up in the navigation. So, kind of taking a look at what the lab suggests, we should be able to go ahead and open up Kibana, and once this thing finishes up we can go ahead and move on with the lab here. Okay, now this has popped up. Looks like I have my Kibana instance up and running. I can edit the configuration, I can play with monitoring the health here, copy endpoint. Can I just open this? Oh, okay, cool, yeah, now we're going somewhere new. All right, now we've loaded up Kibana, seemingly, or we're still in Elastic, but let me go ahead and manage this deployment, and I could move down to, okay, Security, Management, oh, Fleet. Fleet is what I'm looking for, that is what is suggested next in the lab, and we want to be able to add an agent here. So I'm going to go ahead and click on this "Add agent" button, and then "Adding Elastic Agents to your hosts allows it to collect data and send it to the Elastic Stack." Okay, "What type of host are you adding?" They're controlled by an agent policy, "Create new policy" to get started. I realize my face is in the way. The advanced options, no, I think that's all just fine, I'm going to assume again totally defaults are good. I'll hit "Create policy", and then the other options, to enroll in Fleet and install the Elastic Agent, will all be done for me. Cool, yep, okay, seemingly good. We will enroll in Fleet, install the Elastic Agent on your host. Ooh, okay, we will toggle this to Windows, and that should be all good for me.

I'll just want to copy the syntax, and then the lab suggests, hey, we just save this, we just take note of it, so we know how we can go ahead and install this when the time comes, but then we'll move into part two of this little lab walkthrough, and that way we'll be able to actually install and configure the Elastic Agent. So let me just open up Notepad, I suppose that's fine, and I'll paste this in. So it looks like this syntax, like the PowerShell code that they give here, is just everything that you need to actually download the Elastic Agent, expand the archive, like decompress the zip file, and then install the Elastic Agent. I think we could basically skip over what would be lab number two here on installing the whole agents. So let me go ahead and copy the syntax, and I'll open up a Windows Terminal. I'll hit Ctrl+Shift+Enter on my keyboard so that I can open this up in admin mode. I'm gonna go full screen with this, and I suppose I will make a directory for, like, "elastic", so at least this is kind of clean and not just randomly in my user profile. Now I'll go ahead and paste all this in, because there's currently nothing in the path here, and I'll let it download the Elastic Agent for me. Now that that's done, it's going to try and decompress the zip archive, Expand-Archive in PowerShell, okay, and now it's going to go ahead and install the agent. It says "Elastic Agent will be installed at C:\Program Files\Elastic\Agent and will run as a service. Do you want to continue?" Let's hit Y for yes, enter that and let it do its thing. Okay, it took a little bit, but looks like it says "Successfully triggered restart on running Elastic Agent", "Successfully enrolled the Elastic Agent", "Elastic Agent has been successfully installed." Awesome. Let me clear the screen here. Toggling back over to Elastic, over in the web browser, you can see, hey, one agent has been enrolled, incoming data is confirmed, and we are ingesting everything that we need. We can click on that "View enrolled agent", and here it is, there's my desktop hostname. Now I can click on this and go take a look at what is all coming from this: here's the last activity, last check-in message, agent policy that we defined, the agent version, platform.

Okay, so now in the intro labs walkthrough we basically just jumped over what would be part two, and now we can move on to part three, where we're chatting about what data we might ingest into Elastic. And they say, look, by default Windows logs are not ideal, because it's just kind of a smorgasbord of whatever actually comes through for it, and some things might not actually be audited by default. So to get logs that are more readable and useful, we can use, and we should be using, Sysmon. By the way, you'll practically, like, never ever find a client organization, an environment, that is actually using and has deployed Sysmon, but when you do, if you do, it's awesome. We can follow this link to download Sysmon. It is part of the toolsets that are created by Mark Russinovich. Let me open this up in a new tab here. I can scroll down and click the "Download Sysmon", and now I do have that zip archive once more. Let's move back to our administrative PowerShell window and move into the Downloads directory. Oh, forgive me, that should be Downloads. And I know, look, yeah, I could probably do this all in one command, but I just like typing cd over and over again. So let's get our Sysmon.zip file that I see there. Let's go ahead and Expand-Archive, just as we saw in the Elastic Agent syntax, to go ahead and extract this zip archive, and now we should have a Sysmon directory, as we do. So let's move into that directory, and I have the Sysmon64 that we probably want to run on our 64-bit architecture. We can go ahead and run our Sysmon64.exe. "Failed to start the service: The operation completed successfully." What does that mean? What does the lab suggest? Okay, these end up using Sysmon on its own, -i, -n and -accepteula. Is -i to install? Is there, like, -h for help? Yeah, okay, cool. Okay, the usage: we can install with Sysmon -i. What is -n? Was that even a thing? It doesn't seem to be anymore. Anyway, so let me use that: Sysmon64 -i. "Sysmon is already registered; uninstall Sysmon before reinstalling." Okay, so we're good, like, it's just doing its thing right now. Can I Get-Service? Oh yeah, yeah, okay, there is 64-bit Sysmon running as a service, so I'm assuming all is good.

And now that Sysmon is running on our system, we need to configure our Elastic Agent to configure and gather these logs: sign into your account, navigate back to Kibana, move into Fleet, and then check out the integrations as to what agents might be pulling stuff in. Now we can add the integration for Windows and then toggle on the button for Sysmon. Let's go try it out. So back in Kibana, as part of our ELK stack, we'll move over to Fleet, and I don't see any integrations. Oh, oh, if we go into Agent policies, you can click in on the policy that you've defined, and now the integrations are there. Let me see if I can add an integration, and I'm going to assume I would be able to browse for Windows. There's a whole lot of entries here, let me just go and search for it. Let me search for Windows, there we go, click on Windows. I just want to scroll down into this overview: does it actually give me a little bit more, like Sysmon specifically? I don't know, let's try it. Let me just add Windows, there we go, and the integration name is "windows-1": forwarded, PowerShell, PowerShell operational, oh, Sysmon operational, okay, perfect. I think all of this looks good. We can add it to existing hosts with the agent policy 1, and let me click the bottom right button that my face is in the way of: "Save and continue", "Save and deploy changes". I'm good with that. Okay, "windows-1 integration added". Now our agent policy 1 has the System integration and Windows, perfect. Let me go take a look back at our Fleet, let's check our agent, and we should see that it is working with the Windows integration and can pull from Sysmon just as well.

Now it says, hey, play around on the computer that has the Elastic Agent installed: move files around, create files, start programs, make a few Google searches. This will generate some logs to ensure we have Sysmon logs reaching our cloud. After you've created some log activities you can navigate to Kibana Discover. Well, okay, let me get back to, I suppose, our little command line here. Let's just fire up the calculator, of course, that's normal operations. Can I run, like, whoami? I don't know if that'll do anything. I don't know, should I just open up WordPad, how about that? Is that gonna run? Is it in the path? How do you access WordPad? PowerShell probably just didn't know where the heck it was, whatever. So hopefully we have some Sysmon log events now. I think Sysmon process start is just 1 when it's created a process; the event ID for Sysmon is 1. So if we navigate back to Kibana, move into the Discover dashboard, set the source to logs, then we can look at the time constraint for today. Let me go back to the little hamburger menu and let's go to Discover. Let's set our data view source to logs, we'll set this to today, as it is, good, and now I need to go figure out and find what fields would be worthwhile to search for. Our agent name is probably worthwhile, because I want to get the things from our desktop, good, and if I put this in the documents view then it'll actually show it with the timestamp. Can I get any specific, like, process names that are started? We have event.action, that might be worth adding. Okay, not a whole lot of entries there: DNS queries, interesting, oh, process create, process create, that is good. That's got to be an event ID that comes with that, right? Okay, event ID, let me add this. A lot of those are empty even on process create, so that's dumb. Are there any processes that we can run? Oh, even PowerShell stuff, though, that could be worthwhile. Process, ooh, okay, process.command_line, let me add this. Okay, now can I see us trying to run, oh yeah, I can, here's my WordPad, excellent, here's whoami as I just typed those in the command line, and calc. Oh, check it out, here's us trying to run Sysmon.

Oh, the lab actually says you can set a filter on your data to limit the results just to Sysmon data. That can be done by setting the data_stream.dataset field to windows.sysmon_operational. Okay, we can try that. Okay, so Add filter: we wanted data_stream.dataset is, and then windows.sysmon_operational, right? Let's add filter. Okay, cool. So it was looking at the same sort of stuff we were looking at just a moment ago, and check it out, there is our process create: WordPad, whoami and calc, nice. So if we wanted to filter that even more, I think we could do, like, what is it, it's winlog.event_id: 1, right? So it's setting it to a value of 1, and that should be the... I don't, I don't want an AND, I just want that, please. Can I do that? Go, filter, yeah, okay, so now we're only getting the process creates, and you can see Sysmon, you can see Elastic Stack and the agent coming together. That is super duper cool, and that can help us do some further analysis with ELK.

And that is that: that is three of the kind of written GitHub free labs, part of the introductory courses of John Strand, Antisyphon Training, Black Hills Information Security, all of their pay-what-you-can courses. And really, really cool that we finally just got an opportunity to spin up ELK, because now we can do a little bit more of that, you know, sweet stuff: detection engineering, I don't know, tracking around an EDR and a SIEM to see what logs are happening where, when and how, all the stuff that can help you for your job and, like, the real world in the industry. I hope that's pretty cool, I hope that is actually tactical information security education. So hey, check out Black Hills Information Security, Antisyphon Training, pay-what-you-can courses, all the incredible stuff that John Strand is up to, and thank you so much for watching this video. Hope it was fun, hope you learned something new, hope you had a great time together, and I'll see you in the next video. Like, comment, subscribe, become a member, become a member of the channel, that really, really helps support all the stuff that we're doing here. Thanks again.
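The steps the video walks through by hand (unpack and enroll the Elastic Agent, install Sysmon with -i, check the services, then confirm process-create events before filtering in Kibana Discover) collected into one script. This is an added example, not code from the video or from the Intro Labs. It assumes the Elastic Agent zip and Sysmon.zip have already been downloaded into a working directory, and the Fleet URL and enrollment token values are placeholders standing in for what Kibana's "Add agent" page shows you; the directory and file names are my own choices.

```powershell
# Added example, not the video's or the lab's code. Run from an elevated
# PowerShell window (Ctrl+Shift+Enter in Windows Terminal, as in the video).
#
# Assumptions (placeholders and paths are mine, not from the lab):
#   - the Elastic Agent zip and Sysmon.zip already sit in $WorkDir
#   - $FleetUrl / $EnrollmentToken were copied from Kibana > Fleet > Add agent

$WorkDir         = "$env:USERPROFILE\elastic"              # assumed location
$AgentZip        = Join-Path $WorkDir 'elastic-agent.zip'   # assumed file name
$SysmonZip       = Join-Path $WorkDir 'Sysmon.zip'          # assumed file name
$FleetUrl        = 'https://FLEET-SERVER-HOST-PLACEHOLDER:8220'
$EnrollmentToken = 'ENROLLMENT-TOKEN-PLACEHOLDER'

# 1. Unpack the agent archive, as the lab's Expand-Archive step does.
$AgentDir = Join-Path $WorkDir 'elastic-agent'
Expand-Archive -Path $AgentZip -DestinationPath $AgentDir -Force
$AgentExe = Get-ChildItem -Path $AgentDir -Recurse -Filter 'elastic-agent.exe' |
    Select-Object -First 1

# 2. Install the agent as a service and enroll it in Fleet in one step.
#    --force skips the "Do you want to continue?" prompt answered with Y in the video.
& $AgentExe.FullName install --force --url $FleetUrl --enrollment-token $EnrollmentToken

# 3. Install Sysmon with its default configuration (-i from the usage text);
#    -accepteula avoids the license dialog on an unattended install.
$SysmonDir = Join-Path $WorkDir 'Sysmon'
Expand-Archive -Path $SysmonZip -DestinationPath $SysmonDir -Force
& (Join-Path $SysmonDir 'Sysmon64.exe') -accepteula -i

# 4. Verify both services are running (the Get-Service check from the video).
Get-Service -Name 'Elastic Agent', 'Sysmon64' | Format-Table Name, Status

# 5. Generate a process-create event and confirm it is in the local Sysmon log
#    before searching Kibana; event ID 1 is Sysmon's process creation event.
Start-Process calc.exe
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5 |
    ForEach-Object { ($_.Message -split "`r`n") | Where-Object { $_ -like 'CommandLine:*' } }

# In Kibana Discover the equivalent of the two filters added in the video is:
#   data_stream.dataset : "windows.sysmon_operational" and winlog.event_id : 1
```

Checking the local Sysmon/Operational log first separates the two failure modes the video bumps into: if event ID 1 entries are missing here, Sysmon itself is not installed or running; if they are present locally but absent in Discover, the problem is on the agent, policy or Windows-integration side.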
Info
Channel: John Hammond
Views: 50,342
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: wiQ8U5mFncw
Length: 14min 34sec (874 seconds)
Published: Wed May 10 2023