Security information and event management Lab Project
The objective of this SIEM (Security Information and Event Management) lab project is to design and implement a comprehensive security monitoring solution that effectively detects, investigates, and responds to security incidents within an enterprise environment. Through hands-on exercises and simulations, participants will gain practical experience in configuring SIEM tools, creating custom detection rules, analyzing security events, and orchestrating incident response workflows. By the end of the project, participants will have developed a proficient understanding of SIEM technologies and best practices, equipping them with the skills necessary to enhance the security posture of organizations through proactive threat detection and mitigation.
- Elastic Stack SIEM Configuration and Management: Successfully set up and configured Elastic Stack SIEM in a home lab environment. Demonstrated proficiency in deploying a Kali Linux VM, configuring Elastic Agents for log collection, and forwarding data to the SIEM for effective security event monitoring.
- Security Event Simulation and Analysis: Acquired hands-on experience in generating and analyzing security events using Nmap on Kali Linux. Proficient in querying Elastic SIEM to identify and investigate security incidents, enhancing skills in network security monitoring and threat detection.
- Visualization and Alerting in SIEM: Developed a custom dashboard in Elastic SIEM to visualize security events, demonstrating skills in data interpretation and pattern recognition. Successfully created and tested alert rules for detecting specific security events, showing competency in proactive incident response and alert management.
- VirtualBox
- Kali Linux
- Elastic Cloud Service
- Sign up for a free trial to use Elastic Cloud at https://cloud.elastic.co/registration
- Start your free trial.
- Create a deployment
- Download VirtualBox or VMware
- Download Kali Linux from https://www.kali.org/get-kali/#kali-platforms
- Set up your Kali Linux VM
- Update your Kali Linux VM
- Click on the hamburger menu at the top left, then select +Add Integrations at the bottom
- In the Integrations tab, search for Elastic Defend and select +Add Elastic Defend
- Install the Elastic Agent on your host
- Copy the commands provided
- Open a terminal on your Kali VM, paste the commands, press Enter and wait for the installation to complete
- To verify that the agent installed correctly, run: sudo systemctl status elastic-agent.service
- Use nmap to generate security events
- Run different nmap commands, for example [ sudo nmap , sudo nmap -A -p- , sudo nmap -sS , sudo nmap -sT ]
- Go to the hamburger menu and select Logs under the Observability section
- Check the endpoint.events.process data stream, click on the menu and select View details
- Check for the nmap commands that were run on the host
- Go to the hamburger menu and select Dashboard under the Analytics section
- Select +Create new dashboard, then +Create visualization
- Add layers using the horizontal axis and vertical axis
- After adding different layers the dashboard should look something like this
- Click on the “Save” button to save the visualization and then complete the rest of the settings
- To create an alert, go to the hamburger menu and select Alerts under the Security section
- Click on Manage rules, then +Create new rule
- Under "Custom query", define the rule using KQL syntax
- Use the following command for nmap scan alerts
- Click on Continue
- Under the About rule section, add a name and description for the rule
- Complete the other settings
- Finally, click the “Create and enable rule” button to create the alert
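The following is an added example, not code or a query from this lab project. It mirrors, in plain Python, what a custom-query detection rule like the one built above does inside Elastic SIEM: it walks ECS-shaped process events (the shape Elastic Defend writes into the endpoint.events.process data stream) and raises an alert for each nmap process start, labelling the scan type from the command-line flags. The KQL query in the comment is an assumed illustration of such a rule, not the lab's own query, and the sample events, hostnames and addresses are constructed.

```python
import json

# Assumed KQL rule this example mirrors (illustration only, not the lab's own query):
#   event.category:"process" and event.type:"start" and process.name:"nmap"
KQL_EQUIVALENT = 'event.category:"process" and event.type:"start" and process.name:"nmap"'

# Constructed sample documents in ECS shape, as Elastic Defend writes them into
# logs-endpoint.events.process-*; hostnames, users, addresses and timestamps are made up.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:01Z", "event": {"category": ["process"], "type": ["start"]},
     "host": {"name": "kali-lab"}, "user": {"name": "root"},
     "process": {"name": "nmap", "args": ["nmap", "-sS", "192.0.2.10"]}},
    {"@timestamp": "2024-05-01T10:00:09Z", "event": {"category": ["process"], "type": ["start"]},
     "host": {"name": "kali-lab"}, "user": {"name": "root"},
     "process": {"name": "nmap", "args": ["nmap", "-A", "-p-", "192.0.2.10"]}},
    # Process-end event for the first scan: must not produce a second alert.
    {"@timestamp": "2024-05-01T10:00:15Z", "event": {"category": ["process"], "type": ["end"]},
     "host": {"name": "kali-lab"}, "user": {"name": "root"},
     "process": {"name": "nmap", "args": ["nmap", "-sS", "192.0.2.10"]}},
    # Mentions "nmap" in its arguments but is a bash process: must not match.
    {"@timestamp": "2024-05-01T10:01:00Z", "event": {"category": ["process"], "type": ["start"]},
     "host": {"name": "kali-lab"}, "user": {"name": "kali"},
     "process": {"name": "bash", "args": ["bash", "-c", "echo nmap"]}},
]

# Human-readable labels for the nmap flags used in the lab.
SCAN_FLAGS = {
    "-sS": "TCP SYN scan",
    "-sT": "TCP connect scan",
    "-A": "aggressive (OS/version/script detection)",
    "-p-": "all 65535 ports",
}


def get_field(doc, path):
    """Walk a dotted ECS path such as 'process.name' through nested dicts; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def kql_term_matches(value, wanted):
    """KQL term matches apply to keyword fields whether they hold a scalar or an array."""
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def matches_nmap_rule(doc):
    """True when the document satisfies every term of KQL_EQUIVALENT."""
    return (kql_term_matches(get_field(doc, "event.category"), "process")
            and kql_term_matches(get_field(doc, "event.type"), "start")
            and kql_term_matches(get_field(doc, "process.name"), "nmap"))


def describe_scan(args):
    """Label the scan from known flags; nmap with no scan flags runs its default top-1000-port scan."""
    return [SCAN_FLAGS[a] for a in args if a in SCAN_FLAGS] or ["default scan (top 1000 ports)"]


def find_nmap_scans(docs):
    """Run the rule over a batch of documents and return one alert record per match."""
    alerts = []
    for doc in docs:
        if not matches_nmap_rule(doc):
            continue
        args = get_field(doc, "process.args") or []
        alerts.append({
            "timestamp": doc.get("@timestamp"),
            "host": get_field(doc, "host.name"),
            "user": get_field(doc, "user.name"),
            "command_line": " ".join(args),
            "scan_type": describe_scan(args),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_nmap_scans(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the script prints two alerts, one per nmap start event; the process-end event and the bash process that merely mentions nmap are ignored, which is the same behaviour the SIEM rule shows when it is scoped to event.type:"start" and process.name rather than to a free-text search over the whole document.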
This project is intended for educational purposes only. Use responsibly and only with proper authorization on systems you own or have explicit permission to monitor.