setup_elastic.md
Elastic

For the latest installation instructions for this repo please see this blog post: IR TALES: THE QUEST FOR THE HOLY SIEM: ELASTIC STACK + SYSMON + OSQUERY

WARNING
This Ansible playbook will allocate half of the system's memory to Elasticsearch. For example, if a machine has 16 GB of memory, 8 GB will be allocated to Elasticsearch.
WARNING

Init Ansible playbook

  1. vim macos-workshop/ChooseYourSIEMAdventure/hosts.ini and add the Elastic server IP address under [elastic]
  2. vim macos-workshop/ChooseYourSIEMAdventure/group_vars/all.yml and set:
     1. base_domain – <external domain>; the server will be reached as elastic.<external domain>
     2. timezone – OPTIONAL – The default timezone is UTC+0
     3. siem_username – Ignore this setting
     4. siem_password – Ignore this setting
     (screenshot: Elastic Ansible - group_vars/all.yml)
  3. vim macos-workshop/ChooseYourSIEMAdventure/group_vars/elastic.yml and set:
     1. hostname – Set the desired hostname for the server
     2. elastic_repo_version – The package repo version of the Elastic stack to install – best to leave as default
     3. elastic_version – Set the version of the Elastic stack to install
     (screenshot: Elastic Ansible - group_vars/elastic.yml)

Run Ansible playbook

  1. ansible-playbook -i hosts.ini deploy_elastic.yml -u <username> --key-file terraform/ssh_keys/id_rsa

Generate Let's Encrypt certificate

  1. SSH into Elastic EC2 instance
  2. sudo su
  3. apt install certbot python3-certbot-nginx -y
  4. certbot --nginx -d elastic.<external domain>
  5. Enter the e-mail for the admin of the domain
  6. Enter A for Terms of Service
  7. Enter N to share e-mail with EFF
  8. Enter 2 to redirect HTTP traffic to HTTPS
  9. Review NGINX config: /etc/nginx/conf.d/kibana.conf
  10. systemctl restart nginx
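The same certificate request, driven from the command line instead of answering the certbot prompts one at a time, with the checks worth running before and after the NGINX restart. This is an added example, not part of the workshop repo or the playbook; EXTERNAL_DOMAIN and ADMIN_EMAIL are assumed placeholders supplied by the operator, and the script only touches the server when invoked with `run`.

```bash
#!/usr/bin/env bash
# Added example (not from the workshop repo): non-interactive certbot run plus
# post-issuance checks. Assumes the NGINX reverse proxy from the playbook is
# already in front of Kibana on port 443.
set -eu

# Build the certbot invocation. Each flag answers one prompt from the numbered
# steps: --agree-tos (A), --no-eff-email (N), --redirect (2 = HTTP->HTTPS).
build_certbot_cmd() {
  local fqdn="$1" email="$2"
  printf 'certbot --nginx -d %s --non-interactive --agree-tos --email %s --no-eff-email --redirect' \
    "$fqdn" "$email"
}

# Fetch the certificate the live server actually presents (SNI-aware), confirm
# it matches the hostname and will not expire within 30 days.
check_live_cert() {
  local fqdn="$1" pem
  pem="$(openssl s_client -connect "${fqdn}:443" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null)" || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$fqdn" | grep -q 'does match' || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((30 * 24 * 3600))
}

issue_cert() {
  local fqdn="$1" email="$2"
  eval "$(build_certbot_cmd "$fqdn" "$email")"
  nginx -t                  # syntax-check the config certbot rewrote ...
  systemctl restart nginx   # ... before restarting, so a bad edit cannot take Kibana offline
  check_live_cert "$fqdn"
  certbot renew --dry-run   # prove the automatic renewal will succeed in 90 days
}

if [ "${1:-}" = "run" ]; then
  issue_cert "elastic.${EXTERNAL_DOMAIN:?}" "${ADMIN_EMAIL:?}"
fi
```

Run it as `EXTERNAL_DOMAIN=example.com ADMIN_EMAIL=admin@example.com ./issue_cert.sh run` as root on the Elastic instance; `check_live_cert elastic.<external domain>` on its own is a cheap health check to schedule alongside the renewal timer.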

Create workshop user

  1. Open browser to https://elastic.<external domain> and login
  2. Enter elastic for username
  3. Enter the elastic user password generated during the Ansible playbook (cat /tmp/elasticsearch-setup-passwords.txt)
  4. Settings > Management > Stack Management
  5. Security > Users
  6. Select "Create user" in the top-right
  7. Enter threathunter into username
  8. Enter threathunter into full name
  9. Leave e-mail blank
  10. Enter a password for the user
  11. Select viewer for roles – the built-in read-only role, so workshop attendees can search data but not change the stack
  12. Select "Create user"
  (screenshot: Create Elastic workshop user)

Create index patterns

  1. Open browser to https://elastic.<external domain> and login
  2. Enter elastic for username
  3. Enter the elastic user password generated during the Ansible playbook (cat /tmp/elasticsearch-setup-passwords.txt)
  4. Settings > Management > Stack Management
  5. Kibana > Index patterns
  6. Select "Create index pattern" in the top-right
  7. Define an index pattern
     1. Enter osquery-* into index pattern name
     (screenshot: elastic_osquery_index_pattern)
  8. Configure settings
     1. Select @timestamp for Time field
  9. Select "Create index pattern"
  10. Repeat for the sysmon and test indices
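The two Stack Management procedures above (creating the threathunter user and creating the index patterns) can also be done against the Elasticsearch and Kibana REST APIs, which is easier to repeat for every workshop instance. This is an added example, not code from the workshop repo. It assumes Elasticsearch answers on localhost:9200, Kibana is reachable at https://elastic.<external domain> through the NGINX proxy, the Kibana 7.x saved-objects API is in use, the index patterns for the other two sources are sysmon-* and test-*, and /tmp/elasticsearch-setup-passwords.txt holds lines of the form `PASSWORD elastic = <password>` as printed by elasticsearch-setup-passwords; the sample file in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the workshop repo): create the workshop user and the
# index patterns over the APIs. Only talks to the servers when run with "run".
set -eu

KIBANA_URL="${KIBANA_URL:-https://elastic.example.com}"    # assumed placeholder
ES_URL="${ES_URL:-http://localhost:9200}"                   # assumed
PW_FILE="${PW_FILE:-/tmp/elasticsearch-setup-passwords.txt}"

# Pull one user's password out of the elasticsearch-setup-passwords output
# ("PASSWORD <user> = <password>", assumed format).
elastic_password_from_file() {
  local file="$1" user="$2"
  awk -v u="$user" '$1 == "PASSWORD" && $2 == u { print $4; exit }' "$file"
}

# Escape backslashes and quotes so a generated password cannot break the JSON.
json_escape() {
  printf '%s\n' "$1" | sed 's/[\\"]/\\&/g'
}

# Body for PUT /_security/user/<name>. "viewer" is the built-in read-only role,
# the same choice the UI steps make: least privilege for workshop attendees.
user_body() {
  local name="$1" password="$2"
  printf '{"password":"%s","roles":["viewer"],"full_name":"%s"}' \
    "$(json_escape "$password")" "$(json_escape "$name")"
}

# Body for POST /api/saved_objects/index-pattern (Kibana 7.x).
index_pattern_body() {
  printf '{"attributes":{"title":"%s","timeFieldName":"@timestamp"}}' "$(json_escape "$1")"
}

create_user() {
  local admin_pw="$1" name="$2" password="$3"
  curl -fsS -u "elastic:${admin_pw}" -H 'Content-Type: application/json' \
    -X PUT "${ES_URL}/_security/user/${name}" -d "$(user_body "$name" "$password")"
  # Prove the new account logs in and carries only the role we assigned.
  curl -fsS -u "${name}:${password}" "${ES_URL}/_security/_authenticate"
}

create_index_pattern() {
  local admin_pw="$1" title="$2"
  # kbn-xsrf is required on every non-GET request to the Kibana API.
  curl -fsS -u "elastic:${admin_pw}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
    -X POST "${KIBANA_URL}/api/saved_objects/index-pattern" -d "$(index_pattern_body "$title")"
}

main() {
  local admin_pw
  admin_pw="$(elastic_password_from_file "$PW_FILE" elastic)"
  [ -n "$admin_pw" ] || { echo "elastic password not found in $PW_FILE" >&2; return 1; }
  # The workshop password comes from the environment, never from the repo.
  create_user "$admin_pw" threathunter "${THREATHUNTER_PASSWORD:?set THREATHUNTER_PASSWORD}"
  for pattern in 'osquery-*' 'sysmon-*' 'test-*'; do
    create_index_pattern "$admin_pw" "$pattern"
  done
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

The `_security/_authenticate` call at the end of create_user is the check to keep: its response lists the roles the account really holds, so a typo that granted more than viewer shows up immediately rather than during the workshop.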

Clearing index data
