Build a SIEM Home Lab with Elastic Security and Create Custom Alerts

In this guide, we’ll configure Elastic Security in a home lab to analyze and interpret logs, understand key values, and create custom alerts for effective threat detection.


  1. Download VirtualBox: Download link
  2. Download Parrot Security (or any other operating system): Download link

Notes:

  • Ensure your chosen operating system is up and running.
  • The system must have internet access.


Step 1: Sign Up for Elastic

Sign up for an Elastic account by going to the following link: https://cloud.elastic.co/registration


Step 2: Install the Elastic Agent

Once logged in to your Elastic account, navigate to the left sidebar and click on Integrations.

In the search bar, type Elastic Defend and press Enter, then click on it to begin the configuration process.

Click the blue Add Elastic Defend button to integrate Elastic into your environment.

After clicking Add Elastic Defend, you will be redirected to a page with instructions to install the Elastic Agent.


Select the appropriate platform (Linux, Mac, Windows, etc.) from the tabs shown on that page.

For our setup, choose Linux. Copy the full command provided and paste it into your terminal to proceed with the installation.


At this step, the installation process will prompt you to confirm if you want to continue. Type Y and press Enter.

After completing the installation, return to the Elastic website, where you should see the confirmation message: "1 agent has been enrolled."




Step 3: Testing Detection and Understanding Logs

Now that everything is set up, let’s perform a test to verify detection and analyze the logs.

  • Run an Nmap Scan:

Open your Linux terminal and execute the following command:

nmap -A -sV localhost


  • Review the Logs in Elastic:

  1. Return to the Elastic website.
  2. Click on Discover from the left-hand menu.
  3. In the search bar at the top, type nmap and press Enter to filter logs related to the Nmap scan.
  4. Scroll down to the Documents section to view the details of the detected Nmap activity.


When you click on the log, additional details will be displayed. Here are the most important ones:

Command Executed: The process.command_line field displays the full command: nmap -A -sV localhost.

Process Name: The process.name field identifies the process as nmap.

Note: This field will be used to create a custom alert targeting processes named "nmap."

User and Host Information:

  • user.name: Shows the user who executed the command, user.
  • host.name: Displays the hostname as parrot, running a Linux operating system.

Parent Process: The process.parent.name field shows the parent process as bash, confirming it was executed via the terminal.

Although the logs contain many additional details, these key fields are the most relevant for understanding the detected activity and will be used in the next step to create an alert.



Step 4: Creating an Alert

Navigate to the Alerts Section:

  • Go to the Alerts section by clicking on it from the left-hand menu.
  • On the Alerts page, you can view a summary of alerts, including severity levels, alert names, and hosts involved.
  • To create new rules, click on the Manage rules button.
  • Click on the Create new rule button at the top-right to open the rule creation wizard.



This will open a rule creation wizard where you can define the conditions and triggers for your alert based on specific events or data patterns.



Select Rule Type:

  • Choose the type of rule you want to create. For example, select Custom Query to create a rule based on specific queries.

Define the Query:

  • In the Index Patterns section, specify the relevant index patterns (e.g., logs-* for process logs).
  • Write the query to filter events. For instance, to detect nmap scans, use:

process.name: "nmap"

Click Continue to proceed to the next step.


In the About Rule section, you can define the following details for your custom rule:

  • Name: Provide a meaningful name for the rule, such as "Nmap Scan Detection".
  • Description: Add a brief description of what the rule does, e.g., "Detects Nmap scans based on process activity logs."
  • Default Severity: Choose a severity level for alerts generated by this rule. Options include Low, Medium, High, and Critical, depending on the importance of the activity.
  • Default Risk Score: Set a numerical risk score (0–100) for alerts. This helps prioritize responses based on potential impact.
  • Tags: Add relevant tags (optional) to help organize or search for this rule, such as "nmap", "port scan", or "custom rule".


In the Schedule Rule section:

  1. Set the interval for the rule to run, e.g., every 5 minutes, to ensure timely detection.
  2. Add a look-back time, like 1 minute, to capture any missed events.

After completing the configuration, click Continue to proceed to the next step.


Set Actions for Triggered Alerts:

  • Select a Connector Type: Choose Email for notifications, which is what this guide uses. Other connectors include IBM Resilient, Webhook, and more.
  • Osquery: Runs automated Osquery queries against the endpoint to investigate the alert.
  • Elastic Defend: Takes automated response actions (e.g., isolating a host or blocking a process) through Elastic's built-in endpoint security solution.


When selecting Email:

  • To: Add recipient email addresses.
  • Subject: Customize the subject, e.g., "Nmap Detection Alert".

Once the configuration is complete, click Create & enable rule to finish creating the alert.
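As an added illustration (not part of the original guide and not Elastic's own code), the rule settings from this step are assembled into a rule definition and evaluated locally over constructed ECS-style process events, so you can see which of the fields identified in Step 3 a match carries into the alert. The `ecs_event` helper, the fixed `NOW` timestamp, and the simplified single-term KQL matcher are assumptions of this example; a real deployment relies on Elastic's query engine, not this function.

```python
from datetime import datetime, timedelta, timezone

# Rule definition mirroring the wizard fields in Step 4; key names follow the Kibana detection-engine rule API.
NMAP_RULE = {
    "name": "Nmap Scan Detection",
    "description": "Detects Nmap scans based on process activity logs.",
    "type": "query", "language": "kuery", "index": ["logs-*"],
    "query": 'process.name: "nmap"',
    "severity": "high", "risk_score": 73,
    "tags": ["nmap", "port scan", "custom rule"],
    "interval": "5m",  # run every 5 minutes
    "from": "now-6m",  # 5-minute interval plus the 1-minute look-back
}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current" time (assumption)

def ecs_event(minutes_ago, name, cmd, parent="bash", user="user", host="parrot"):
    """Build a constructed ECS-style process event (not a real capture)."""
    ts = (NOW - timedelta(minutes=minutes_ago)).isoformat()
    return {"@timestamp": ts, "process": {"name": name, "command_line": cmd,
            "parent": {"name": parent}}, "user": {"name": user}, "host": {"name": host}}

SAMPLE_EVENTS = [
    ecs_event(1, "nmap", "nmap -A -sV localhost"),   # inside the window, matches the rule
    ecs_event(2, "ls", "ls -la /home/user"),         # benign process, no match
    ecs_event(30, "nmap", "nmap -A -sV localhost"),  # older than the window, not picked up this run
]

def get_field(event, dotted):
    """Resolve an ECS dotted field name such as process.parent.name (None if absent)."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def run_rule(rule, events, now=NOW):
    """Evaluate one scheduled run of the rule and return the alerts it raises."""
    window = timedelta(minutes=int(rule["from"][len("now-"):-1]))  # "now-6m" -> 6 minutes
    # Simplified matcher for the single-term KQL form used in the guide: field: "value"
    field, value = (s.strip().strip('"') for s in rule["query"].split(":", 1))
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if now - ts > window or get_field(ev, field) != value:
            continue
        fields = ["host.name", "user.name", "process.command_line", "process.parent.name"]
        alert = {f: get_field(ev, f) for f in fields}  # the key fields from Step 3
        alert.update(rule=rule["name"], severity=rule["severity"], risk_score=rule["risk_score"])
        alerts.append(alert)
    return alerts
```

Note that the rule matches only on process.name, so a renamed nmap binary would not trigger it; process.command_line is kept in the alert so an analyst can see exactly what ran.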



Step 5: Testing the Alert and Verifying Detection


Now that the alert rule has been created, let’s test it by performing another Nmap scan.

  • Run the Nmap Scan:

Open your Linux terminal and execute the following command:

nmap -A -sV localhost

Check the Alerts Section:

After performing the Nmap scan, go to the Alerts section in Elastic Security.

The generated alerts should display the following details:

The alert rule "Nmap Scan Detection" was triggered, confirming that the system identified the scan activity.

The severity is set to High, with a risk score of 73, indicating a significant security event.

The alert specifies that a network event was detected with the process nmap originating from 127.0.0.1.

The alert is associated with the host parrot, where the scan was executed.

This email from Elastic Security confirms the "Nmap Scan Detection" rule was triggered. It includes a link to view the rule in Kibana for further details.



Everything is now set up. This is only a starting point: Elastic Security offers many more capabilities worth exploring.
