DEV Community

Austin

Creating a SIEM Homelab with Elastic Cloud!

The Why

I think that it's important to understand the why when you decide to do any project. I have been diving into Cybersecurity for a while now while I am currently unemployed. I've done a lot of focus on the red team side of things and have completed the Junior Penetration Tester learning path from TryHackMe. I also have purchased a voucher for the TCM Security PJPT (Practical Junior Penetration Tester) certification.

Of course, being unemployed, I am looking for a job. While I very much enjoy attacking, I understand that the end goal for any successful red team engagement or penetration test is to solidify a good defense. In order for me to be valuable to a team or even as a freelancer, I need to be able to understand what makes a good defense and how to properly patch holes that I find while I attack.

Finally, I do understand that though I have 7 years of experience in Support Engineering, getting a job on the red side is not typically an entry into cybersecurity. I enjoy all aspects of cybersecurity, and I know that my best bet is to get my foot in the door on the blue team. Thus, I have taken a short couple of days' break from studying for the PJPT via TCM's PEH (Practical Ethical Hacker) learning path to set up a homelab with Elastic Cloud.

The Goal

My goal for this small project was not to dive into the weeds and create custom alerts and Kibana dashboards yet. I am right about to start the Active Directory section of the PEH, and I didn't want to overload myself with knowledge and then not be able to retain as much when it comes time to take the PJPT.

My goal for this project was to successfully deploy a hosted cloud instance of the Elastic Stack, add an agent, and play around with Discover to see how things work from a higher level. I have some experience with utilizing Splunk to review email deliverability logs from a previous employer, so I figured I would be able to find some basic logs in order to call this project a success.

Initial Setup

After reviewing documentation from Elastic, and watching this video from John Hammond, I figured that this project wouldn't take too much time away from studying for the PJPT, and I decided to dive in.

I started off by choosing Elastic Cloud via a hosted deployment as it would allow me to get straight into things with minimal headache for the time being (I do plan on doing this on bare metal and diving deeper later).

I then chose the Elastic Security option, as it came with everything I'd want for a homelab SIEM.

I then picked a super creative name for my deployment, and left the rest of the settings at their defaults, as they seemed good enough for this project and also considering it's a 14-day free trial.

If you decide that you want to do this yourself, after you press "Create Hosted Deployment", you will want to make sure you save the credentials that are provided on the next screen. That is VERY important.

After waiting for my deployment to be fully configured, I was eventually met with a success banner letting me know my deployment was ready!

The first thing I do in any application I use is switch to dark mode. I have blue eyes, and this is essential for my comfort. Here is the screen you're met with (in dark mode, of course!)

And we're in! Onto the next step.

Adding an Agent

So now that Elastic Cloud is deployed, the next important step is to add an agent. For an agent, I decided to deploy a VM specifically for this project.

Setting up a Virtual Machine to use as an Agent

I started by creating an Arch Linux Virtual Machine. Now, I know what you're thinking: Arch Linux is a bit of an undertaking only to be deployed as an agent for this project. For one, I use Arch as my main Linux distro. I don't use Windows at home anymore. I've gotten very fast at installing Arch Linux manually, but there is also the archinstall script, which I ran for this VM as I didn't need anything fancy. The installation also takes less time than deploying an Ubuntu Server VM. So with these points in mind, my choice of OS was both practical and fast.

Adding the Agent into Elastic

This process was actually pretty simple for me. You just need to navigate to the following: Assets > Agents > Add Agent

I left everything at its defaults again for now.

I then made sure to keep the box checked for enrolling in Fleet. From there, I initially made the mistake of copying down the incorrect script. I chose the ARM script instead of x86-64. For some reason, it was the default script shown, and I didn't pay attention to the full descriptor and just saw Linux.

Before realizing my mistake with the incorrect script, I tried to copy and paste from my host to my VM. I was having issues with VirtualBox when attempting this (I normally use QEMU + KVM). To work around it for now, I decided to just open up a web server using Python on my host machine and then pull the script from a text file I created on my host to my VM.

After troubleshooting why the elastic-agent script wasn't working, I realized my mistake and copied the correct script. The script is provided to you in the installer. Just be sure to double-check that you are using the correct script, unlike I did initially.
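As an added example (not from the post), here is a small POSIX shell script that picks the Elastic Agent Linux tarball matching the VM's actual CPU architecture and checks the download against its published .sha512 file before anything is installed, which avoids the ARM vs x86-64 mix-up above. It assumes Elastic's standard artifact naming; VERSION, the Fleet URL and the enrollment token are placeholders taken from the Add Agent screen.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes Elastic's artifact naming
# elastic-agent-<VERSION>-linux-<ARCH>.tar.gz with a .sha512 sidecar file.

# Map `uname -m` output to the architecture label Elastic uses in artifact names.
# Prints the label, or returns 1 for an architecture with no Linux build.
elastic_arch() {
  case "$1" in
    x86_64|amd64)  echo "x86_64" ;;
    aarch64|arm64) echo "arm64" ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Build the download URL for a given version and architecture label.
artifact_url() {
  echo "https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-$1-linux-$2.tar.gz"
}

# Verify a tarball against its .sha512 sidecar ("<digest>  <filename>" format,
# which sha512sum -c expects). Returns non-zero on mismatch or tampering.
verify_tarball() {
  ( cd "$(dirname "$1")" && sha512sum -c --status "$(basename "$1").sha512" )
}

# Download, verify and unpack; prints the install command with placeholders.
main() {
  version="$1"                                  # e.g. VERSION shown in Fleet
  arch="$(elastic_arch "$(uname -m)")" || exit 1
  url="$(artifact_url "$version" "$arch")"
  name="elastic-agent-$version-linux-$arch"
  curl -fL -O "$url" && curl -fL -O "$url.sha512"
  verify_tarball "./$name.tar.gz" || { echo "checksum mismatch, refusing to install" >&2; exit 1; }
  tar xzf "$name.tar.gz"
  echo "Verified. Now run: sudo ./$name/elastic-agent install --url=<FLEET_URL> --enrollment-token=<TOKEN>"
}

# Only fetch when a version is given on the command line (e.g. ./get-agent.sh VERSION).
if [ "$#" -gt 0 ]; then main "$@"; fi
```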

I ran elastic-agent install and... success!

I now had a working agent connected to my Elastic Cloud deployment!

Final Thoughts and Future Plans

After confirming I could see my agent within Elastic Cloud, I did get around to playing with Discover, and even installed some integrations such as Auditd Manager.

This was a very fun project, and it showed me a lot about Elastic in general. I had never used it before, but I figured now was a better time than any to experiment. I also was able to gain familiarity with the search syntax and was even able to locate logs of SSH connections and attempts!

I will absolutely be diving deeper into Elastic as it is both practical learning and valuable hands-on experience for future employment opportunities. Here are a few goals I have for next steps involving Elastic:

  • Deploy Elastic on my laptop via Docker (until I have a home server)
  • Configure Kibana dashboards
  • Configure a few custom rules
  • Enroll all possible home devices onto my self-hosted Elastic instance for both practical experience and home network security.

For now, I am going to dive back into the PEH and continue to take notes, practice, and learn. This was a fun side project that has given me ideas for larger projects, but I don't want to wear myself thin while studying for a certification exam.

I will definitely be doing more posts soon following my experience and thoughts on the PEH and PJPT. Feel free to follow along with me on my journey with Cybersecurity!
