ELK Detection Lab
An ELK environment loaded with the following datasets:
- Mordor from Roberto Rodriguez @Cyb3rWard0g and Jose Luis Rodriguez @Cyb3rPandaH
- EVTX-ATTACK-SAMPLES from Samir Bousseaden SBousseaden
- malware-traffic-analysis.net PCAPs from @malware_traffic processed with Suricata.
Thanks to the authors of the datasets as well as:
- Shinta Nakano for evtx2es that I used to import the EVTX-ATTACK-SAMPLES dataset.
Prerequisites
You need at least:
- a working Docker CE installation with docker-compose
- 8 GB free disk space
- 2 GB RAM for a reasonable Elasticsearch performance
Installation
Clone this repository and the dataset submodules with:
git clone --recurse-submodules https://github.com/thomaspatzke/elk-detection-lab.git
Run this command to start the ELK environment and import the datasets:
./elk-detection-lab.sh init
Wait at least until the document count of all winlogbeat-*
and filebeat-*
indices stops to
increase which can take several 10 minutes.
After this was run once, the ELK environment can be started without importing the data again:
./elk-detection-lab.sh run
Usage
Open the local Kibana in your browser.
The Windows log data starts in November 2018 and the field naming follows the ECS scheme and Winlogbeat 7 conventions.
The data created from the malware-traffic-analysis.net PCAPs is located in the index filebeat-*
and goes back to 2013. Please adjust the Kibana time range accordingly.