Setting Up Elastic SIEM: A Step-by-Step Tutorial
Introduction:
Elastic SIEM (Security Information and Event Management) is a powerful security solution provided by Elastic Stack (formerly known as ELK Stack) that helps organizations monitor, detect, and respond to security incidents.
In this tutorial, we will walk you through the process of setting up Elastic SIEM step-by-step.
Before we begin, make sure you have a basic understanding of Elastic Stack components (Elasticsearch, Logstash, Kibana, and Beats).
Prerequisites:
- Elastic Stack version 7.0 or higher installed (Elasticsearch, Kibana, Logstash, and Beats).
- Access to a server or virtual machine with internet connectivity.
Step 1: Configure Elasticsearch
- Open the Elasticsearch configuration file (elasticsearch.yml) located in the config directory of your Elasticsearch installation.
- Make sure the following lines are added or uncommented:
cluster.name: my-elastic-cluster
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
- Save and close the file.
- Restart Elasticsearch to apply the changes.
Step 2: Set up Elasticsearch security
- In the terminal, navigate to the Elasticsearch installation directory.
- Run the following command to set up passwords for built-in users:
./bin/elasticsearch-setup-passwords auto
- Save the generated passwords for future reference.
Step 3: Configure Kibana
- Open the Kibana configuration file (kibana.yml) located in the config directory of your Kibana installation.
- Make sure the following lines are added or uncommented:
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_password>"
Replace <kibana_password> with the password you generated in Step 2.
- Save and close the file.
- Restart Kibana to apply the changes.
Step 4: Install Filebeat and configure data ingestion
- Download and install Filebeat on the server where logs are generated (e.g., web servers, application servers).
- Open the Filebeat configuration file (filebeat.yml) located in the config directory of your Filebeat installation.
- Configure the input by adding or uncommenting the following lines:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/your/logfiles/*.log
Replace /path/to/your/logfiles/ with the actual path to your log files.
- Configure the output by adding or uncommenting the following lines:
output.elasticsearch:
  hosts: ["http://<elasticsearch_host>:9200"]
  username: "filebeat_internal"
  password: "<filebeat_password>"
Replace <elasticsearch_host> with the IP address or hostname of your Elasticsearch server, and <filebeat_password> with the password you generated in Step 2.
- Save and close the file.
- Run the following command to enable Filebeat's system module:
./bin/filebeat modules enable system
- Run the following command to set up Filebeat:
./bin/filebeat setup
- Start Filebeat by running:
./bin/filebeat -e
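Steps 1 to 4 leave several places where a copied value can silently be wrong: a <...> placeholder from Step 2 never replaced, xpack.security.enabled switched off while network.host binds every interface, or a remote Elasticsearch host reached over plain http with a password in the same file. The following Python script is an added example, not part of this tutorial and not an Elastic tool; it runs those checks over constructed copies of the three files (two defects are planted in them). The parser handles only the flat key: value lines the tutorial uses, and the hosts/placeholder checks are regex based so they also work on the nested filebeat.yml. One caveat it cannot check: elasticsearch-setup-passwords only sets passwords for the built-in users, so a filebeat_internal user as in Step 4 has to be created separately, with a role allowed to write the filebeat-* indices.

```python
import re
from typing import Dict, List

# Constructed sample configs (not copied from any real deployment). They use the
# same keys the tutorial sets, with two planted defects: security is switched
# off in elasticsearch.yml, and the Kibana password placeholder was never replaced.
SAMPLE_ELASTICSEARCH_YML = """\
cluster.name: my-elastic-cluster
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

SAMPLE_KIBANA_YML = """\
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_password>"
"""

SAMPLE_FILEBEAT_YML = """\
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/*.log
output.elasticsearch:
  hosts: ["http://10.0.0.5:9200"]
  username: "filebeat_internal"
  password: "example-only-password"
"""

PLACEHOLDER = re.compile(r"<[a-z_]+>")   # the tutorial's <kibana_password>-style tokens
HOSTS_LINE = re.compile(r"^\s*(?:elasticsearch\.)?hosts:\s*\[(.*)\]", re.MULTILINE)
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
ALL_INTERFACES = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Collect top-level `key: value` lines, quotes stripped. Indented lines,
    list items and comments are skipped; every setting the tutorial puts in
    elasticsearch.yml and kibana.yml is a flat key, so this is enough here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw or raw[0] in " \t-#":
            continue
        key, sep, value = raw.partition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def find_placeholders(text: str) -> List[str]:
    """A `<name>` token still in the file means a Step 2 password or a host was
    never filled in; the component would then fail to authenticate or connect."""
    return sorted(set(PLACEHOLDER.findall(text)))


def plaintext_remote_hosts(text: str) -> List[str]:
    """Elasticsearch URLs using http:// to a non-loopback host: the username and
    password in the same file would cross the network unencrypted."""
    found = []
    for match in HOSTS_LINE.finditer(text):
        for url in re.findall(r'"([^"]+)"', match.group(1)):
            hostport = url.split("://", 1)[-1]
            host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
            if url.startswith("http://") and host not in LOOPBACK:
                found.append(url)
    return found


def check_elasticsearch(text: str) -> List[str]:
    """Checks for elasticsearch.yml (Step 1)."""
    s = parse_flat_yaml(text)
    issues = []
    secured = s.get("xpack.security.enabled", "false").lower() == "true"
    if not secured:
        issues.append("xpack.security.enabled is not true: the REST API requires no login")
    if not secured and s.get("network.host") in ALL_INTERFACES:
        issues.append(f"network.host {s['network.host']} exposes that unauthenticated API "
                      f"on every interface (port {s.get('http.port', '9200')})")
    issues += [f"unreplaced placeholder {p}" for p in find_placeholders(text)]
    return issues


def check_client_config(text: str) -> List[str]:
    """Checks shared by kibana.yml (Step 3) and filebeat.yml (Step 4): both carry
    hosts/username/password for Elasticsearch (nested in filebeat.yml, hence regexes)."""
    issues = [f"unreplaced placeholder {p}" for p in find_placeholders(text)]
    issues += [f"credentials sent over plain http to {u}" for u in plaintext_remote_hosts(text)]
    return issues


if __name__ == "__main__":
    for name, text, check in (("elasticsearch.yml", SAMPLE_ELASTICSEARCH_YML, check_elasticsearch),
                              ("kibana.yml", SAMPLE_KIBANA_YML, check_client_config),
                              ("filebeat.yml", SAMPLE_FILEBEAT_YML, check_client_config)):
        for issue in check(text) or ["no issues found"]:
            print(f"{name}: {issue}")
```

Point the three check functions at the real files (read them with open()) once your own values are in place; a clean run prints "no issues found" for each. The http check is deliberately silent for localhost, which is what the tutorial's Kibana config uses, and only complains when the password would leave the machine.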
Step 5: Enable Elastic SIEM in Kibana
- Open Kibana in your web browser by navigating to http://<kibana_host>:5601, replacing <kibana_host> with the IP address or hostname of your Kibana server.
- Log in with your Elasticsearch credentials (the elastic user and the password generated in Step 2).
- On the left sidebar, click on the "hamburger" menu icon to expand the navigation menu.
- Click on "Stack Management" at the bottom of the menu.
- Click on "Advanced Settings" under the Kibana section.
- Search for "siem" in the search bar.
- Set the "xpack.siem.enabled" setting to "true."
- Click "Save changes" at the top right corner of the page.
Step 6: Explore Elastic SIEM
- In the Kibana navigation menu, click on "Security" to access the Elastic SIEM app.
- You will see various tabs such as "Overview," "Hosts," "Network," "Timelines," "Cases," "Rules," and "Management." Explore these tabs to get familiar with Elastic SIEM and its features.
- Use the "Rules" tab to create and manage detection rules that will alert you to security incidents based on the ingested data.
Step 7: Create custom rules (optional)
- In the "Rules" tab, click on "Create new rule."
- Choose a rule type, such as "Threshold" or "Machine Learning."
- Fill in the required fields, such as "Name," "Severity," "Risk Score," "Index Patterns," "Custom Query," "Threshold," etc.
- Configure the rule actions, such as creating an incident in an external system, sending an email, or generating an alert in Kibana.
- Click "Create and activate rule" to save and enable the rule.
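To make concrete what the "Threshold" rule type does with the data Filebeat ingested, here is an added Python example; it is not part of this tutorial and not Kibana's own rule engine or rule format. The rule dictionary uses the form fields named above (Name, Severity, Risk Score, Index Patterns, Custom Query, Threshold) in a shape chosen for this example, and the events are constructed ECS-style records of the kind Filebeat's system module produces from sshd authentication logs. One rule execution keeps the events inside the look-back window that match the query, groups them by the threshold field and raises one alert per group that reaches the threshold value.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Rule definition built from the fields the "Create new rule" form asks for.
# This dictionary layout is the example's own, not Kibana's rule export format.
RULE = {
    "name": "Repeated failed logins from one source",
    "severity": "medium",
    "risk_score": 47,
    "index_patterns": ["filebeat-*"],
    "custom_query": {"event.category": "authentication", "event.outcome": "failure"},
    "threshold": {"field": "source.ip", "value": 5},
    "lookback": timedelta(minutes=5),
}


def _event(ts: str, outcome: str, ip: str, user: str) -> Dict:
    return {"@timestamp": datetime.fromisoformat(ts), "event.category": "authentication",
            "event.outcome": outcome, "source.ip": ip, "user.name": user}


# Constructed sample events (documentation IP ranges, not real traffic), in time order.
EVENTS = [
    _event("2024-01-01T10:00:05", "failure", "203.0.113.7", "root"),
    _event("2024-01-01T10:00:09", "failure", "203.0.113.7", "admin"),
    _event("2024-01-01T10:00:14", "failure", "203.0.113.7", "oracle"),
    _event("2024-01-01T10:00:20", "failure", "203.0.113.7", "test"),
    _event("2024-01-01T10:00:31", "failure", "203.0.113.7", "root"),
    _event("2024-01-01T10:01:00", "success", "203.0.113.7", "root"),
    _event("2024-01-01T10:02:00", "failure", "198.51.100.2", "alice"),
    _event("2024-01-01T10:02:30", "failure", "198.51.100.2", "alice"),
    _event("2024-01-01T10:03:00", "success", "198.51.100.2", "alice"),
]


def matches_query(rule: Dict, event: Dict) -> bool:
    """The custom query here is a simple AND of field equalities."""
    return all(event.get(field) == value for field, value in rule["custom_query"].items())


def evaluate_threshold_rule(rule: Dict, events: List[Dict], now: datetime) -> List[Dict]:
    """One execution of the rule at time `now`: filter to the look-back window and
    the query, group by the threshold field, alert on groups at or above the value."""
    window_start = now - rule["lookback"]
    groups: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        if window_start <= ev["@timestamp"] <= now and matches_query(rule, ev):
            groups[ev[rule["threshold"]["field"]]].append(ev)
    alerts = []
    for key, hits in groups.items():
        if len(hits) >= rule["threshold"]["value"]:
            alerts.append({
                "rule": rule["name"], "severity": rule["severity"], "risk_score": rule["risk_score"],
                rule["threshold"]["field"]: key, "count": len(hits),
                "users_tried": sorted({h["user.name"] for h in hits}),
                "first": hits[0]["@timestamp"].isoformat(), "last": hits[-1]["@timestamp"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for run_at in ("2024-01-01T10:05:00", "2024-01-01T10:06:00"):
        result = evaluate_threshold_rule(RULE, EVENTS, datetime.fromisoformat(run_at))
        print(run_at, result or "no alerts")
```

The first run (10:05) alerts on 203.0.113.7 with five failures against four different user names, while the two failures from 198.51.100.2 followed by a success stay below the threshold. The second run (10:06) returns nothing: the five failures now sit outside the 5-minute look-back. That is the property to keep in mind when filling in the rule's schedule in Kibana: the run interval and the look-back window have to overlap, or events that fall between two executions are never counted.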
Conclusion:
You have now successfully set up Elastic SIEM and can use it to monitor, detect, and respond to security incidents in your environment.
Continue to explore its features and customize it to your organization's needs.
Remember to regularly update your Elastic Stack components and rules to stay up-to-date with the latest security threats and best practices.