Elasticsearch/Kibana environment and log data for Sigma workshop

thomaspatzke/sigma-workshop

Sigma Workshop

Content

This repository contains content and scripts for setting up an Elasticsearch and Kibana environment with logs of a Windows system on which some typical attack tools were executed.

The logs contain events from Sysmon 8.0 running with the SwiftOnSecurity configuration, in addition to the default Windows System, Security and Application logs.

Further, the Sigma repository is included as a Git submodule. Clone this repository as follows to get everything:

git clone --recursive https://github.com/thomaspatzke/sigma-workshop.git

Installation

Elasticsearch/Kibana Docker Environment

The workshop environment was tested successfully on Linux Mint 18.3 and should therefore also work on Ubuntu 16.04. Install Docker CE from Docker's own package repository: make sure you install the docker-ce package and avoid the outdated docker, docker-engine and docker.io packages.

First, start the Elasticsearch/Kibana stack with Docker Compose:

docker-compose up

This takes a while. Wait until the environment is running; you can verify this by opening Kibana in a browser. If it shows no errors about Elasticsearch being unavailable, the environment is ready.

WARNING: The script mentioned below destroys any existing Kibana configuration! Don't use it on production systems or anywhere else you don't want this to happen!

Install the index templates, the log index and the Kibana configuration index by running ./sigma_workshop_prepare_es.sh.

If you plan to use an existing Elasticsearch installation for this workshop, you can pass its host and port as the first command line parameter: ./sigma_workshop_prepare_es.sh elk:9201
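The steps above require waiting until the stack is up before the prepare script is run. As an added helper (not part of this repository), the following Python script polls Elasticsearch's cluster health endpoint and Kibana's status API and returns once both answer, so the prepare script can be chained after it. It assumes the stack's default ports, 9200 for Elasticsearch and 5601 for Kibana, on localhost; those defaults are an assumption rather than something this README states, and other base URLs can be given as command line arguments.

```python
"""Block until Elasticsearch and Kibana are up; then it is safe to run the prepare script.

Added helper for the setup steps above, not part of the sigma-workshop repository.
Assumes the stack's default ports (Elasticsearch 9200, Kibana 5601) on localhost;
other base URLs can be given as the two command line arguments.
"""
import json
import sys
import time
import urllib.request


def elasticsearch_ready(health_body):
    """True when /_cluster/health reports green or yellow (yellow is normal on a single node)."""
    return json.loads(health_body).get("status") in ("green", "yellow")


def kibana_ready(status_body):
    """True when /api/status reports Kibana as usable.

    Kibana 6/7 report status.overall.state == "green"; Kibana 8 reports
    status.overall.level == "available". Both forms are accepted.
    """
    overall = json.loads(status_body).get("status", {}).get("overall", {})
    return overall.get("state") == "green" or overall.get("level") == "available"


def fetch(url):
    """Return the response body, or None while the service is still starting up."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:  # connection refused, DNS failure, HTTP 5xx, timeout
        return None


def wait_for(url, predicate, timeout=600, interval=5):
    """Poll url until predicate(body) holds; raise TimeoutError after timeout seconds."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        body = fetch(url)
        try:
            if body is not None and predicate(body):
                return True
        except ValueError:  # body is not JSON yet (e.g. a startup HTML page)
            pass
        time.sleep(interval)
    raise TimeoutError(f"{url} not ready after {timeout} seconds")


if __name__ == "__main__":
    es_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9200"
    kibana_url = sys.argv[2] if len(sys.argv) > 2 else "http://localhost:5601"
    wait_for(es_url + "/_cluster/health", elasticsearch_ready)
    wait_for(kibana_url + "/api/status", kibana_ready)
    print("Elasticsearch and Kibana are up; run ./sigma_workshop_prepare_es.sh now")
```

Save it as, for example, wait_for_stack.py and chain it with the prepare script: `python3 wait_for_stack.py && ./sigma_workshop_prepare_es.sh`. Yellow cluster health is accepted deliberately, because a single-node stack never reaches green for indices with replicas.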

Sigma dependencies

Sigma requires Python 3.6 and PyYAML. On Ubuntu, these can be installed with (as root):

apt-get install python3 python3-yaml

With an existing Python 3 installation, the dependencies can be installed with:

pip3 install -r sigma/tools/requirements.txt

In addition, PyMISP is required for the sigma2misp tool. It can be installed with

pip3 install pymisp

or

pip3 install -r sigma/tools/requirements-misp.txt

If you don't want to mess with your system Python installation, you can also work from a virtual environment. Sigma supports Pipenv. Run the following command from the Sigma directory to set up and activate a virtual environment with all dependencies installed:

pipenv shell

MISP

For the hands-on sigma2misp exercises a MISP instance is required. I can recommend the MISP-dockerized project from DCSO. Run the following commands and answer the prompts to install one:

git clone https://github.com/DCSO/MISP-dockerized.git
cd MISP-dockerized
make install

Usage

The logs cover the time frame from 14:45 to 15:20 on 2019-09-19 and can be viewed in Kibana.
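The workshop exercises consist of writing Sigma rules over these logs and converting them into queries Elasticsearch understands. As an added example, which is neither code from this repository nor Sigma's own sigmac, the following Python script evaluates a small Sigma rule against a few constructed Sysmon-style events and renders the same rule as a Lucene query string of the kind Kibana's query bar accepts. The rule, the events, the benign-parent exclusion and the base64 blobs are all constructed for illustration. It assumes plain Sysmon field names (EventID, Image, CommandLine, ParentImage); the workshop's index template may nest them under a prefix, in which case the field names need adjusting.

```python
"""Minimal Sigma rule evaluator and Lucene (Elasticsearch query_string) converter.

Added example for the workshop; not code from the sigma-workshop repository or from
Sigma's sigmac. Supports map-style selections with the value modifiers contains,
startswith and endswith, and conditions built from identifiers, 'and', 'or', 'not'.
"""

# Parsed form of a Sigma rule file (yaml.safe_load() on the YAML yields this dict).
# Rule, exclusion and values are constructed for illustration, not taken from the logs.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": 1,                                          # Sysmon process creation
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],  # a list of values is an OR
            "CommandLine|contains": "-enc",
        },
        "filter": {"ParentImage|endswith": "\\MonitoringHost.exe"},  # assumed benign parent
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon-style events (not from the workshop data set); base64 blobs are placeholders.
EVENTS = [
    {"RecordNumber": 1, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="},
    {"RecordNumber": 2, "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBBAEEAQQA="},
    {"RecordNumber": 3, "EventID": 3, "DestinationPort": 443,  # network connection, not process creation
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordNumber": 4, "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand QQBBAEEAQQA="},
]

# Sigma value modifiers; matching is case-insensitive, so both sides are lowercased first.
MODIFIERS = {
    "": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "startswith": lambda actual, value: actual.startswith(value),
    "endswith": lambda actual, value: actual.endswith(value),
}
# The same modifiers expressed as Lucene wildcard patterns.
WILDCARD = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
LUCENE_SPECIAL = set('+-=&|!(){}[]^"~*?:\\/ ')


def field_matches(event, key, expected):
    """Match one 'Field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    values = expected if isinstance(expected, list) else [expected]
    return any(MODIFIERS[modifier](actual, str(v).lower()) for v in values)


def selection_matches(event, selection):
    """Every field of a map-style selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition, results):
    """Evaluate identifiers joined by 'and'/'or'/'not' (no parentheses, no '1 of')."""
    outcome = False
    for disjunct in condition.split(" or "):
        conj = True
        for term in (t.strip() for t in disjunct.split(" and ")):
            negate = term.startswith("not ")
            conj = conj and (results[term[4:].strip() if negate else term] != negate)
        outcome = outcome or conj
    return outcome


def run_rule(rule, events):
    """Return the RecordNumbers of the events the rule fires on."""
    detection = rule["detection"]
    hits = []
    for event in events:
        results = {n: selection_matches(event, s) for n, s in detection.items() if n != "condition"}
        if evaluate_condition(detection["condition"], results):
            hits.append(event["RecordNumber"])
    return hits


def lucene_escape(value):
    """Backslash-escape query_string metacharacters (Windows paths need this)."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in str(value))


def selection_to_lucene(selection):
    parts = []
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        terms = [WILDCARD[modifier].format(lucene_escape(v)) for v in values]
        parts.append(f"{field}:{terms[0]}" if len(terms) == 1 else f"{field}:({' OR '.join(terms)})")
    return " AND ".join(parts)


def rule_to_lucene(rule):
    """Render the rule as a Lucene query usable in Kibana's query bar."""
    detection = rule["detection"]
    return " ".join(tok.upper() if tok in ("and", "or", "not")
                    else f"({selection_to_lucene(detection[tok])})"
                    for tok in detection["condition"].split())
```

Running `run_rule(RULE, EVENTS)` fires on records 1 and 4 only: record 2 is suppressed by the filter, record 3 is a network connection rather than a process creation, and record 4 shows why Sigma lowercases both sides, since `-EncodedCommand` satisfies `contains: '-enc'`. `rule_to_lucene(RULE)` produces the query string to paste into Kibana; note that backslashes in the Windows paths are doubled, which is the usual stumbling block when hand-writing such queries.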
