(Very) Basic Elastic SIEM Setup

Elastic recently released a SIEM product. This post documents a basic lab setup with Elasticsearch, Kibana, and various beat shippers for security event monitoring.

Important Caveats

This is a lab environment setup without production security configurations. My experience is limited to non-daily ELK usage, so alternative approaches may exist.

Installation Steps

Core Components

Install Elasticsearch and Kibana on Ubuntu 18.04 using official guides.

Elasticsearch Configuration

Modifications to elasticsearch.yml were required:

  • Set network.host to 0.0.0.0 so Elasticsearch listens on all interfaces and accepts remote connections (by default it binds only to loopback)
  • Added discovery.type: single-node so Elasticsearch forms a single-node cluster without waiting for other nodes

Kibana Configuration

The matching change in kibana.yml (server.host set to 0.0.0.0) makes Kibana reachable from remote machines as well.

Verification

Test connectivity with curl against the server's actual IP rather than localhost: that is the address the beats on other hosts will use, so a check that only succeeds on 127.0.0.1 proves nothing about whether they can connect.
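The two configuration edits and the connectivity check above, as an added example that is not part of the original post: it parses constructed excerpts of elasticsearch.yml and kibana.yml for the lab values, refuses loopback targets the way the post warns against, and builds the same /_cluster/health request the curl check makes. The 192.0.2.10 address, the sample config text and the function names are assumptions for this example.

```python
"""Added example (not from the original post): check the lab settings in
elasticsearch.yml / kibana.yml and build the probe that beats on other
machines will need. The 192.0.2.10 address and the config excerpts are
constructed for this example."""
import ipaddress
import json
import urllib.request

# Constructed excerpts of the two files the post edits (lab values only).
SAMPLE_ES_YML = """\
# elasticsearch.yml (constructed lab excerpt)
network.host: 0.0.0.0
discovery.type: single-node
"""
SAMPLE_KIBANA_YML = """\
# kibana.yml (constructed lab excerpt)
server.host: "0.0.0.0"
"""


def yaml_scalars(text):
    """Parse flat 'key: value' lines (enough for these excerpts); strip quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip("\"'")
    return out


def missing_lab_settings(es_text, kibana_text):
    """Return the names of settings that still differ from the lab values."""
    es = yaml_scalars(es_text)
    kb = yaml_scalars(kibana_text)
    wanted = {
        "elasticsearch.yml network.host": (es.get("network.host"), "0.0.0.0"),
        "elasticsearch.yml discovery.type": (es.get("discovery.type"), "single-node"),
        "kibana.yml server.host": (kb.get("server.host"), "0.0.0.0"),
    }
    return [name for name, (got, want) in wanted.items() if got != want]


def is_remote_target(host):
    """Beats on other machines cannot reach a loopback address."""
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname: assume it resolves to the real interface


def es_url(host, port=9200):
    """Base URL for Elasticsearch on the given host (9200 is the default port)."""
    return f"http://{host}:{port}"


def probe_cluster_health(host, port=9200, timeout=5):
    """GET /_cluster/health, the request the post's curl check makes."""
    if not is_remote_target(host):
        raise ValueError(f"use the server's real IP, not {host}")
    with urllib.request.urlopen(f"{es_url(host, port)}/_cluster/health",
                                timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("settings still missing:", missing_lab_settings(SAMPLE_ES_YML, SAMPLE_KIBANA_YML))
    print("probe URL:", es_url("192.0.2.10"))  # constructed lab address
```

Run it against the real files by reading them into the two text arguments; probe_cluster_health is the only function that needs a running cluster, and it deliberately raises before sending anything when given localhost.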

Data Collection

Deploy beat shippers on Windows hosts:

  • Winlogbeat: Collects Windows event logs
  • Packetbeat: Requires WinPcap to be installed first; run it from a command prompt rather than PowerShell so that startup errors are actually visible
  • Packetbeat interface selection: Choose the network interface(s) to capture from (the packetbeat.interfaces.device setting in packetbeat.yml)

SIEM Interface Features

Access the Kibana SIEM module at <IP>:5601. Key capabilities include:

  • Hosts dashboard: Overview of monitored systems
  • Event search: Query logs using intuitive search interface
  • Timeline analysis: Drag-and-drop filtering by fields like source IP
  • JA3 hash support: Identify TLS fingerprints and correlate similar handshakes across systems
  • Raw JSON access: View complete event details

Investigation Workflow

I demonstrated tracking a PowerShell web request, then pivoted through network events, destination IPs, and TLS fingerprints, showing how quickly complex queries can be constructed through the GUI's drag-and-drop interface.
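The same pivot expressed as code, added here as an example that is not part of the original post and replaces no Kibana feature: starting from a Winlogbeat process-creation event for powershell.exe, it collects the host's network events in a short window, the destination IPs they reached, the JA3 hashes Packetbeat recorded for those destinations, and finally the other monitored hosts that produced the same JA3 (the cross-system correlation the JA3 bullet above describes). The events, host names, IPs and the JA3 values are constructed; the field names follow the ECS layout Beats use (event.code, process.name, destination.ip, tls.client.ja3), and the window length is an assumption.

```python
"""Added example (not from the original post): the PowerShell -> network
-> destination -> JA3 pivot as code over constructed Beats-style events."""
from datetime import datetime, timedelta

JA3_A = "0f1a2b3c4d5e6f708192a3b4c5d6e7f8"  # constructed hash, not a real fingerprint
JA3_B = "ffeeddccbbaa99887766554433221100"  # constructed hash, not a real fingerprint

# Constructed events in the shape Winlogbeat (4688) and Packetbeat (flow/tls) emit.
EVENTS = [
    {"@timestamp": "2019-07-01T10:00:00Z", "host": {"name": "WS01"},
     "event": {"code": "4688"}, "process": {"name": "powershell.exe"}},
    {"@timestamp": "2019-07-01T10:00:02Z", "host": {"name": "WS01"},
     "event": {"dataset": "flow"}, "source": {"ip": "10.0.0.11"},
     "destination": {"ip": "203.0.113.5", "port": 443}},
    {"@timestamp": "2019-07-01T10:00:02Z", "host": {"name": "WS01"},
     "event": {"dataset": "tls"}, "source": {"ip": "10.0.0.11"},
     "destination": {"ip": "203.0.113.5", "port": 443},
     "tls": {"client": {"ja3": JA3_A}}},
    # Same host, much later: outside the pivot window, so not attributed.
    {"@timestamp": "2019-07-01T10:30:00Z", "host": {"name": "WS01"},
     "event": {"dataset": "tls"}, "source": {"ip": "10.0.0.11"},
     "destination": {"ip": "198.51.100.20", "port": 443},
     "tls": {"client": {"ja3": JA3_B}}},
    # Another host whose TLS client produced the same JA3 to a different IP.
    {"@timestamp": "2019-07-01T11:15:00Z", "host": {"name": "WS02"},
     "event": {"dataset": "tls"}, "source": {"ip": "10.0.0.12"},
     "destination": {"ip": "203.0.113.9", "port": 443},
     "tls": {"client": {"ja3": JA3_A}}},
    # A third host with an unrelated fingerprint.
    {"@timestamp": "2019-07-01T11:20:00Z", "host": {"name": "WS03"},
     "event": {"dataset": "tls"}, "source": {"ip": "10.0.0.13"},
     "destination": {"ip": "203.0.113.5", "port": 443},
     "tls": {"client": {"ja3": JA3_B}}},
]


def field(doc, path, default=None):
    """Read a dotted ECS field ('tls.client.ja3') from a nested document."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def ts(doc):
    return datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def process_starts(events, name):
    """Windows 4688 process-creation events for the given image name."""
    return [e for e in events
            if field(e, "event.code") == "4688"
            and field(e, "process.name", "").lower() == name.lower()]


def network_after(events, host, start, window_s):
    """Network events from the same host within window_s seconds of start."""
    end = start + timedelta(seconds=window_s)
    return [e for e in events
            if field(e, "host.name") == host
            and field(e, "destination.ip") is not None
            and start <= ts(e) <= end]


def ja3_for_destination(events, dst_ip):
    """JA3 hashes seen in TLS handshakes to a destination, from any host."""
    return {field(e, "tls.client.ja3") for e in events
            if field(e, "destination.ip") == dst_ip and field(e, "tls.client.ja3")}


def hosts_with_ja3(events, ja3):
    """Every monitored host whose TLS client produced this fingerprint."""
    return sorted({field(e, "host.name") for e in events
                   if field(e, "tls.client.ja3") == ja3})


def investigate(events, process_name="powershell.exe", window_s=30):
    """Run the full pivot; one report entry per process start."""
    report = []
    for proc in process_starts(events, process_name):
        host = field(proc, "host.name")
        net = network_after(events, host, ts(proc), window_s)
        dests = sorted({field(e, "destination.ip") for e in net})
        ja3s = set()
        for dst in dests:
            ja3s |= ja3_for_destination(events, dst)
        others = {h for j in ja3s for h in hosts_with_ja3(events, j)} - {host}
        report.append({"host": host, "destinations": dests,
                       "ja3": sorted(ja3s), "other_hosts_same_ja3": sorted(others)})
    return report


if __name__ == "__main__":
    for entry in investigate(EVENTS):
        print(entry)
```

The 30-second window is what turns "this host made a connection" into "this process probably made it"; Winlogbeat does not tie a 4688 event to the Packetbeat flow, so the window is the analyst's assumption and should be stated in the write-up. Note that the JA3 lookup is done by destination from any host, which is why WS03's unrelated fingerprint to the same IP is reported alongside JA3_A.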