Build a Powerful Home SIEM Lab Without Hassle! (Step by Step Guide)

Views: 164,008

Gerald Auger, PhD - Simply Cyber

A day ago

Welcome to your one-stop guide for building a Free valuable Home SIEM Lab quickly and efficiently! This tutorial will help aspiring SOC analysts get practical experience without having the job yet.
Get Ahead in Your Cybersecurity Career: Practical experience is key in the cybersecurity field. This video provides you with actionable skills and knowledge.🚀
📒 Show Notes 📒
Simple Home Siem Lab Blog: / a-simple-elastic-siem-lab
So You Want to Be A SOC Analyst Blog post:
blog.ecapuano....
GET SOC ANALYST EXPERIENCE KZfaq VIDEO:
• Master SOC Analyst Ski...
Virtual Box Download
www.virtualbox...
Kali VM Download
www.kali.org/g...
🚨 RESUME BULLETS: 🚨
Elastic Stack SIEM Configuration and Management: Successfully set up and configured Elastic Stack SIEM in a home lab environment. Demonstrated proficiency in deploying a Kali Linux VM, configuring Elastic Agents for log collection, and forwarding data to the SIEM for effective security event monitoring.
Security Event Simulation and Analysis: Acquired hands-on experience in generating and analyzing security events using Nmap on Kali Linux. Proficient in querying Elastic SIEM to identify and investigate security incidents, enhancing skills in network security monitoring and threat detection.
Visualization and Alerting in SIEM: Developed a custom dashboard in Elastic SIEM to visualize security events, demonstrating skills in data interpretation and pattern recognition. Successfully created and tested alert rules for detecting specific security events, showing competency in proactive incident response and alert management.
⏰ Markers
0:00 Preview
Simply Cyber's mission is to help purpose-driven professionals make and take a cybersecurity career further, faster.
📱 Social Media
Let's Connect: linktr.ee/Simp...
🔥 The Best Free Cyber Resources
simplycyber.io/
📷 🎙 💡 MY STUDIO SETUP
kit.co/GeraldA...
🙌🏼 Donate
Like the channel and got value? Please consider supporting the channel
www.buymeacoff...
😎 Merch 😎
👉🏼 Simply Cyber Branded Gear: www.simplycybe...
Disclaimer: All content reflects the thoughts and opinions of Gerald Auger and the speakers themselves, and are not affiliated with the employer of those individuals unless explicitly stated.

Comments: 136
@levelupgoddess9289 4 months ago
I seriously need to start building my labs so I can get some “experience” under my belt. I need a tech job like yesterday.
@BJMolette a month ago
have you tried it?
@havoc_plays1935 a month ago
Me too
@xCheddarB0b42x 6 months ago
Employers are looking for candidates with hands-on experience. With home lab projects like this, you can build this experience at home outside of any enterprise environment. These activities are _more important_ than certifications or even degrees to Hiring Managers. People at three large companies each told me that. So get crackin
@seann9501 20 days ago
Great advice; thank you
@valyntyno 7 months ago
Probably the most concise, easy-to-follow home SOC lab setup I have seen so far. Kudos to Gerry Auger and to Abdullahi Ali for trying to make these highly marketable cybersecurity skills available to as many people as possible 🙏🏼
@SimplyCyber 7 months ago
that was the goal so NAILED IT! thx for the comment.
@Zikanshi-AG 6 months ago
This is awesome. I initially thought building a SIEM was actually never possible as an entry level SOC analyst. Thank you
@limit_limitless9875 6 months ago
As someone who was forced to change career paths and decided to go with IT you are a saint. I'll be sure to check out more videos. Thank you.
@SimplyCyber 6 months ago
Thx. Really great compliment. 💙
@nerminzlatanovic 7 months ago
This is amazing! I’m going to add this to my Home Lab. I am already using Elastic in my SOC Analyst course with HTB. Thank you Dr. Auger for creating this video and sharing it!
@johnvardy9559 5 months ago
How is it going?
@user-gc4mx8zk4e 8 days ago
Thank you so much. I remember doing this in class in our labs; unfortunately I do not have access to these labs since I have graduated, which I think sucks, so you have opened up an opportunity to really keep abreast of my cybersecurity skills.
@socrayhte 5 months ago
As a newbie on the SOC pathway, this is amazingly simple to follow. A capital THANK YOU to you!
@jasonp3484 7 months ago
Great video with actual walk through visual instruction. The speed was great too, just knowledge and no fluff. Thank you. Subscribed
@SimplyCyber 7 months ago
The fluff videos kind of annoy me when I’m trying to get info so I’m not into it, despite the almighty algorithm
@damianpodgorski6977 4 days ago
This video comes as a life saver for me! I am struggling to set up Elasticsearch on my Linux VM, so this will be my workaround 😊
@TheReconstructionist-ok1yh 28 days ago
I’m saving this vid for later but I just wanted to say thank you for putting my mind at ease with the intro. I was so overwhelmed just looking for a video that didn’t confuse me and told me exactly what I would be doing and how it would help me in building my cyber resume 👌🏿.
@johnnytyler 2 months ago
Patience and persistence are required. Careful adherence to the instructions on the blog post (link provided in the description). GA's overview is a high-level, fast-paced overview and Elastic's website layout has changed. Pay specific attention to the steps of adding the integration, installing the agent, and allowing the agent to be enrolled in Fleet. Very important to allow time for the agent to report the processes from the host to the Elastic Cloud. The results are not as fast as would seem in the video. Don't rush and keep trying! Thanks SC!
@phonogtaphologist 19 days ago
A fun little way to test Elastic Defend agents is to run "Atomic Red Team invoke"; this can automatically run MITRE attacks and you can check coverage and generate a bunch of alerts by running all tests. Image your VM before you run this though, because it can mess things up when you run all the tests.
@sync_arts 6 months ago
It's near impossible that ELK and no-hassle fit in one sentence, thanks to you
@IoXxSekto36 7 months ago
Loved the video, definitely gonna do it when I get home and play with this one too. Thanks.
@RB-sv7ru 7 months ago
Great video, love your content and the cyber threat briefing every morning. If anyone goes to integrate and none of them appear try signing out and back in and it works.
@SimplyCyber 7 months ago
Thank you for kind words and thx for tip on lab for others
@cybernaut644 7 months ago
Thank you, Dr. Auger! Not sure if it was just me, but event.action: "nmap_scan" didn't fire any alerts. I replaced with process.name: "nmap" which triggered alerts and sent an email.
@abhinavkohli4293 a month ago
I am still not getting an email even though it's showing on the dashboards.
@MD-mo9wb 23 days ago
Saved to my SOC Analyst playlist to review later. I'm new so this went waaaay too fast lol. Edit: Literally playing this back on .75 lol
@nsfam6516 7 months ago
This is exactly what i needed!
@IFBBPRO917 5 months ago
This is my favorite KZfaq channel!
@SimplyCyber 5 months ago
YASSSS!!!! Thank you for making my day! 💙
@leemueller262 7 months ago
Fantastic! I know how I’ll be spending my weekend ❤
@treyanmarioh 5 months ago
I am happy you exist.
@NicholasSouris 7 months ago
First tutorial video I didn't have to fast forward through.
@kumarsiddappa6118 4 months ago
Not able to see nmap details. Do we need to set up anything on ES to read them?
@Noir_Nouveau 7 months ago
YOU ARE HIM Dr. G! Thanks!
@christopherayres164 7 months ago
Well done, now how deep does this rabbit hole go? Just remember to keep following that white rabbit neo!
@davidp5280 7 months ago
Good morning everyone! Nothing better than sharing and learning! Love it, love it, LOVE IT!!!❤🎉
@ever6 24 days ago
WOW, awesome channel. I'm new here and just subscribed; I recently finished my bootcamp and have to finish my resume before the job hunt. I'm in a 12-week mentor program now with CNL, and this channel about projects will be great to add to my resume. I'm switching from 20 yrs in motion capture animation in video games/VFX film to a new career; too many layoffs in games but plenty in cyber. I'll post an update here when I finish this project, hopefully before this weekend. Darrel C
@emmanueldark993 6 months ago
Is anyone else having trouble with that "Easy Lab" setup? On the "Install Elastic Agent" step I keep getting a stall and it states "Confirm agent enrollment" "Listening for agent" and there's an infinite scrolling wheel. I asked ChatGPT and it states my settings are probably misconfigured. If anyone has any suggestions or knows the fix I will greatly appreciate it.
@babatunde4874 13 days ago
For those having issues with not being able to get alerts/emails, it's because he used the wrong field-name for the rule. You need to use a different field-name (process.args : ‘’nmap’’) and not event.action.
@carol-lo 7 months ago
Thanks so much! Dr Auger! Very nice and concise video!
@danielleglover8111 15 days ago
I'm so new here. However, I'm struggling to find the downloads. I downloaded it, but where do I find the boxes inside of Oracle and Linux that look like the ones above?
@markkennedy5449 29 days ago
What’s the option for OS system???
@javierruiz2870 3 months ago
The process.args: nmap logs are not showing up on ES. I did everything just like the video up to that point. I've been stuck with this issue for several days now...
@SCole07 2 months ago
Thank you @Kaiomonchi
@sloth1762 11 days ago
@@SCole07 what was the solution? I have the same issue
@JordanTTG21 3 months ago
Am I the only one not getting alerts? I set up the alerts and everything exactly as the video states and I have yet to get an alert or email from performing a Nmap scan
@lmartin2422 a month ago
me too. did anything change for you? if so, how did you do it?
@babatunde4874 13 days ago
You need to use a different field-name (process.args : ‘’nmap’’) and not event.action.
@IvanAAnnuh 5 days ago
He used the wrong field name to create the rule, that is why. So use process.args: "nmap" rather than event.action: "nmap_scan" in the query when creating the rule.
@sumitm_11 20 days ago
Thank you
@SirDodge 6 months ago
Who's actually been able to get this SIEM to work? I haven't. After a successful agent install and nmap scans, nothing is being reported to the Logs about the scans.
@eshajadoun5743 6 months ago
Even I am having trouble seeing the logs. But if you go to Discover you will find timestamps of the data, and that means the thing is working.
@SirDodge 5 months ago
@@eshajadoun5743 I'm glad to see that I'm not the only person who was having trouble and it wasn't just a newbie mistake but Yeah, I've just been messing around with it and setup a Kali VM and Windows VM as well as a honeypot and I've been seeing data being ingested over the last couple of days.
@giangphamngocchau8516 2 months ago
same here. Have you been able to figure out the solution? Thanks in advance
@SirDodge 2 months ago
@@giangphamngocchau8516 Hi, I never finished "this" lab but I did pay for the course and the course is worth it.
@babatunde4874 13 days ago
You need to use a different field-name (process.args : ‘’nmap’’) and not event.action.
@nijatrzayev9962 7 months ago
You are doing great Gerald, Thanks for these invaluable resources.
@SKeee3 5 months ago
I followed every step to a T yet when I set up an email alert for "sudo -sv localhost" and ran the command line I get no email? Any tips on this?
@SimplyCyber 5 months ago
I also had an issue getting the email to fire. Suggest using a webhook and validating the alert is firing to try and isolate the issue.
@jonathanvasquez393 5 months ago
the only issue i had i could not find custom query in my options :/
@annmae644 4 months ago
Question on installing: when installing Kali, am I installing VMware or VirtualBox? I already have Oracle VM VirtualBox.
@KennithJay 7 months ago
Loved It. Excellent
@ishajatania6980 5 months ago
My Fleet agent is not getting connected and the status is showing "listening" but not getting confirmed. What might be the problem? Please help me.
@2kslimey 4 months ago
Is Elastic actually used in a professional setting, or just for testing and building home labs?
@jamilpotts8558 18 days ago
Anyone know of a completely free SIEM we could use in lieu of a trial version of Elastic? Just wondering.
@letsgoheat23 7 months ago
Having trouble doing with a Mac. I know it has to do with the linux distribution. 89
@freshkicks23023 a month ago
Why does Elastic look completely different and not work the same? Plz help.
@SimplyCyber a month ago
I'm not sure. Technology can have front-end changes made after the video is recorded. Potentially that?
@romanxxxx 7 months ago
Hell yes gerry guy, i’m doing this soon
@RowanHawkins 6 months ago
Don't do anything "soon". If you want to do something, put a date on it. Soon to some software devs is 2.5 years of soon.
@studioyoguishaya6484 a month ago
Everything went well but I didn't get any alert, either in the dashboard or in my e-mail.
@SimplyCyber a month ago
🤔 hmmm
@shockwave716 13 days ago
I'm running into the same thing. Wondering if our KQL syntax for the rule is outdated or incorrect.
@milanmills2824 2 months ago
Maybe it worked before but doesn't work anymore. Doesn't install.
@j.williams3 4 months ago
I couldn't get past the Elastic install point
@LearningDFIR 2 months ago
Great video! Late comment, but how long can the free version be used?
@SimplyCyber 2 months ago
It’s been a minute but I think 7 or 14 days. I can’t recall but enough you can make it happen in a weekend
@Iamjustja 7 months ago
Great content.
@Dkidd076 7 months ago
#TeamSimplyCyber!
@TheSilentLearner786 7 months ago
Sir, expecting more SIEM lab tutorials ❤
@franklinmccullough85 7 months ago
I'm having trouble getting the rule for Nmap. I can get process.args:, but nmap doesn't show up for me. Please advise.
@ssuriya427 6 months ago
same here
@kayodeolanrewaju5459 a month ago
it gave me an error curl: (18) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream tar (child): elastic-agent-8.14.2-linux-x86_64.tar.gz: Cannot open: No such file or directory tar (child): Error is not recoverable: exiting now tar: Child returned status 2 tar: Error is not recoverable: exiting now bash: cd: elastic-agent-8.14.2-linux-x86_64: No such file or directory what do i do??
@SimplyCyber a month ago
Ping me on the Discord server. I'm not sure what step you're on or what you're doing that results in this error, and YT comments are tough to communicate in for troubleshooting.
@kayodeolanrewaju5459 a month ago
@@SimplyCyber alright, I'm trying something now but I'll ping you if this doesn't work out as well
@jacovanderwalt13 7 days ago
Is there something to use instead of Elastic that is 100% free and not a trial? Thnx
@SimplyCyber 6 days ago
It's been a minute, but I think there is a trial aspect to this, so it's just an in/out opportunity to learn and do a lab.
@SimplyCyber 6 days ago
I believe Graylog is free
@jacovanderwalt13 6 days ago
@@SimplyCyber Great, thank you, I will check it out. Still new in the CS scene but already completed S+ and have a big interest in expanding my knowledge in SC.
@jworrell89 7 months ago
What do you use to highlight and make the arrow?
@SimplyCyber 7 months ago
ZoomIt by Sysinternals. It's on the Microsoft website. It's awesome.
@Ben-bf4gn 7 months ago
I'm wondering if it's possible to build this lab on-prem (vs using the cloud)?
@SimplyCyber 7 months ago
It is, but you need more hardware and configuration. Check out Graylog or ELK stacks.
@abdielramos8403 7 months ago
Is this good for people that are starting with cybersecurity, or is prior "experience"/background necessary?
@SimplyCyber 7 months ago
No experience is needed to set it up, but prior knowledge is needed to know what you're looking at and what it means in the SIEM. Mostly networking and operating system prior knowledge.
@abdielramos8403 3 months ago
I'm back and ready to spend time to learn and earn experience. Currently starting my major in cybersecurity and want to earn experience at the same time to build my resume.
@razulconde8765 7 months ago
Remarkable, man. Thanks, but slow down a bit. Are you in a rush or something?
@kamalalleyne2197 6 months ago
How did you get the email to fire off at 9:13? In the video it looks like it was cut off and I didn't get to see exactly what you did.
@SimplyCyber 6 months ago
Thx for asking. I didn't get the email and couldn't troubleshoot it for the video. I thought I left a comment in there saying the email didn't arrive, but I guess it didn't make the final vid. I would set it up with webhooks if I'm being practical, since it's more flexible and you would see it in practice (fire off a Slack msg, for example).
@RowanHawkins 6 months ago
Slack is awesome for this because it's so easy to set up a Slack instance and then view the alerts on, say, your phone.
@tommyshowgun 7 months ago
Thank you.
@SimplyCyber 7 months ago
You're welcome!
@johnvardy9559 5 months ago
Do something with Wazuh.
@user-vp1ig6xl7r 7 months ago
#TeamSC
@tyrojames9937 7 months ago
COOL!
@mypassportpicsux 7 months ago
There goes my weekend. 😂Let’s go!! #TeamSC
@rdsii64 4 months ago
This is very interesting, but you really talk fast.
@trblmkr5139 7 months ago
siiiixkkkkkk
@climbing_for_dollars 3 months ago
Thank you for this tutorial ❤
@peek2much3 7 months ago
Nah! Sorry “Doc” lol, anyone in 2024 thinking it’s a good idea sticking with ES is an idiot or is selling licenses. They screwed the pooch dude going that route. Folks, you can do this and more with 100% FOSS. Plenty of OSS SIEMs and log management the whole stack, etc. The list is huge. Why would you use ES for this in a lab? Beats me.
@SimplyCyber 7 months ago
The ease of setup lowers the barrier to entry for learning. Maybe not a great solution for enterprise or long term (I'm not sure what evaluation you are basing your assessment on), but for a student lab and learning quickly, I think it's a good fit.
@bobblanchard9480 7 months ago
I find Wazuh ideal for this scenario, and it can be completely on-premise. Fantastic documentation too!
@Zewwy_ca 7 months ago
Enterprise is far more complex, with understanding data classification and policies to allow the use to send this type of data to the provider (in this case ES). Sure, for a homelab and getting an idea of how a SIEM is supposed to work, that is an accurate point, but using this "as a point on your resume" is a bit of a stretch.
@angstrom1058 7 months ago
A lot of people don't know what a SIEM is, so they won't click your vid, dood.
@SimplyCyber 7 months ago
Thx. When ppl learn what a SIEM is and then need skills on one, the video will be here waiting for them.
@angstrom1058 7 months ago
@@SimplyCyber I watched. I appreciate the fast info-packed video. Learned a lot in 13 minutes. Great job. :)
@geoffreygelly9949 7 months ago
I think if someone is here and doesn't know what a SIEM is, he's in the wrong place.
@Flakester 7 months ago
Those who would be interested in and capable of doing so do know what a SIEM is...
@sdharris10 7 months ago
He is literally explaining it in the video, and you click on stuff you're interested in, so what's your point?
@Fry28tv a month ago
event.action: "nmap_scan" doesn't work, wouldn't trigger any alerts.
@IvanAAnnuh 5 days ago
He used the wrong field name to create the rule, that is why. So use process.args: "nmap" rather than event.action: "nmap_scan" in the query when creating the rule.
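Several commenters in this thread (the @JordanTTG21 / @babatunde4874 / @IvanAAnnuh exchange earlier, the @cybernaut644 reply, and the @Fry28tv / @IvanAAnnuh exchange just above) land on the same fix: the detection rule's custom query must name a field the agent actually populates. The script below is an added example, not code from the video, the blog, or Elastic; it is a deliberately small stand-in for the matching step a Kibana rule performs, run over constructed ECS-style process events (the sample documents, the host name, and the simplified single-term KQL matcher are all assumptions). It shows why `event.action: "nmap_scan"` returns nothing, why `process.args: "nmap"` fires, and one difference a defender should know about: `process.args` also catches a scan launched through `sudo`, where `process.name` would be `sudo` rather than `nmap`.

```python
"""Why the tutorial's alert rule never fires (added example, not the page's code).

Elastic Agent ships process executions as ECS documents. A detection rule's
custom KQL query such as   process.args: "nmap"   matches when any element of
the process.args array equals "nmap".  The query   event.action: "nmap_scan"
can only match if something sets event.action to that literal, and nothing in
this lab does, so that rule never produces an alert.
"""
from typing import Any

# Constructed sample documents in ECS layout (not real captures); the host
# name and timestamps are made up for the example.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # nmap started directly by the user
        "@timestamp": "2024-01-01T10:00:00Z",
        "event": {"category": ["process"], "action": "exec"},
        "process": {"name": "nmap", "args": ["nmap", "-sV", "127.0.0.1"]},
        "host": {"name": "kali-lab"},
    },
    {   # unrelated shell activity, should never match
        "@timestamp": "2024-01-01T10:00:05Z",
        "event": {"category": ["process"], "action": "exec"},
        "process": {"name": "bash", "args": ["bash", "-c", "ls -la"]},
        "host": {"name": "kali-lab"},
    },
    {   # nmap launched via sudo: process.name is "sudo", but args contain "nmap"
        "@timestamp": "2024-01-01T10:00:09Z",
        "event": {"category": ["process"], "action": "exec"},
        "process": {"name": "sudo", "args": ["sudo", "nmap", "-sS", "127.0.0.1"]},
        "host": {"name": "kali-lab"},
    },
]


def get_field(doc: dict[str, Any], path: str) -> Any:
    """Walk a dotted ECS field name (e.g. 'process.args') through nested dicts."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_query(query: str) -> tuple[str, str]:
    """Split a single-term KQL query like  field: "value"  into (field, value)."""
    field, sep, value = query.partition(":")
    if not sep or not field.strip():
        raise ValueError(f"not a single-term KQL query: {query!r}")
    return field.strip(), value.strip().strip("\"'")


def term_matches(doc: dict[str, Any], field: str, value: str) -> bool:
    """KQL term semantics for keyword fields: a multi-valued field matches
    if any element equals the value; a missing field never matches."""
    actual = get_field(doc, field)
    if actual is None:
        return False
    if isinstance(actual, list):
        return any(str(item) == value for item in actual)
    return str(actual) == value


def run_rule(query: str, events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events a rule with this custom query would alert on."""
    field, value = parse_query(query)
    return [e for e in events if term_matches(e, field, value)]


def compare_rules(events: list[dict[str, Any]]) -> dict[str, int]:
    """Hit counts for the three queries discussed in the comments."""
    queries = (
        'event.action: "nmap_scan"',   # from the video: never matches
        'process.args: "nmap"',        # the fix suggested in the replies
        'process.name: "nmap"',        # also works, but misses `sudo nmap`
    )
    return {q: len(run_rule(q, events)) for q in queries}


if __name__ == "__main__":
    for query, hits in compare_rules(SAMPLE_EVENTS).items():
        print(f"{query:28} -> {hits} hit(s)")
```

The matcher implements only exact term equality on keyword fields, which is enough for these single-term queries; real KQL also supports wildcards, ranges and boolean operators, and analysed `text` fields match differently, so treat this as an explanation of the field-name mistake rather than a KQL engine. In a real rule, the `process.args` count also tells you that a scan run through `sudo` produces an alert on the `sudo` process rather than on `nmap`, which is worth remembering when you read the alert's `process.name` in the dashboard.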
@madhurhase8333 6 months ago
Perfectly Curated