An ELK environment containing interesting security datasets.
An ELK environment loaded with the following datasets:
Thanks to the authors of the datasets as well as:
You need at least:
Clone this repository and the dataset submodules with:
git clone --recurse-submodules https://github.com/thomaspatzke/elk-detection-lab.git
Run this command to start the ELK environment and import the datasets:
./elk-detection-lab.sh init
Wait at least until the document count of all winlogbeat-* and filebeat-* indices stops increasing, which can take several tens of minutes.
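One way to check that wait condition instead of eyeballing Kibana, as an added example that is not part of the lab's own scripts: the snippet below polls the Elasticsearch _cat indices API, compares two successive snapshots of the per-index document counts for winlogbeat-* and filebeat-*, and reports which indices are still growing. It assumes Elasticsearch is reachable at http://localhost:9200 without authentication (the README does not state the port or security settings; override with ES_URL), and the index names in the embedded sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Poll Elasticsearch until the winlogbeat-*/filebeat-* document counts stop growing.
# Assumption (not stated in the README): Elasticsearch on localhost:9200, no auth.
ES_URL="${ES_URL:-http://localhost:9200}"
INTERVAL="${INTERVAL:-60}"   # seconds between snapshots

# One snapshot: "index docs.count" per line, sorted by index name.
fetch_counts() {
    curl -s "$ES_URL/_cat/indices/winlogbeat-*,filebeat-*?h=index,docs.count&s=index"
}

# Print the names of indices whose docs.count increased from snapshot $1 to $2.
# An index that is absent from $1 but present in $2 counts as growing.
growing_indices() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk '
        $1 == "A" { prev[$2] = $3; next }
        $1 == "B" && ($3 + 0) > (prev[$2] + 0) { print $2 }
    '
}

# Exit status 0 when no index grew between the two snapshots, 1 otherwise.
counts_stable() {
    [ -z "$(growing_indices "$1" "$2")" ]
}

# Take snapshots INTERVAL seconds apart until two consecutive ones match.
wait_for_import() {
    prev=$(fetch_counts)
    while :; do
        sleep "$INTERVAL"
        curr=$(fetch_counts)
        if counts_stable "$prev" "$curr"; then
            echo "Document counts stable; the import appears to be finished."
            return 0
        fi
        echo "Still growing:"
        growing_indices "$prev" "$curr"
        prev=$curr
    done
}

# Constructed sample snapshots (index names are made up) showing the comparison.
SAMPLE_PREV="filebeat-sample-2013.06 1200
winlogbeat-sample-2018.11 5000"
SAMPLE_CURR="filebeat-sample-2013.06 1200
winlogbeat-sample-2018.11 5300"

# Run the live poll only when invoked as: ./wait_for_import.sh poll
if [ "${1:-}" = "poll" ]; then
    wait_for_import
fi
```

Two consecutive identical snapshots are a heuristic, not proof that the import has finished; if the importer pauses between datasets for longer than INTERVAL, raise the interval or require several stable rounds in a row.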
After this was run once, the ELK environment can be started without importing the data again:
./elk-detection-lab.sh run
Open the local Kibana in your browser.
The Windows log data starts in November 2018 and the field naming follows the ECS scheme and Winlogbeat 7 conventions.
The data created from the malware-traffic-analysis.net PCAPs is located in the index filebeat-* and goes back to 2013. Please adjust the Kibana time range accordingly.