ELK Detection Lab

An ELK environment loaded with the following datasets:

• Mordor from Roberto Rodriguez @Cyb3rWard0g and Jose Luis Rodriguez @Cyb3rPandaH
• EVTX-ATTACK-SAMPLES from Samir Bousseaden SBousseaden
• malware-traffic-analysis.net PCAPs from @malware_traffic processed with Suricata.

Thanks to the authors of the datasets as well as:

• Shinta Nakano for evtx2es that I used to import the EVTX-ATTACK-SAMPLES dataset.

Prerequisites

You need at least:

• a working Docker CE installation with docker-compose
• 8 GB free disk space
• 2 GB RAM for a reasonable Elasticsearch performance

Installation

Clone this repository and the dataset submodules with:

git clone --recurse-submodules https://github.com/thomaspatzke/elk-detection-lab.git

Run this command to start the ELK environment and import the datasets:

./elk-detection-lab.sh init

Wait at least until the document count of all winlogbeat-* and filebeat-* indices stops to increase which can take several 10 minutes.

After this was run once, the ELK environment can be started without importing the data again:

./elk-detection-lab.sh run

Usage

Open the local Kibana in your browser.

The Windows log data starts in November 2018 and the field naming follows the ECS scheme and Winlogbeat 7 conventions.

The data created from the malware-traffic-analysis.net PCAPs is located in the index filebeat-* and goes back to 2013. Please adjust the Kibana time range accordingly.