Elastic Agent + Security Onion

Hi team,

I recently deployed a Security Onion lab on VMware Workstation.
Added my home private subnet to the allowed hosts on Security Onion.

Checked and verified all services showing up on the VM.

Checked and verified in PowerShell that the Windows endpoint machine is communicating with the SOC machine on port 8220.

Downloaded and installed Elastic Agent on the endpoint.
Checked Elastic Agent status: running.

On checking, found the agent was stopped because it was not enrolled properly (enrollment issue).

After some struggle, Elastic Agent enrollment was successful.
The Elastic Agent enrolled successfully.


Checked Elastic Agent status again: up and running and healthy.
Inside SOC VM:

  • sudo docker ps | grep elastic
  • sudo so-status

Now created a scenario: created another 2 VMs (Kali Linux & Windows).
Created the Kali Linux VM with the network adapter details below:

  ip a
  Kali attacker → 192.168.1.18
  Windows victim → 192.168.1.5
  Security Onion SIEM → 192.168.1.11

SOC detection pipeline step-by-step
Both IPs are pinging from Kali Linux.

Also from the Windows PC, the SOC is pinging.

  • Attacker simulation + detection testing
    Confirm Windows logs are flowing (VERY IMPORTANT)

    In Kibana go:

    Security → Hosts → Harry-Machine

    Generate first REAL detection from Kali

    From Kali run:

    nmap -sS -T4 192.168.1.5

    (Windows IP)
    Find Nmap attack logs in Kibana (Elastic)

    Open:

    Kibana → Discover

    Now set:

    Index pattern = logs-*

    OR

    logs-endpoint.events.*

Now filter for network scan activity

Added this:

event.category: network

Search by 192.168.1.5

Now enabled Elastic Defend.
Go in Kibana:

Management → Fleet → Agent policies

Open your policy:

endpoints-initial

Added the integration.
After the EDR deployed successfully, checked and verified from Kibana → Fleet → Agents → Harry-Machine:
Status = Healthy

Policy revision updated recently. But I need help to learn how to search logs & events on the Kibana dashboard, or what the next analysis should be. If anyone could give me one session, it would be much appreciated.

Thank you
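As an added example (not part of the post above), here is one way to turn the "event.category: network, search by 192.168.1.5" step into an actual port-scan check: the KQL string is what you would paste into Discover to narrow the events, and the function groups the exported ECS documents by source.ip and counts distinct destination ports hit on the victim in a short window. The ECS field names match what Elastic Defend emits; the sample events are constructed, not real captured data, and the window and threshold are assumptions to tune.

```python
"""Flag port-scan-like behaviour in ECS network events exported from Kibana.

Added example, not from the original post. Assumes Elastic Common Schema
documents (event.category, source.ip, destination.ip, destination.port) as
emitted by Elastic Defend; SAMPLE_EVENTS below are constructed test data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# KQL for Kibana -> Discover (index pattern logs-*) to isolate the victim's
# network events before exporting them for analysis.
KQL_VICTIM_NETWORK = 'event.category: "network" and destination.ip: "192.168.1.5"'

# Constructed sample: one host touching many ports on the victim (scan-like),
# the SIEM talking to a single port, and one non-network event to be ignored.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "event": {"category": "network"},
     "source": {"ip": "192.168.1.18"}, "destination": {"ip": "192.168.1.5", "port": p}}
    for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)
] + [
    {"@timestamp": "2024-01-01T10:00:01Z", "event": {"category": "network"},
     "source": {"ip": "192.168.1.11"}, "destination": {"ip": "192.168.1.5", "port": 8220}},
    {"@timestamp": "2024-01-01T10:00:02Z", "event": {"category": "process"},
     "source": {"ip": "192.168.1.18"}, "destination": {"ip": "192.168.1.5", "port": 80}},
]


def find_port_scanners(events, victim_ip, window=timedelta(minutes=5), min_ports=10):
    """Return {source.ip: distinct_port_count} for sources that hit at least
    min_ports distinct destination ports on victim_ip within `window` of the
    first event seen for that source (events assumed in time order).
    Only documents with event.category == "network" are considered."""
    first_seen = {}
    ports = defaultdict(set)
    for ev in events:
        if ev.get("event", {}).get("category") != "network":
            continue
        if ev.get("destination", {}).get("ip") != victim_ip:
            continue
        src = ev["source"]["ip"]
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        start = first_seen.setdefault(src, ts)
        if ts - start <= window:
            ports[src].add(ev["destination"]["port"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(find_port_scanners(SAMPLE_EVENTS, "192.168.1.5"))  # {'192.168.1.18': 12}
```

A SYN scan (-sS) never completes the TCP handshake, so an endpoint agent may log few or no connection events for it; Security Onion's own Zeek and Suricata network data is the more reliable place to look for the same scan.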