In this lesson, I'm going to go into my lab environment and show you how to configure a security information and event management system. Now we're going to make sure that we get the agents on the systems in our network configured so they can report back to that SIEM so we can use that for later analysis. Now in this lesson I'm going to use Security Onion, which is an appliance that comes as a VM, and it implements things like Elastic Stack, Kibana, and other SIEM functionalities within it. Now the first thing we're going to do is we're going to go and configure our sensor. Now I've already done this for us, but if you look on the right side of this diagram, you're going to see the Unified Threat Management System up at the top. On that, we have a connection going to vLOCAL, and vLOCAL has a sensor feeding data into my SIEM. Now in addition to that, I'm also going to be collecting information from the Windows virtual machines down at the bottom, MS1 and DC1.
Both of those have data that's being fed up into vLOCAL, and using that sensor port, I'm going to collect that information and send it to my SIEM. All right, so the next thing I want to do is go into my SIEM and we're going to open a terminal. And from within here, we're going to start dumping that information from the network that we're capturing over that sensor wire. So I'm going to type in sudo tcpdump -ni eth1 ip and hit Enter. Using the -n switch is going to tell us that we don't want to use name resolution, because I'm not connected to the internet, so I can't look up things like google.com. I have to use IP addresses. And by using the ip at the end, this is going to filter out any IPv6 traffic, so I'm just going to be focused on IPv4 traffic. This will make sure that I see things for traffic going to and from my host and those two Windows machines and to that unified threat management system. All right, once I'm done capturing this, I'm going to hit Ctrl + Z and that will stop this traffic capture. Now this traffic is going to be monitored by Bro.
Bro is a passive network sensor that we're going to use basically as an intrusion detection system. It's part of that unified threat manager. Now those events have already been configured, so it's going to write into the SIEM. The SIEM is going to allow me to see what's in there, and we're going to use Elastic Stack to do that. So if I go ahead and see if Elastic Stack is running properly, I can do this by typing in sudo so-status and hitting Enter. This will give me the output that shows that each service is up and okay. If I get some kind of a warning message, that means one of the things that I'm using to collect this, things like Logstash, which is part of Elastic Stack, might not be quite ready yet. So I would have to wait and then run that status again. All right, from my desktop, I'm going to go ahead and open up Kibana. Inside of Kibana, I'm going to log in with my username and password, and this is going to bring me to a dashboard. Kibana is a visualization tool and it's part of Elastic Stack.
It's going to be used to configure the dashboards for different categories, showing us different information in a graph format or a table format. Now if I go down under Bro Hunting, I can select Connections. And from here, I can scroll down to verify that the hosts from the 10.1.0.0/24 network are present and accounted for. This will make sure that I'm seeing the information being sent to me by my intrusion detection system. All right, now that we see that Kibana is properly configured, I want to start doing some scans and make sure that Kibana is seeing this inside of there with live data. So I'm going to go into Zenmap, which is on my Windows machine, and I'm going to run a scan using a default Intense scan against 10.1.0.1. Now, Zenmap is essentially just a graphical version of Nmap, which is a network scanner. So it's going to go through and perform the scan for me, and now I'm going to go back into Kibana. If I go there under Alert Data, I can then view the Bro Notices and NIDS categorization for scanning activity alerts.
Now if there are no results, you want to click on the Update button. Now as we do this, we should be detecting that scan that the Windows machine is doing against this network, and Kibana as the SIEM is seeing all that data because we have that port mirroring enabled off of that switch. Now as you can see here, the NIDS alerts are being counted and we can see those scans because we have this scan being run by our Zenmap. So this is telling me this process is working and we're able to see it in real time. Now the next thing we want to look at is how to install a Beats agent so we can capture network traffic directly from the host instead of just capturing things off of the network switch using port mirroring like we are doing up to this point. To do this, we want to capture that log information. So we're going to install the Beats agent. So let me go ahead and log into my DC1. And from here, I want to configure Beats, and I do that by going under my LABFILES and then winlogbeat.
In here, you'll see winlogbeat.yml, which is the configuration file, and I'm going to right-click it and edit it with Notepad++. Now as I edit this file, you have to remember that YAML files are very sensitive to white space. So every space is actually used and counted. So you can't just add spaces willy-nilly. You've got to make sure you count correctly. These files use two spaces per indentation level. So if you want to use two, that would be the first column. Two more, that gets you four spaces, that's the second column, and it keeps going like that. All right, so we're going to scroll down and locate where it says output.logstash:. Now in this section I'm going to find line 111, which is the #hosts:, and I want to change where it says localhost to the IP address of my SIEM. So I can send the data from this machine over to the SIEM, and that SIEM is at 10.1.0.246. So my line should now read hosts: "10.1.0.246:5044", and that 5044 is the port that my SIEM is configured to listen on.
Now this will allow me to get data from this, any of the log files, and send it back to that SIEM, which gives me another way to collect data. So I'm going to save this and close the file, and then I'm going to copy the winlogbeat folder to the C:\Program Files (x86) directory. Now I'm going to go into PowerShell and run a command to be able to start this up. So I'm going to change directories into the 'C:\Program Files (x86)\winlogbeat' directory that I just started. Then I'm going to run winlogbeat. And to do this, I'm going to use the Linux-style notation. So .\winlogbeat test config -c winlogbeat.yml -e. And what this says is I'm going to run winlogbeat, I'm going to use it in a test and configuration mode, and the configuration file is going to be winlogbeat.yml, and then I'm going to execute this. So this last part is going to say Config OK. Now if there is an error, that means I messed up the configuration file, but if not, I'm ready to keep going.
Now at this point, I'm going to run two more commands because I need to install that agent as a service inside Windows so it starts up every time I reboot this computer. To do this, I'm going to do .\install-service-winlogbeat, and then I'm going to start the service by doing start-service winlogbeat. All right, now that I have that running, I have started this up, I have configured it as a service, and anytime I restart this computer, Beats is going to be running for me. So let me go back into my SIEM now and I want to run the command sudo so-allow-view. Now this is going to show me the output that has the firewall that's already been configured to allow the traffic from Beats over port 5044 into my SIEM. Now if I go back into Kibana, I should again see those NIDS dashboards and those Bro notices for those scan alerts that I saw before from those scanning alerts that I caused by using Zenmap. Now if I go into the Beats dashboard under Host Hunting, I can start seeing events from DC1 where I just started that Beats agent to send data back.
Now it may take some time for that to come in, and if yours aren't there yet, you can click on Update or Refresh and keep checking for those alerts. Over time, they're going to start coming in and you'll see those different logs from that system. Now the next thing I'm going to do is configure some application logging. Now by default, Beats is going to capture the Application, System, and Security logs when you set it up on a Windows Server. Now this is going to collect a lot of data and send a lot of it back to our SIEM, and some of it may or may not be relevant for what you want to do. If you're doing incident detection or threat hunting, a lot of this just isn't something you need. If you're doing system troubleshooting, it's stuff you may need. So you need to figure that out inside your organization and determine what you want to log and how much. So let's say we want to configure our application log so we're starting to send data to the SIEM. Well, let's go over to MS1, which was my IIS server machine.
And I want to go in there and look at the access logs from the Event Viewer and then have Beats forward that to the SIEM. That way I can get data about my web server. So let me go ahead and go into MS1. And from here, I'm going to go under Server Manager, select Tools, and then Internet Information Services or IIS Manager. Inside the IIS Manager, I'm going to select the server MS1, and I'm going to double-click on the Logging app in the middle pane. This will show me the different options I have for log formats. Now if you remember from our log formatting lesson, you're going to see that there's lots of different formats you can use, but I'm going to use the standard of W3C, which is really good for web application logs. Now under the Log Event Destination, I can select Both log file and ETW event, and click Apply. This means I'm going to log it locally to the computer and I'm going to send it as this type of event over through Beats.
Now if I go to Explorer, I can copy the winlogbeat from my domain controller that I installed it on before to the local system here with MS1, my web server. I'm then going to go into PowerShell as an administrator and I need to run this big long scary command. Now again, this is something you don't have to memorize for the exam, but it is what we need to run to be able to check the name of the event log that's capturing those IIS events. So I'm going to do get-winevent -listlog * | where-object { $_.logname -like "*IIS*" } | format-list -property logname. Whew, that was a long one. So what is this saying? Well, I want to get all of the Windows events that meet these conditions. If it's listing the logs that have a *, meaning anything, I want to grab those, or I want to grab things where there's an object where the log name has something like IIS in it, or I want to get anything that's formatted as a list with the property of logname. So if I take all those things, I can gather those events and then I can figure out what I want.
This query is going to match a couple of logs. In fact, three of them. And then I want to copy the text Microsoft-IIS-Logging/Logs. And copy the value from the prompt, select it and press Enter. Now I'm going to open up the Program Files directory under winlogbeat that I just installed and find that configuration file. I want to go ahead into that file. And under the winlogbeat.event_logs:, I want to add the text that says - name: Microsoft-IIS-Logging/Logs. All right, now that I have this file configured the way I want, I'm going to close it and say yes to save it, and then I'm going to go back into my administrator mode and go into my PowerShell prompt. I now want to run the command to get into the directory for winlogbeat, which is cd 'C:\Program Files\winlogbeat'. And then I want to run the configuration file and load it up. So just like I did on the domain controller, .\winlogbeat test config -c winlogbeat.yml -e. Now if I got that last part right, I'm going to see output that says Config OK. This means I'm ready to move on.
Now I need to start it up as a service just like I did on the domain controller: .\install-service-winlogbeat, hit Enter, and then start-service winlogbeat, and hit Enter. Now we have winlogbeat, or Beats, running on both the domain controller and the web server. Now I want to be able to start generating some traffic here. So I'm going to go over to my PC1 and my PC2, and I'm going to do some things like going and accessing share drives or browsing to different websites or using Zenmap to start scanning some things. And when I do this, this is going to generate some traffic for this lab environment, and it should generate both network traffic that's captured by the SIEM based on that port mirroring, and it's going to capture application logs and event logs from the domain controller and from the web server. All right, the next thing I want to do is install a host-based intrusion detection system. And I'm going to do this by using an agent on one of these clients. So with the Windows clients, we are going to install OSSEC, which is a HIDS agent.
Now this is going to produce only security-relevant information for us, and again, we want to configure that to send that data back to our SIEM. So I'm going to go into PC1 and I'm going to go ahead and run this program called Wazuh, which is W-A-Z-U-H. To run it, I'm going to go into my LABFILES directory\wazuh-agent-, the version number, .msi. This will start my installer. I'm going to go through this installer pretty basically, and I'm going to accept and install it. And when the setup is completed, I'm going to click Run Agent configuration interface, and then click Finish. If I get a UAC prompt, I'm going to go ahead and approve it and say Yes. Now the next thing I want to do is open a Command Prompt as the administrator and run "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m 10.1.0.246. Remember that's the IP address of my server. So where am I sending these things? I'm going to send 'em back to that same server. All right, now that we've done that, we've associated this agent with the manager that's running on the SIEM. That's what that -m is for.
Now this will make sure there's a connection between the two so I can send the data there. Now if I switch back to the Wazuh Agent Manager dialog, I can click the Refresh button and I should see a key that's loaded in the Authentication key box. If I go to the Manager IP box, I can type in my manager's IP address, that of the SIEM, 10.1.0.246. Once I do that, I'm going to save it and then select Manage, Start, and OK. Now if I wanted to do this on the other PC of my network, I would do the exact same thing and configure all of them the same way, and that way all of my devices can go back and reach to that SIEM. All right, now that we've done that, let's go back into our SIEM and start looking at some data. We want to start extracting data and aggregating these records to make use of our SIEM and understand what's in there. So inside my SIEM, I'm going to go under the OSSEC dashboard under Host Hunting. Here, I'm going to use the Update or Refresh to check for any new alerts.
Now once I do that, I'm going to click the Management tab and select Index Patterns and then Create Index Pattern. Now in the index pattern box, I want to type logstash-ossec-* and then click Next step. This is the pattern I'm identifying. Then from the time filter, I can select I don't want to use a time filter 'cause I want everything to show up, or I might just want to look at today's stuff or the last three hours' stuff or a certain time period based on what we saw from some kind of a malicious event. Now once I've done that, I can click the Create index pattern button and this creates my pattern. From here, I can click the Discover tab. Now from the list box, I want to select logstash-ossec-*, which is the index pattern that I just created. Now under my search box, I want to create a filter string and then I'm going to update it. So I'm going to do this by typing in agent.name:PC* AND alert_level:>=5.
What this says is, any time you found an agent that was PC-something in my network, PC1 or PC2, and the alert_level:>=5, I want you to display it. Now as I look at these results, I can see some results here and I can click the small black arrow to expand the record and view all of the different event data around it. And so you can see pretty quickly here how we can start slicing and dicing data and searching for things on a particular machine, such as PC1 or PC2, or if you wanted to look at all machines by using wildcard characters and then identifying what looks malicious across your network. The great thing about a SIEM is I'm not looking at everything as individual pieces. All that data is in one place, so I can see it across the entire network and start looking for patterns. Next let's configure a syslog source. Now this is important because a lot of hosts you're going to deal with may not have the ability to install an agent, but most things can be configured for remote syslog monitoring.
So to do this, I'm going to go ahead and do that on my pfSense security appliance, which is my unified threat management system. So when I go into that unified threat management system, I can click on Status and System Logs and then click on the Settings tab. Here if I scroll down, I'll find the option for remote logging. When I click that, I can enable remote logging, then I can type in my server name, 10.1.0.246, and I'm going to put that on port 514 because that is the port for syslog. Now from the remote syslog contents, I can check the system events and the firewall events because those are the ones I want, and then I'll click Save. Now if I go back into my SIEM and I go back into Kibana, I can click on the Management tab and then select Index Patterns, and then we can create a new index pattern. So in this index pattern, I'm going to call it logstash-syslog-*, and click Next step. For the time filter, again, I don't want to use the time filter, and then click Create index pattern.
464 00:18:27,480 --> 00:18:29,220 If I go to the Discovery tab, 465 00:18:29,220 --> 00:18:33,870 here I can find logstash-syslog-*. 466 00:18:33,870 --> 00:18:35,250 Now if I search for something, 467 00:18:35,250 --> 00:18:39,297 for instance, syslog-sourceip:10.1.0.254 468 00:18:40,950 --> 00:18:42,150 and then hit Update, 469 00:18:42,150 --> 00:18:44,280 I can find all of the syslog things 470 00:18:44,280 --> 00:18:46,980 that are associated with that IP address. 471 00:18:46,980 --> 00:18:49,860 So at this point, we have looked at some different options 472 00:18:49,860 --> 00:18:52,290 for taking information into our SIEM. 473 00:18:52,290 --> 00:18:55,140 We can do it based on traffic sources by a network tap, 474 00:18:55,140 --> 00:18:57,030 we can use agents like Beats, 475 00:18:57,030 --> 00:18:59,970 and we can use syslog for our more generic systems 476 00:18:59,970 --> 00:19:01,950 that don't have Beats installed. 477 00:19:01,950 --> 00:19:03,870 Now once we've done all that, 478 00:19:03,870 --> 00:19:06,510 we might have a lot of log data coming in, 479 00:19:06,510 --> 00:19:08,880 so it'll be important for us to define our use cases 480 00:19:08,880 --> 00:19:11,250 and tune our sensors and tune our logging 481 00:19:11,250 --> 00:19:13,140 to exactly what we're looking for. 482 00:19:13,140 --> 00:19:15,810 But this lab should have given you a great introduction 483 00:19:15,810 --> 00:19:16,800 to Security Onion 484 00:19:16,800 --> 00:19:19,740 and how to set up these different things on your network. 485 00:19:19,740 --> 00:19:22,410 Again, like all the tools we've talked about in this course, 486 00:19:22,410 --> 00:19:24,120 I do recommend downloading this 487 00:19:24,120 --> 00:19:27,270 onto a virtual machine in your network, set up an appliance, 488 00:19:27,270 --> 00:19:29,370 and then start capturing your own network traffic 489 00:19:29,370 --> 00:19:31,170 and see what patterns you can identify. 
490 00:19:31,170 --> 00:19:32,790 Learn how to read these logs 491 00:19:32,790 --> 00:19:34,410 and learn how to use these tools. 492 00:19:34,410 --> 00:19:36,600 It'll make you a much better cybersecurity analyst 493 00:19:36,600 --> 00:19:38,640 and it'll help you pass your job interviews, 494 00:19:38,640 --> 00:19:40,110 because employers are going to want to know 495 00:19:40,110 --> 00:19:42,660 that you know how to use a SIEM and how to read it.
