https://github.com/thomaspatzke/elk-detection-lab
An ELK environment containing interesting security datasets.
https://github.com/thomaspatzke/elk-detection-lab
Last synced: 3 months ago
JSON representation
An ELK environment containing interesting security datasets.
- Host: GitHub
- URL: https://github.com/thomaspatzke/elk-detection-lab
- Owner: thomaspatzke
- Created: 2020-01-03T23:15:34.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2020-05-11T20:51:35.000Z (over 5 years ago)
- Last Synced: 2025-04-02T03:10:00.575Z (7 months ago)
- Language: Shell
- Size: 52 MB
- Stars: 136
- Watchers: 9
- Forks: 23
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - thomaspatzke/elk-detection-lab - An ELK environment containing interesting security datasets. (Shell)
README
# ELK Detection Lab
An ELK environment loaded with the following datasets:
* [Mordor](https://github.com/hunters-forge/mordor) from Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g) and Jose Luis Rodriguez [@Cyb3rPandaH](https://twitter.com/Cyb3rPandaH)
* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) from Samir Bousseaden [SBousseaden](https://twitter.com/SBousseaden)
* [malware-traffic-analysis.net](https://www.malware-traffic-analysis.net/) PCAPs from [@malware_traffic](https://twitter.com/malware_traffic) processed with Suricata.
Thanks to the authors of the datasets as well as:
* [Shinta Nakano](https://sumeshi.github.io/) for [evtx2es](https://github.com/sumeshi/evtx2es) that I used to import the EVTX-ATTACK-SAMPLES dataset.
## Prerequisites
You need at least:
* a working Docker CE installation with docker-compose
* 8 GB free disk space
* 2 GB RAM for a reasonable Elasticsearch performance
## Installation
Clone this repository and the dataset submodules with:
```
git clone --recurse-submodules https://github.com/thomaspatzke/elk-detection-lab.git
```
Run this command to start the ELK environment and import the datasets:
```
./elk-detection-lab.sh init
```
Wait at least until the document count of all `winlogbeat-*` and `filebeat-*` indices stops to
increase which can take several 10 minutes.
After this was run once, the ELK environment can be started without importing the data again:
```
./elk-detection-lab.sh run
```
## Usage
Open the [local Kibana](http://localhost:5601/app/kibana#/discover) in your browser.
The Windows log data starts in November 2018 and the field naming follows the ECS scheme and
Winlogbeat 7 conventions.
The data created from the malware-traffic-analysis.net PCAPs is located in the index `filebeat-*`
and goes back to 2013. Please adjust the Kibana time range accordingly.