I seriously need to start building my labs so I can get some “experience” under my belt. I need a tech job like yesterday.
have you tried it?
Did you get a tech job now?
As someone who was forced to change career paths and decided to go with IT you are a saint. I'll be sure to check out more videos. Thank you.
Thx. Really great compliment. 💙
Probably the most concise, easy-to-follow home SOC lab setup I have seen so far. Kudos to Gerry Auger and to Abdullahi Ali for trying to make these highly marketable cybersecurity skills available to as many people as possible 🙏🏼
that was the goal so NAILED IT! thx for the comment.
This is amazing! I’m going to add this to my Home Lab. I am already using Elastic in my SOC Analyst course with HTB. Thank you Dr. Auger for creating this video and sharing it!
How is it going?
Just wanted to say thank you for this and I will be creating my home lab as soon as I get home! I am trying to change my career path due to a loss in the family, I am passionate about protecting people and their information and I'm looking for all the help I can get to land a job. Thank you again for this awesome video!
Employers are looking for candidates with hands-on experience. With home lab projects like this, you can build this experience at home outside of any enterprise environment. These activities are _more important_ than certifications or even degrees to Hiring Managers. People at three large companies each told me that. So get crackin
Great advice; thank you
I have so many projects its insane
@ZacharyJansheski Get busy, and good luck!
Degrees are for moving up into higher positions. That's why people get them. Nobody gets a degree for "entry level" lol
Great video with actual walk through visual instruction. The speed was great too, just knowledge and no fluff. Thank you. Subscribed
The fluff videos kind of annoy me when I’m trying to get info so I’m not into it, despite the almighty algorithm
This is awesome. I initially thought building a SIEM was actually never possible as an entry level SOC analyst. Thank you
As a newbie on the SOC pathway, this is amazingly simple to follow. A capital THANK YOU to you!
A fun little way to test Elastic Defend agents is to run "Atomic Red Team invoke". This can automatically run MITRE attacks, and you can check coverage and generate a bunch of alerts by running all tests. Image your VM before you run this though, because it can mess things up when you run all the tests.
Patience and persistence are required. Careful adherence to the instructions on the blog post (link provided in the description). GA's overview is a high-level, fast-paced overview, and Elastic's website layout has changed. Pay specific attention to the steps of adding the integration, installing the agent, and allowing the agent to be enrolled in Fleet. Very important to allow time for the agent to report the processes from the host to the Elastic Cloud. The results are not as fast as would seem in the video. Don't rush and keep trying! Thanks SC!
It's near impossible that ELK and no-hassle fit in one sentence, thanks to you
Great video, love your content and the cyber threat briefing every morning. If anyone goes to integrate and none of them appear try signing out and back in and it works.
Thank you for the kind words and thx for the tip on the lab for others
Loved the video, definitely gonna do it when I get home and play with this one too. Thanks.
I’m saving this vid for later but I just wanted to say thank you for putting my mind at ease with the intro. I was so overwhelmed just looking for a video that didn’t confuse me and told me exactly what I would be doing and how it would help me in building my cyber resume 👌🏿.
Set this up! The hardest part was installing Kali Linux. This Elastic stack is super user-friendly and is a must-have project for your portfolio.
Thank you so much i remember doing this in class in our labs unfortunately I do not have access to these labs since I have graduated I think that sucks so you have opened up an opportunity to really keep abreast of my cybersecurity skills
Thank you, Dr. Auger! Not sure if it was just me, but event.action: "nmap_scan" didn't fire any alerts. I replaced with process.name: "nmap" which triggered alerts and sent an email.
I am still not getting an email even though it's showing on the dashboards
Not able to see nmap details. Do we need to set up anything on ES to read them?
This is exactly what i needed!
This was awesome! It took some time setting up Kali Linux for me, not sure why, but once that was good the rest was a breeze! Thanks for the video!
Glad you found it helpful!
Is your layout the same as in the video?
I can't find the logs, any help?
This video comes as a life saver for me! I am struggling to set up the elastic search on my linux vm so this will be my workaround 😊
Thank you for this video Gerald. It was quite helpful. Thank you
Fantastic! I know how I’ll be spending my weekend ❤
Is anyone else having trouble setting that "Easy Lab" setup? On the "Install Elastic Agent" step I keep getting a stall and it states "Confirm agent enrollment" "Listening for agent" and there's an infinite scrolling wheel. I asked Chatgpt and it states my settings are probably misconfigured. If anyone has any suggestions or know the fix I will greatly appreciate it.
same for me. Did you ever figure this out?
YOU ARE HIM Dr. G! Thanks!
I followed every step to a T, yet when I set up an email alert for "sudo -sv localhost" and ran the command line I get no email? Any tips on this?
I also had an issue getting the email to fire. Suggest using a webhook and validating that the alert is firing, to try and isolate the issue.
Querying for Security Events in the Elastic SIEM: why did no nmap or sudo events appear in the logs?
were you able to find a solution, I'm having the same issue.
@brayan0742 I restarted the services and the server. It appeared somehow. But after that, it no longer appeared.
This is my favorite YouTube channel!
YASSSS!!!! Thank you for making my day! 💙
Hey, please, I'm stuck in task 5 because I can't find "Logs" under Observability, and the Elastic Cloud interface I'm using has a lot of differences from the tutorial
Same here, I see Logs and Metrics but the query screen looks different
Did you solve it?
First tutorial video I didn't have to fast forward through
how did you get the email to fire off at 9:13? In the video it looks like it was cut off and i didn't get to see exactly what you did.
Thx for asking. I didn't get the email and couldn't troubleshoot it for the video. I thought I left a comment in there saying the email didn't arrive but I guess it didn't make the final vid. I would set it up with webhooks if I'm being practical, since it's more flexible and you would see it in practice (fire off a Slack msg, for example)
Slack is awesome for this because it's so easy to set up a Slack instance and then view the alerts on, say, your phone.
NOTE: If you are using a Kali Linux VM on an Apple Silicon Mac, and you have the arm version of Kali installed, for installing the elastic agent you need to modify 'x86_64' to 'arm64' in the initial installation command you copy+paste to setup the elastic agent on the kali vm
Thx for the tip to help the people
does this apply to Apple Sonoma as well?
Your macOS version doesn't matter, it's the type of chip that's inside
I am just happy he's reading it off from a Medium Post written by a Nigerian! At least we're good at something too!
Kali vm connected and the nmap scans are successful but there is no log in kibana when I search for the nmap scans. Great tutorial well paced and informative I will get my issue resolved I hope.
Thanks so much! Dr Auger! Very nice and concise video!
Saved to my SOC Analyst playlist to review later. I'm new so this went waaaay too fast lol.
Edit: Literally playing this back on .75 lol
@MD-mo9wb This was literally what I did, the guy was so fast that I had to slow him down myself 😁
did everything in the video, but can't find any logs after running nmap commands. Nothing shows in logs related to nmap. Any idea why?
same here.
@ellatechie I had some trouble 2 weeks ago but decided to try it again and fortunately I got it.
Did the agent install successfully?
Did you solve it?
@Destrudo5359 Did the Elastic Agent successfully connect to Kali Linux?
@filippogiorgiorondo6932 Yah. It was under dashboard settings. There is an option to have the ElasticSearch side panels viewed as "classic style". Then it will show each section like Security, Dashboard, etc. Also, Defend was successfully installed on my end on the Kali machine command prompt once I was on a good internet connection. All good. Everything works as the video stated.
Idk about anyone else but I can't find Logs under Observability. Any ideas?
same and the interface is very different
Did you solve it?
Thanks for sharing this!
what are the recommended computers for homelab that are cost friendly? Not sure if I need to get a new computer that is just reserved for homelabs. Can someone point me in the right direction recommended homelab computers and any accessories that should be included?
Hi, I am having trouble pasting the Linux command into the terminal in my virtual machine. It's not pasting. Any insight?
I'm having trouble getting the rule for Nmap. I can get process.args:, but nmap doesn't show up for me. Please advise.
same here
The process.args: nmap logs are not showing up on ES. I did everything just like the video up to that point. I've been stuck with this issue for several days now...
Thank you @Kaiomonchi
@SCole07 What was the solution? I have the same issue
This doesn't work anymore. Added the agent to kali, checked systemctl, did a few scans.. It sees the agent but there is nothing in the logs.
This is not working. The setup of Elasticsearch itself is a mess, unable to get it. Even after enrolling, only the logs during enrollment are getting received in Elastic, and the logs after enrollment are not getting fed in.
Is the Elastic lab actually used in a professional setting, or just for testing and building home labs?
Hi, I followed your steps to set up the nmap detection alert. But I cannot receive any emails for the alert. Does anyone know how to solve this problem?
Loved It. Excellent
Question on installing: when installing Kali, am I installing VMware or VirtualBox? I already have Oracle VM VirtualBox?
Am I the only one not getting alerts? I set up the alerts and everything exactly as the video states and I have yet to get an alert or email from performing a Nmap scan
me too. did anything change for you? if so, how did you do it?
You need to use a different field name (process.args: "nmap") and not event.action.
He used the wrong field name to create the rule, that is why. So use process.args: "nmap" rather than event.action: "nmap_scan" in the query when creating the rule.
@IvanAAnnuh I still don't get any alerts, was there any other solution you found to trigger alerts?
It is very good to become a cyber professional
You are doing great Gerald, Thanks for these invaluable resources.
Good morning over here. Please, am I the only one having issues with my Elastic Defend? It's installing but not enrolled, and I tried pinging Google and it turned out fine
WOW, awesome channel. I'm new here and just subscribed. I recently finished my bootcamp and have to finish my resume before the job hunt. I'm in a 12-week mentor program now with CNL, and this channel about projects will be great to add to my resume. I'm switching from 20 yrs in motion capture animation in video games/VFX film to a new career; too many layoffs in games but plenty in cyber. I'll post an update here when I finish this project, hopefully before this weekend.
Darrel C
Great video, thank you.
Good morning everyone! Nothing better than sharing and learning! Love it, love it, LOVE IT!!!❤🎉
I'm so new here. However, I'm struggling to find the downloads. I downloaded it, but where do I find the boxes inside of Oracle and Linux that look like the ones above?
For some reason, I'm not getting any log entries from nmap in ES. Does anybody know how to fix this?
Gerald, is there an open source SIEM that I can install on Ubuntu desktop that has a GUI? I tried Wazuh, but I'm having some issues with that, and I have more resources on my Ubuntu also. Thanks in advance
I can’t find the log menu
Did you solve it?
Everything is done, but what to do with this lab? I am confused, someone help me here
Am I supposed to type the password when it says "[sudo] password for kali" after I paste the code to install the agent in Kali? If so, it's not letting me type anything when it gets to that point.
I've figured it out now, but now it won't successfully install the agent. I pinged Google like it said and it works.
It says the agent is installed but currently broken
Got it ✅ Made a new Elastic account; the free trial had expired
Not sure what I'm doing wrong but it doesn't confirm agent enrollment. I'm stuck at a "Listening for agent" message. Anyone else? Could use some help on how to fix this so I can finally complete the lab
Does anyone know how he does the highlight thingy (the square and the arrow)? It's my first time seeing someone use it. Is it software or an inbuilt function? What is it?
It just seems so helpful when documenting the stuff you're doing
It's "ZoomIt"; it's part of a utility kit you can download from Microsoft
For those having issues with not being able to get alerts/emails, it's because he used the wrong field name for the rule. You need to use a different field name (process.args: "nmap") and not event.action.
My Fleet agent is not getting connected and the status is showing "listening" but not getting confirmed. What might be the problem? Please help me
What do you use to highlight and make the arrow?
ZoomIt by Sysinternals. It's on the Microsoft website. It's awesome
What’s the option for OS system???
I did everything as shown, but when running "nmap" I do not get any alerts! Please help
Go to "Stack Management" -> "Connectors". Test your connector
OR
While creating a new rule, in the custom query, put process.args: "nmap" instead of event.action
I was able to receive alerts when I changed the custom query from event.action to process.args
@abhinavakaranth3813 I don't think that's the problem. I think the problem is that he's not getting any log entries at all. I'm having the same issue.
The only issue I had: I could not find the custom query in my options :/
Well done, now how deep does this rabbit hole go? Just remember to keep following that white rabbit neo!
Having trouble doing with a Mac. I know it has to do with the linux distribution.
Who's actually been able to get this SIEM to work? I haven't. After a successful agent install and nmap scans, nothing is being reported to the Logs about the scans.
Even I am having trouble seeing the logs. But if you go to Discover you will find timestamps of the data, and that means the thing is working
@eshajadoun5743 I'm glad to see that I'm not the only person who was having trouble and it wasn't just a newbie mistake. But yeah, I've just been messing around with it and set up a Kali VM and a Windows VM as well as a honeypot, and I've been seeing data being ingested over the last couple of days.
Same here. Have you been able to figure out the solution? Thanks in advance
@giangphamngocchau8516 Hi, I never finished "this" lab, but I did pay for the course and the course is worth it.
You need to use a different field name (process.args: "nmap") and not event.action.
I'm wondering if its possible to build this lab on prem (vs using the cloud)?
It is, but you need more hardware and configuration. Check out graylog or ELK stacks.
How am I just finding this Video, I’m building this ASAP
Great content.
Great video! Late comment, but how long can the free version be used?
It’s been a minute but I think 7 or 14 days. I can’t recall but enough you can make it happen in a weekend
Everything went well, but I didn't get any alert, either in the dashboard or in my e-mail
🤔 hmmm
I'm running into the same thing. Wondering if our KQL syntax for the rule is outdated or incorrect.
Is this good for people that are starting with cybersecurity, or is prior "experience"/background necessary?
No experience is needed to setup, but prior knowledge is needed to know what you’re looking at and what it means in the siem. Mostly networking and operating system prior knowledge
I'm back and ready to spend time to learn and earn experience. Currently starting my major in cybersecurity and want to earn experience at the same time to build my resume.
Hell yes Gerry guy, I'm doing this soon
Don't do anything soon. if you want to do something put a date on it. Soon to some software devs is 2.5 years of soon.
event.action: "nmap_scan" doesn't work, wouldn't trigger any alerts.
He used the wrong field name to create the rule, that is why. So use process.args: "nmap" rather than event.action: "nmap_scan" in the query when creating the rule.
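An added example, not from the video or the Medium post it follows, to make the fix discussed in this thread concrete: a small Python replay of the three rule queries mentioned above over constructed ECS-style process events. It shows why event.action: "nmap_scan" can never fire (no process on the host emits that value), that process.args: "nmap" misses nmap launched by absolute path because argv[0] is then "/usr/bin/nmap", and that process.name: "nmap" catches both. The sample events, the minimal matcher, and the helper names (parse_term, run_rule, compare_rules) are all this example's own; nothing here is captured data from Elastic.

```python
"""Added example (not from the video or the Medium post): replay the rule
queries discussed in this thread over constructed ECS-style process events."""
import re

# Constructed sample events shaped like Elastic Defend Linux process
# telemetry (ECS field names). The process-start events use
# event.action "exec", as Linux endpoint telemetry does; "nmap_scan" is
# not a value any event carries, which is why the original rule stayed
# silent. All values below are made up for this example.
SAMPLE_EVENTS = [
    {
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "process": {"name": "nmap", "args": ["nmap", "-sV", "-p", "22,80", "127.0.0.1"]},
        "host": {"name": "kali"},
        "user": {"name": "kali"},
    },
    {
        # nmap launched by absolute path: argv[0] is no longer the bare token
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "process": {"name": "nmap", "args": ["/usr/bin/nmap", "-sn", "192.168.56.0/24"]},
        "host": {"name": "kali"},
        "user": {"name": "kali"},
    },
    {
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "process": {"name": "sudo", "args": ["sudo", "-s"]},
        "host": {"name": "kali"},
        "user": {"name": "kali"},
    },
    {
        "event": {"category": ["process"], "type": ["end"], "action": "end"},
        "process": {"name": "bash", "args": ["bash"]},
        "host": {"name": "kali"},
        "user": {"name": "kali"},
    },
]

# Minimal matcher for the single-term KQL shape used in the thread:
#   field.path: "value"   or   field.path: value
# Exact keyword-style comparison. For array fields such as process.args the
# term matches if any element equals the value, which is how a keyword
# array behaves in KQL.
_TERM = re.compile(r'^\s*([A-Za-z0-9_.@]+)\s*:\s*"?([^"\s][^"]*?)"?\s*$')


def parse_term(query):
    """Split 'field: "value"' into (field, value); reject anything else."""
    m = _TERM.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    return m.group(1), m.group(2)


def get_field(event, dotted):
    """Resolve an ECS dotted path against nested dicts; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(event, query):
    """True if the single-term query would select this event."""
    field, value = parse_term(query)
    actual = get_field(event, field)
    if actual is None:
        return False
    if isinstance(actual, list):
        return any(str(v) == value for v in actual)
    return str(actual) == value


def run_rule(query, events=SAMPLE_EVENTS):
    """Return the command line of every event the query would alert on."""
    return [" ".join(e["process"]["args"]) for e in events if matches(e, query)]


def compare_rules(events=SAMPLE_EVENTS):
    """Hit counts for the three queries that appear in this comment thread."""
    queries = (
        'event.action: "nmap_scan"',  # the rule as built in the video
        'process.args: "nmap"',       # fix suggested in the thread
        'process.name: "nmap"',       # the other suggested fix
    )
    return {q: len(run_rule(q, events)) for q in queries}


if __name__ == "__main__":
    for query, hits in compare_rules().items():
        print(f"{query:28} -> {hits} hit(s)")
    print(run_rule('process.name: "nmap"'))
```

Running it shows 0, 1 and 2 hits respectively: the event.action rule can never match because no event carries that value, process.args: "nmap" only matches when nmap is typed as a bare command, and process.name: "nmap" is the field that follows the binary regardless of how it was invoked.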
It gave me an error:
curl: (18) HTTP/2 stream 1 was not closed cleanly before end of the underlying stream
tar (child): elastic-agent-8.14.2-linux-x86_64.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
bash: cd: elastic-agent-8.14.2-linux-x86_64: No such file or directory
What do I do??
Ping me on the Discord server. I'm not sure what step you're on or what you're doing that results in this error, and YT comments are tough to communicate in for troubleshooting
@SimplyCyber Alright, I'm trying something now, but I'll ping you if this doesn't work out as well
Anyone know of a completely free SIEM we could use in lieu of a trial version of Elastic? Just wondering.
Why does Elastic look completely different and not work the same? Plz help
I'm not sure. Technology can have front-end changes made after the video is recorded. Potentially that?
Is there something to use instead of Elastic that is 100% free and not a trial? Thnx
It's been a minute, but I think there is a trial aspect to this, so it's just an in/out opportunity to learn and do a lab.
I believe Graylog is free
@SimplyCyber Great, thank you, I will check it out. Still new to the CS scene but already completed S+ and have a big interest in expanding my knowledge in SC.
Try Wazuh, it's a fork of Elastic and will be widely used in training labs
I couldn't get past the Elastic install point
Sir expecting more siem lab tutorials❤
Maybe it worked before but doesn't work anymore. Doesn't install
Thank you
I am happy you exist.
Thank you.
You're welcome!
Remarkable Man, Thanks, but slow down a bit. Are you in a rush or something else?
#TeamSimplyCyber!
Can someone confirm, does this work now?
Yes
Did hours of tinkering just to realize my nmap commands and stuff don’t work or transfer anything to my elastic defender logs.
did you find a way to fix that?
@BrianBChess About to try again soon
COOL!
#TeamSC
Looks completely different from dashboard on elastic. Could probably use an updated video.
Thx for update. I’ll add it the queue. Will probably pull this one down
@SimplyCyber thank you.
Subbed based off comments