# 課程最終目錄 ``` . ├── elk-server │   ├── elasticsearch_user_pw │   └── http_ca.crt └── kibana_server    ├── config    │   └── kibana.yml    ├── kibana-verification-code    ├── kibana-xpack.encryptedSavedObjects    └── kibana_enrollment_token ``` # Elasticsearch Build ## Step1 : make SOC repo ``` bash mkdir SOC-Guild-SIEM-ELK cd SOC-Guild-SIEM-ELK ``` ## Step2 : install docker ``` wget "https://get.docker.com" -O docker-setup.sh bash docker-setup.sh ``` ## Step3 : Build elasticsearch with docker ``` # 設置 Docker 的網絡環境 # 創建一個名為 "elastic" 的 Docker 自定義網絡，讓 Elasticsearch 和 Kibana 容器可以相互通信 docker network create elastic # 拉取 Elasticsearch 8.15.3 映像 docker pull docker.elastic.co/elasticsearch/elasticsearch:8.15.3 # 設置 Elasticsearch 運行所需的內核參數 # 調整最大內存映射區域數量，避免 Elasticsearch 運行時出現錯誤 sysctl -w vm.max_map_count=262144 # 啟動 Elasticsearch 容器 # 使用 `-it` 提供交互式終端，`-m 4GB` 限制容器內存為 4 GB # 映射 9200 端口到主機，並將容器加入 "elastic" 網絡 docker run --name es01 --net elastic -p 9200:9200 -d -m 4GB docker.elastic.co/elasticsearch/elasticsearch:8.15.3 ``` ## Step4 : wait elasticsearch complete ``` # 等待 Elasticsearch 完全啟動 # 確保 Elasticsearch 可以接受後續操作請求 sleep 30 ``` ## Step5 : generate necessary configuraion files ``` # 重置 Elasticsearch 預設用戶（elastic）的密碼，並將其保存到文件中 # 密碼將存儲於 elk-server/elasticsearch_user_pw 文件中 mkdir elk-server sudo docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -b > elk-server/elasticsearch_user_pw.txt # 從 Elasticsearch 容器中複製 CA 憑證到當前工作目錄 # 該憑證供 Kibana 和其他客戶端使用 docker cp es01:/usr/share/elasticsearch/config/certs/http_ca.crt elk-server/. ``` # Kibana Build ## Step1 : make directory ``` mkdir kibana_server ``` ## Step2 : start kibana server ``` # 拉取 Kibana 8.15.3 映像 docker pull docker.elastic.co/kibana/kibana:8.15.3 # 啟動 Kibana 容器 # 映射 5601 端口到主機，並掛載主機上的配置目錄到容器內 docker run -d --name kib01 --net elastic -p 5601:5601 docker.elastic.co/kibana/kibana:8.15.3 ``` ## Step3 : generate necessary configuraion files ``` docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana > kibana_server/kibana_enrollment_token docker exec -it kib01 /usr/share/kibana/bin/kibana-verification-code > kibana_server/kibana-verification-code ``` ## Step4 : open your drowser !  ## Step5 : input your password and enrollment token **I didn't prepare pictures. Please check my shared screen.** ## Step6 : input your kibana-verification-code **I didn't prepare pictures. Please check my shared screen.** ## Step7 : Great, We now have SIEM !  # Set SIEM Alters ## Step1 : generate necessary configuraion files ``` mkdir kibana_server/config docker cp kib01:/usr/share/kibana/config/kibana.yml kibana_server/config/kibana.yml chmod 777 kibana_server/config/kibana.yml docker exec -it kib01 /usr/share/kibana/bin/kibana-encryption-keys generate > kibana_server/kibana-xpack.encryptedSavedObjects ``` ## Step2 : modify kibana.yml - open kibana-xpack.encryptedSavedObjects  - modify kibana.yml   ## Step3 : restart kibana server ``` docker cp kibana_server/config/kibana.yml kib01:/usr/share/kibana/config/kibana.yml docker restart kib01 ``` ## Step4 : great, we now have sercurity SIEM !!  ## Step5 : right, we can generate ourself siem rule.  ## Step6 : create test log - open dev tool ``` json # creat an index and set field mapping PUT my-index { "mappings": { "properties": { "date": { "type": "date" } } } } ``` ``` json # Add a document to my-index POST /my-index/_doc { "id": "park_rocky-mountain", "title": "Rocky Mountain", "@timestamp": "2024-11-19T12:00:00Z", "description": "Bisected north to south by the Continental Divide, this portion of the Rockies has ecosystems varying from over 150 riparian lakes to montane and subalpine forests to treeless alpine tundra." } ``` - creat data view  - check data in discover  ## Step7 : test result