Build Your Own IOC Playground with Elastic SIEM

Hunt IOC


When it comes to a proactive approach to security, threat hunting comes into the picture. Being aware of IOCs (Indicators of Compromise) gives extra leverage to find malicious URLs, hashes and IPs, block them and take proper action. In this lab I’m going to build a homelab with an Elastic Cloud and Elastic SIEM deployment and generate IOCs with AbuseCH.

Basic HLD


Steps to create a hosted Deployment

  1. Sign up to Elastic Cloud
  2. Click on Add Deployment
  3. Launch the Deployment
  4. Incoming Data confirmation

Agent Installation

  1. Click on the assets, then the Add Agent button

  2. Enroll in Fleet, which lets Fleet automatically deploy updates to the Elastic Agents and manage them centrally.
  3. Install Elastic Agent on the host machine, in my case a Kali Linux machine. The Fleet URL and enrollment token below are the ones shown in the Add Agent dialog for this deployment:
     # download and unpack the agent tarball
     curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.1-linux-arm64.tar.gz
     tar xzvf elastic-agent-9.0.1-linux-arm64.tar.gz
     cd elastic-agent-9.0.1-linux-arm64
     # install as a service and enroll it with the Fleet server
     sudo ./elastic-agent install --url=https://a097fdb86de9432ebec921c664a65f9d.fleet.us-east-1.aws.elastic.cloud:443 --enrollment-token=R0FzLTRwWUJtSzFxcVVmU2tyUUo6OUlIdGticVFtcjJhRVNjR2t1NUY4dw==

  4. Incoming Data confirmation


Now Deploy Elastic Defend

Go to Integrations, select Elastic Defend, then click Add Elastic Defend.


  1. Configure the integration: give it a name and a description
  2. Under Configuration Settings, select “Complete EDR with full telemetry”
  3. Under the Where to host section, select Existing hosts and pick the same host where we deployed the first agent policy

Save & Continue

Now configure the Threat Intel feed: in the Security project’s left-hand menu, click Intelligence.

  1. Click on the AbuseCH TI tool
  2. Add AbuseCH
  3. Select the Deployment option as Agent based and toggle off “collect AbuseCh logs via API using Elastic Agents”. If you have an AbuseCH API key, feel free to use that option
  4. Now check the TI feeds from the Intelligence panel and feel free to build a custom dashboard as well.
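As an added example (not part of the original lab, and not Elastic’s own code), this is the kind of matching an indicator-match rule performs on top of the feed just configured: constructed abuse.ch-style indicator documents are normalised and compared against constructed endpoint events. The threat.indicator.* and event field names are assumed from ECS; all values are made up.

```python
"""Match constructed endpoint events against constructed abuse.ch-style IOCs."""
from urllib.parse import urlsplit

# Constructed indicator documents shaped like the ECS threat.indicator fields
# the AbuseCH integration populates (field names assumed, values made up).
INDICATORS = [
    {"threat": {"indicator": {"type": "url",
                              "url": {"full": "http://malicious.example/payload.exe"}}}},
    {"threat": {"indicator": {"type": "ipv4-addr", "ip": "203.0.113.10"}}},
    {"threat": {"indicator": {"type": "file",
                              "file": {"hash": {"sha256": "A" * 64}}}}},
]

# Constructed endpoint events with Elastic Defend style fields (assumed).
EVENTS = [
    {"event": {"id": "1"}, "destination": {"ip": "203.0.113.10"}},
    {"event": {"id": "2"}, "url": {"full": "HTTP://Malicious.example/payload.exe"}},
    {"event": {"id": "3"}, "process": {"hash": {"sha256": "a" * 64}}},
    {"event": {"id": "4"}, "destination": {"ip": "198.51.100.7"}},
]


def norm_url(url):
    """Lower-case scheme and host so case differences do not hide a match;
    the path is kept as-is because it is case-sensitive on most servers."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def build_ioc_sets(indicators):
    """Index indicators by type into normalised lookup sets."""
    urls, ips, hashes = set(), set(), set()
    for doc in indicators:
        ind = doc["threat"]["indicator"]
        kind = ind.get("type")
        if kind == "url":
            urls.add(norm_url(ind["url"]["full"]))
        elif kind in ("ipv4-addr", "ipv6-addr"):
            ips.add(ind["ip"].strip())
        elif kind == "file":
            hashes.add(ind["file"]["hash"]["sha256"].lower())
    return urls, ips, hashes


def match_events(events, indicators):
    """Return (event id, indicator kind, matched value) for every IOC hit."""
    urls, ips, hashes = build_ioc_sets(indicators)
    hits = []
    for ev in events:
        eid = ev["event"]["id"]
        ip = ev.get("destination", {}).get("ip")
        if ip and ip.strip() in ips:
            hits.append((eid, "ip", ip.strip()))
        url = ev.get("url", {}).get("full")
        if url and norm_url(url) in urls:
            hits.append((eid, "url", norm_url(url)))
        sha = ev.get("process", {}).get("hash", {}).get("sha256")
        if sha and sha.lower() in hashes:
            hits.append((eid, "sha256", sha.lower()))
    return hits
```

Event 4 produces no hit; events 1 to 3 match despite the differing URL and hash casing, which is why normalisation belongs in the rule and not only in the feed.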

IOC Details


Custom dashboard: Abusechurls (Most url panel)

In the next part we’ll discuss how to create correlation rules with the TI feeds.