March 9, 2025 2 min to read

Build Your Own IOC Playground with ELastic SIEM

Hunt IOC

When it comes to proactive approach of security, threat Hunting comes to the picture. And being aware of IOC aka Indicators of Compromise gives an extra leverage to find malicious urls, hash, IP and block those and take proper action. In this lab, I’m gonna build homelab with Elastic Cloud and Elastic SIEM deployment and generate IOC with AbuseCH .

Basic HLD

Steps to create a hosted Deployment

Signup to Elastic Cloud
Click on Add Deployment
Launching Deployement
Incoming Data Confirmation

Agent Installation

Click on the assets, and Add Agent button
Enroll in Fleet which means elastic agents in fleet to automatically deploy updates and centrally manage the agent.

Install Elastic agent on the host machine, in my case it’s Kali Linux Machine

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.1-linux-arm64.tar.gz 
  tar xzvf elastic-agent-9.0.1-linux-arm64.tar.gz
  cd elastic-agent-9.0.1-linux-arm64
  sudo ./elastic-agent install --url=https://a097fdb86de9432ebec921c664a65f9d.fleet.us-east-1.aws.elastic.cloud:443 --enrollment-token=R0FzLTRwWUJtSzFxcVVmU2tyUUo6OUlIdGticVFtcjJhRVNjR2t1NUY4dw==

Incoming Data confirmation

Now Deploy Elastic Defend

Go to the integration and select Elastic Defend then click Add Elastic Defend

Configuration Integration give it a name and Description
Under Configuration Settings, it should be “Complete EDR with full telemetry”
under Where to host section, select existing host and pick same host where we had deployed 1st agent policy

Save & Continue

Now configure Threat Intel feed, from security project left hand menu side click on Intelligence

Click on AbuseCH TI tool
Add AbuseCH
Select Deployment option as Agent based and toggle off for “collect AbuseCh logs via API using Elastic Agents” . If you have AbuseCH API key feel free to use this option
Now check the TI feeds from Intelligence pannel and feel free to build custom dashboard as well.