Skip to content

yannw/sigma-workshop

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits

challenges

challenges

 
 

config

config

 
 

generic-solutions

generic-solutions

 
 

sigma @ be26ada

sigma @ be26ada

 
 

sigma_with_generic_logsources @ 3eaf83c

sigma_with_generic_logsources @ 3eaf83c

 
 

solutions

solutions

 
 

.gitmodules

.gitmodules

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Sigma_Workshop_Slides.pdf

Sigma_Workshop_Slides.pdf

 
 

command-lines.txt

command-lines.txt

 
 

es-search2bulk.sh

es-search2bulk.sh

 
 

es_kibana.docker-compose.yml

es_kibana.docker-compose.yml

 
 

kibana-index_pattern.json

kibana-index_pattern.json

 
 

sigma_workshop_es_logs.bulk.json

sigma_workshop_es_logs.bulk.json

 
 

sigma_workshop_prepare_es.sh

sigma_workshop_prepare_es.sh

 
 

winlogbeat-6.4.0-custom.template.json

winlogbeat-6.4.0-custom.template.json

 
 

Repository files navigation

Sigma Workshop

Content

This repository contains content and scripts for setting up an Elasticsearch and Kibana environment with logs of a Windows system where some typical attack tools were executed:

The logs contain events from Sysmon 8.0 in the SwiftOnSecurity configuration in addition to the default Windows system, security and application logs.

Further, the Sigma repository is contained as submodule. Clone this repository as follows to get it all:

git clone --recursive https://github.com/thomaspatzke/sigma-workshop.git

Installation

Elasticsearch/Kibana Docker Environment

The workshop environment was tested successfully under Linux Mint 8.3 and should therefore also work fine with Ubuntu 16.04. You should have installed Docker CE from the Docker package sources. Ensure to install the docker-ce package, avoid the old packages docker, docker-engine and docker.io.

First, the Elasticsearch/Kibana stack has to be started with Docker compose:

docker-compose -f es_kibana.docker-compose.yml up

This takes a while. Please wait until the environment is running. You can verify this by invocation of Kibana. If no errors regarding the availability of Elasticsearch are shown, the environment should be ready.

WARNING: The usage of the following mentioned script destroys possibly existing Kibana configuration! Don't use this on productive systems or where you don't want this to happen!

Install the index templates, log index and Kibana configuration index by invocation of ./sigma_workshop_prepare_es.sh.

If you plan to use an existing Elasticsearch installation for this workshop, you can also give the host and port as first parameter to the command line: ./sigma_workshop_prepare_es.sh elk:9201

Sigma dependencies

Sigma requires Python 3.5 and PyYAML. Under Ubuntu, these can be installed with (as root):

apt-get install python3 python3-yaml

With an existing Python 3 installation the dependency can be installed with:

pip3 install -r sigma/tools/requirements.txt

If you don't want to mess with your system Python installation, you can also work from a virtual environment that can be set up and activated with:

sudo apt-get install python3 python3-pip virtualenv
virtualenv -p python3 pyenv
pyenv/bin/activate

Usage

The logs are contained in the time frame between 14:45 and 15:20 on 2018-09-19 and can be viewed in Kibana.

About

Elasticsearch/Kibana environment and log data for Sigma workshop

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%