An ELK environment loaded with the following datasets:
- Mordor from Roberto Rodriguez @Cyb3rWard0g and Jose Luis Rodriguez @Cyb3rPandaH
- EVTX-ATTACK-SAMPLES from Samir Bousseaden @SBousseaden
Thanks to the authors of the datasets as well as:
- Shinta Nakano for evtx2es, which I used to import the EVTX-ATTACK-SAMPLES dataset.
You need at least:
- a working Docker CE installation with docker-compose
- 4 GB free disk space
- 2 GB RAM for reasonable Elasticsearch performance
Clone this repository and the dataset submodules with:
git clone --recurse-submodules https://github.com/thomaspatzke/elk-detection-lab.git
Run this command to start the ELK environment and import the datasets:
./elk-detection-lab.sh init
Once this has been run, the ELK environment can be started again without re-importing the data:
./elk-detection-lab.sh run
Open the local Kibana in your browser. The data starts in November 2018, so set the Kibana time range accordingly; field naming follows the Elastic Common Schema (ECS) and Winlogbeat 7 conventions.
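As an added example (not part of this repository), the following script runs one ECS-based detection query against the lab: Sysmon process-creation events (event ID 1) for a given image name, restricted to the dataset's time range. It assumes Elasticsearch answers on http://localhost:9200 and that the imported events live in indices matching `winlogbeat-*`; neither is stated above, so adjust them for your setup.

```python
import json
import urllib.request

ES_URL = "http://localhost:9200"   # assumed default Elasticsearch port
INDEX_PATTERN = "winlogbeat-*"     # assumed index pattern for the imported data
DATA_START = "2018-11-01"          # the lab data starts in November 2018

def process_creation_query(process_name, since=DATA_START):
    """Elasticsearch DSL for Sysmon event ID 1 (process creation) of one image.
    ECS/Winlogbeat 7 names: event.code (Windows event ID as keyword),
    process.name (image file name), @timestamp (event time)."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"event.code": "1"}},
            {"term": {"process.name": process_name}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
        "_source": ["@timestamp", "host.name", "process.command_line"],
    }

def matches(doc, process_name, since=DATA_START):
    """The same rule applied to one ECS document held as nested dicts, so the
    logic can be checked without a cluster (ISO-8601 strings compare as text)."""
    return (doc.get("event", {}).get("code") == "1"
            and doc.get("process", {}).get("name") == process_name
            and doc.get("@timestamp", "") >= since)

def search(query):
    """POST the query to _search and return each hit's _source document."""
    req = urllib.request.Request(f"{ES_URL}/{INDEX_PATTERN}/_search",
                                 data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return [hit["_source"] for hit in json.load(resp)["hits"]["hits"]]

# Constructed sample documents in ECS shape, used when no cluster is reachable.
SAMPLE_DOCS = [
    {"@timestamp": "2018-11-05T19:00:12.000Z", "event": {"code": "1"},
     "host": {"name": "WIN-LAB01"}, "process": {"name": "powershell.exe",
     "parent": {"name": "cmd.exe"}, "command_line": "powershell.exe -nop"}},
    {"@timestamp": "2018-11-05T19:00:13.000Z", "event": {"code": "3"},
     "host": {"name": "WIN-LAB01"}, "process": {"name": "powershell.exe"}},
]

if __name__ == "__main__":
    try:
        hits = search(process_creation_query("powershell.exe"))
    except OSError:  # lab not running: evaluate the rule on the samples instead
        hits = [d for d in SAMPLE_DOCS if matches(d, "powershell.exe")]
    print(json.dumps(hits, indent=2))
```

The same filters can be typed into Kibana Discover as KQL (`event.code:1 and process.name:"powershell.exe"`) once the time picker covers November 2018 onwards.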