Cyber Tasks - sofwerx/mad-jack GitHub Wiki

Install the Network Tap

Logon to bluerange0 Elasticsearch/Kibana

Check indexes

Test Json Script (for searches, etc.)

Check Index sizes

View the Dashboard

Watcher Configuration steps

Execute a watcher automatically

Execute a watcher manually

Edit a watcher

Delete a watcher

Check Alarms

SSH into the Safehouse AP

Access Safehouse AP through Web Interface

Useful Linux Terminal Commands


Install the Network Tap:

  1. Plug Internet cable into port A.

  2. Plug Access Point or Switch cable into port B.

    NOTE: Network Tap MUST be connected before the Access Point in order to intercept all incoming traffic.

  3. Run an ethernet cable from port C directly to the laptop.



Logon to Elasticsearch/Kibana:

  1. Open the Chrome browser (Kibana works best in Chrome).

  2. Type in the URL for Elasticsearch/Kibana.

    For example: https://kibana.bluerange0.devwerx.org:20443/

  3. Enter account name.

  4. Enter password.



Check indexes:

  1. Click the Discover option (left side menu).

  2. Select desired index from the drop-down menu.

  3. Select the time-period:

    a. Click the clock icon in the upper right-hand corner. Choose one of the following options:

    • Quick tab - Select one of the time ranges from the list.

    • Relative tab - Input the desired time range.

    • Absolute tab - Input the desired time range.



Test Json Script (for searches, etc.):

  1. Click the Dev Tools option (left side menu).

  2. Enter code into Console.

  3. View results in right panel.



Check Index sizes:

  1. Click the Monitoring option (left side menu).

  2. Click on Indices.

  3. Scroll through list to see data on the indexes.



View the Dashboard:

  1. Click the Dashboard option (left side menu).

  2. Navigate through the entries.



Watcher Configuration steps:

  1. Click the Sentinl option (left side menu).

  2. Click on the New tab (top row).

  3. Click on + Watcher (upper left).

  4. In the General tab:

      a. Go to the Title box. Type in the name of the watcher.

      b. Go to the Schedule box. Type in the schedule (e.g. every 5 seconds). This tells the watcher how often to run.

  5. In the Input tab:

      a. Go to the Title box. Type in the name of the input section of the script (or alternatively select one that was already created from the drop-down menu).

      b. Go to the Body box. If writing a new script, put the Input code here.

  6. In the Condition tab:

      a. Go to the Title box. Type in the name of the condition section of the script (or alternatively select one that was already created from the drop-down menu).

      b. Go to the Body box. If writing a new script, put the Condition code here.

  7. In the Transform tab:

      a. Go to the Title box. Type in the name of the transform section of the script (or alternatively select one that was already created from the drop-down menu).

      b. Go to the Body box. If writing a new script, put the Transform code here.

  8. In the Actions tab:

      a. Click the > in the email_admin box (right side of the box). Scroll down and click the delete button. Click Yes in the pop-up window.

      b. Expand the Add action drop-down menu. Select webhook.

      c. Click the > in the New webhook action box (right side of the box).

      d. Check the alarm box.

      e. Check the save payload box ONLY if you want the watcher to save the payload (packet information such as IP addresses, etc.).

      f. Customize the title.

      g. Select POST from the Method drop-down menu.

      h. Input the Host's IP address.

      i. Input the port number.

      j. Input the path (/).

      k. Input:

    {
      "message": "Found {{payload.hits.total}} Events",
      "payload": "{{payload.hits.total}}"
    }

      l. Input:

    {
      "Content-Type": "application/json"
    }

      m. Click Save in the upper right-hand corner of the screen.

  9. Select the Raw tab to see the entire script at once.

      a. The script can be viewed in its entirety from this tab. Although it is possible to edit the script from here, it is preferable to use the tabs as described in steps 4 through 8.
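The webhook action configured above POSTs the JSON document from step k, with the header from step l, to the host, port and path given in steps h through j. The receiver below is an added example written for this page, not code from the sofwerx/mad-jack wiki or from Sentinl; it validates exactly that payload before logging it, and the listening port (8080) and the helper name parse_alarm are assumptions.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed port the laptop listens on; it must match step i in the watcher.
LISTEN_PORT = 8080

# Step k: the watcher renders "Found {{payload.hits.total}} Events".
MESSAGE_RE = re.compile(r"^Found (\d+) Events$")


def parse_alarm(content_type, raw_body):
    """Validate one watcher webhook call; raise ValueError if malformed."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":          # step l header
        raise ValueError("expected Content-Type: application/json")
    doc = json.loads(raw_body)                    # JSONDecodeError is a ValueError
    if not isinstance(doc, dict) or set(doc) != {"message", "payload"}:
        raise ValueError("body does not match the step k template")
    match = MESSAGE_RE.match(str(doc["message"]))
    if match is None:
        raise ValueError("message does not match the step k template")
    hits = int(match.group(1))
    # "payload" carries the same hit count as a string; the two must agree.
    if str(doc["payload"]) != str(hits):
        raise ValueError("message and payload disagree")
    return {"hits": hits, "alarm": hits > 0}


class AlarmHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/":                      # step j: path is "/"
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        try:
            alarm = parse_alarm(self.headers.get("Content-Type"), body)
        except ValueError as err:
            self.send_error(400, str(err))   # reject malformed posts instead of acting on them
            return
        self.log_message("watcher alarm: %s", json.dumps(alarm))
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), AlarmHandler).serve_forever()
```

Run it on the laptop and enter that machine's IP address and 8080 in steps h and i; a watcher run then shows up as one log line per alarm.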



Execute a watcher automatically:

  1. Click the Sentinl option (left side menu).

  2. Go to the Watchers tab.

  3. Enable the watcher by moving the slider button (under ACTIONS) to the right. The watcher will now automatically execute as scheduled in the script.

  4. Moving the slider to the left will disable the watcher.




Execute a watcher manually:

  1. Click the Sentinl option (left side menu).

  2. Go to the Watchers tab.

  3. Click the circle (under ACTIONS).

  4. The watcher will execute immediately one time.



Edit a watcher:

  1. Click the Sentinl option (left side menu).

  2. Go to the Watchers tab.

  3. Click the three dots (under ACTIONS).

  4. Edit the script (see Watcher Configuration Steps).



Delete a watcher:

  1. Click the Sentinl option (left side menu).

  2. Go to the Watchers tab.

  3. Click the trashcan (under ACTIONS). WARNING: This will permanently delete the watcher.





Check Alarms:

  1. Click the Sentinl option (left side menu).

  2. Go to the ALARMS tab.

    a. Select an alarm from the list.

    b. Click the three dots to view the information and/or payload.

    c. Click the trashcan to delete the alarm.

    NOTE: The list will be empty if there are no alarms during the selected time-period.

  3. Change the time-period:

    a. Click the clock icon/time-period in the upper right-hand corner.

    b. Choose one of the following options:

    • Quick tab - Select one of the time ranges from the list.

    • Relative tab - Input the desired time range.

    • Absolute tab - Input the desired time range.









SSH into the Safehouse AP:

  1. Open terminal window (keyboard shortcut: command t).

  2. Enter "ssh" followed by username@IPaddress (the IP address of the Access Point).

    For example:

    ssh username@IPaddress

  3. Enter password.

  4. Type the desired submenu (left column) to navigate through the options.



Access Safehouse AP through Web Interface:

  1. Open a browser window.

  2. Type the Safehouse AP's IP address into the address bar.

  3. Enter username.

  4. Enter password.

  5. Navigate through the menus (left hand side).



Useful Linux Terminal Commands:

  1. Open a terminal window (keyboard shortcut: command t).

  2. Type the following command to show all running docker processes:



  3. Type the following to shut down the laptop:




