Lab 5.1: Practice with Auditbeat - squatchulator/Tech-Journal GitHub Wiki

Lab 5.1 - Practice with Auditbeat

Preparation

  • Start Elasticsearch, Logstash, Kibana, and Auditbeat (Elasticsearch first, since Kibana and the pipeline depend on it) and confirm that you can reach Kibana and that Auditbeat documents are arriving in the auditbeat-* index.

Security Monitoring with Auditbeat

  • The plan here is to generate some activity on the host and then use the Auditbeat dashboards to find evidence of that activity.
  • First, install 7-Zip with sudo apt-get install p7zip-full (on newer Ubuntu releases the package is named 7zip). This shows up as a package_installed event in the system package dataset.
  • Create a new user as well with sudo adduser <user>. This produces a user_added event.
  • Edit /etc/ssh/sshd_config and change PasswordAuthentication from no to yes, then run sudo systemctl restart sshd. Note that this deliberately weakens the SSH configuration and is only for generating lab activity; revert it when the lab is done. The edit itself is recorded by the file_integrity module as a change to /etc/ssh/sshd_config.
  • SSH into the server with the new user and try curling a web page, e.g. curl http://example.com. Also use Google's DNS server for some lookups: either run nslookup champlain.edu 8.8.8.8 directly, or start nslookup interactively, enter server 8.8.8.8, and then query a domain like champlain.edu (nslookup does not prompt for a server; you set it with the server command). Both the curl and the nslookup activity generate process and socket events attributed to the new user.

Data Identification

  • Go into Dashboards in Kibana and explore the Auditbeat dashboards. Match each step above to the dataset that records it: the package install (system.package), the new user (system.user), the sshd_config edit (file_integrity), the SSH login by the new user (system.login, with the source IP), and the curl and nslookup activity (system.process for the commands, system.socket for the connections to port 80/443 and to 8.8.8.8 on port 53).
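The dashboard search above can be done programmatically as a check on what the lab activity should have produced. The script below is an added example written for this page, not part of the original lab or of Auditbeat itself. It runs the same identification logic over a handful of constructed events that approximate Auditbeat's ECS output (the field names used are the ones Auditbeat's system, file_integrity and login datasets emit; the timestamps, IPs, user name and package version are made up), including a failed login that must not count as evidence. The Kibana KQL filters noted in the comments are assumed equivalents for doing the same pivots in Discover.

```python
import json

# Constructed sample events (not real Auditbeat output) covering each lab step,
# plus a failed SSH login as noise. One JSON document per line, like Auditbeat's
# file output.
SAMPLE_NDJSON = """
{"@timestamp":"2023-02-14T15:01:02.000Z","event":{"module":"system","dataset":"package","action":"package_installed"},"system":{"package":{"name":"p7zip-full","version":"16.02+dfsg-8"}}}
{"@timestamp":"2023-02-14T15:02:10.000Z","event":{"module":"system","dataset":"user","action":"user_added"},"user":{"name":"labuser","id":"1001"}}
{"@timestamp":"2023-02-14T15:03:30.000Z","event":{"module":"file_integrity","dataset":"file","action":["updated"]},"file":{"path":"/etc/ssh/sshd_config","owner":"root"},"hash":{"sha256":"0000000000000000000000000000000000000000000000000000000000000000"}}
{"@timestamp":"2023-02-14T15:03:35.000Z","event":{"module":"system","dataset":"process","action":"process_started"},"process":{"name":"systemctl","args":["systemctl","restart","sshd"]},"user":{"name":"root"}}
{"@timestamp":"2023-02-14T15:04:50.000Z","event":{"module":"system","dataset":"login","action":"user_login","outcome":"failure"},"user":{"name":"labuser"},"source":{"ip":"10.0.5.20","port":50112}}
{"@timestamp":"2023-02-14T15:05:00.000Z","event":{"module":"system","dataset":"login","action":"user_login","outcome":"success"},"user":{"name":"labuser"},"source":{"ip":"10.0.5.20","port":50114}}
{"@timestamp":"2023-02-14T15:05:40.000Z","event":{"module":"system","dataset":"process","action":"process_started"},"process":{"name":"curl","args":["curl","http://example.com"]},"user":{"name":"labuser"}}
{"@timestamp":"2023-02-14T15:05:41.000Z","event":{"module":"system","dataset":"socket","action":"network_flow"},"process":{"name":"curl"},"network":{"transport":"tcp"},"destination":{"ip":"203.0.113.10","port":80},"user":{"name":"labuser"}}
{"@timestamp":"2023-02-14T15:06:20.000Z","event":{"module":"system","dataset":"process","action":"process_started"},"process":{"name":"nslookup","args":["nslookup","champlain.edu","8.8.8.8"]},"user":{"name":"labuser"}}
{"@timestamp":"2023-02-14T15:06:21.000Z","event":{"module":"system","dataset":"socket","action":"network_flow"},"process":{"name":"nslookup"},"network":{"transport":"udp"},"destination":{"ip":"8.8.8.8","port":53},"user":{"name":"labuser"}}
"""

SSHD_CONFIG = "/etc/ssh/sshd_config"
FILE_CHANGE_ACTIONS = {"created", "updated", "attributes_modified"}


def load_events(ndjson):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def get(event, path, default=None):
    """Walk a dotted ECS path ('destination.ip') through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def actions(event):
    """event.action is a string for most datasets but a list for file_integrity."""
    act = get(event, "event.action", [])
    return act if isinstance(act, list) else [act]


def find_evidence(events):
    """Bucket the events that prove each lab step happened.

    Equivalent KQL pivots in Kibana Discover (assumed, for the same fields):
      event.dataset:package and event.action:package_installed
      event.dataset:user and event.action:user_added
      event.module:file_integrity and file.path:"/etc/ssh/sshd_config"
      event.dataset:login and event.action:user_login and event.outcome:success
      event.dataset:socket and destination.port:53
    """
    ev = {"package_installs": [], "users_added": [], "sshd_config_changes": [],
          "ssh_logins": [], "web_requests": [], "dns_lookups": []}
    for e in events:
        module, dataset, acts = get(e, "event.module"), get(e, "event.dataset"), actions(e)
        if module == "system" and dataset == "package" and "package_installed" in acts:
            ev["package_installs"].append(get(e, "system.package.name"))
        elif module == "system" and dataset == "user" and "user_added" in acts:
            ev["users_added"].append(get(e, "user.name"))
        elif module == "file_integrity" and get(e, "file.path") == SSHD_CONFIG \
                and FILE_CHANGE_ACTIONS & set(acts):
            ev["sshd_config_changes"].append(get(e, "@timestamp"))
        elif module == "system" and dataset == "login" and "user_login" in acts:
            # Only successful logins are evidence that the new account was used.
            if get(e, "event.outcome") == "success":
                ev["ssh_logins"].append((get(e, "user.name"), get(e, "source.ip")))
        elif module == "system" and dataset == "socket":
            dst_port = get(e, "destination.port")
            if dst_port == 53:
                ev["dns_lookups"].append((get(e, "process.name"), get(e, "destination.ip")))
            elif dst_port in (80, 443):
                ev["web_requests"].append((get(e, "process.name"), get(e, "destination.ip")))
    return ev


def commands_run_by(events, username):
    """Pivot on a user: the command lines of every process they started, in order."""
    return [" ".join(get(e, "process.args", []))
            for e in events
            if get(e, "event.dataset") == "process"
            and "process_started" in actions(e)
            and get(e, "user.name") == username]


if __name__ == "__main__":
    events = load_events(SAMPLE_NDJSON)
    for key, hits in find_evidence(events).items():
        print(f"{key}: {hits}")
    print("labuser ran:", commands_run_by(events, "labuser"))
```

The same pivots work against live data: point load_events at an Auditbeat file output (or an Elasticsearch export of the auditbeat-* index) and the per-step buckets tell you which lab actions left the expected trail and which did not.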