This is an introductory lab for doing log analysis with Kibana. It should only require the installation of Docker and Docker Compose.
This lab is based on real data containing actual malicious indicators. If you attempt to do things such as find and run files, or visit network entities that occur in these logs, you do so at your own risk.
- Download and install Docker.
- Download and install Docker Compose (On Windows Docker Compose should be bundled with the Docker installer, so this step shouldn't be required).
- Download or clone this repository.
- Open up a command prompt, make your way to this repository folder on your local machine and run `docker-compose up`.
- When `docker-compose up` is finished bringing the containers up, open a browser and navigate to http://localhost:5601 to access the Kibana instance.
compose-and-kibana.gif shows steps four and five in action.
This lab is meant to start getting you comfortable with Kibana for analysis, and with the kinds of questions you would try to answer when you find signs of a compromise. A Dashboard called VT Hunting has been created that should provide the information you need to get started.
- What is the name of the malicious file that has executed?
- What strain of malware does it appear to be?
- What does this malware typically do?
- When was this malware run and by which user on what computer? (Hint: Try pinning a Dashboard filter and viewing it in Discover.)
- What process wrote the malicious file to disk and when?
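The same pivot you would do by hand in Discover, as an added example that is not part of this lab: match the file's hash against Sysmon Event ID 1 (process create) to get the user, host and time, then look back for the Event ID 11 (file create) that wrote that same path to disk. The events are constructed sample records, not the lab's data, and the `event_id` key is an assumed name for the Sysmon event ID field; the other keys (`UtcTime`, `Image`, `User`, `Computer`, `Hashes`, `TargetFilename`) are the standard Sysmon field names.

```python
# Constructed sample Sysmon events (not the lab's real data). UtcTime uses
# Sysmon's "YYYY-MM-DD HH:MM:SS.mmm" layout, which sorts correctly as a string.
SAMPLE_EVENTS = [
    {"event_id": 1, "UtcTime": "2024-01-10 09:12:03.000", "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe", "User": "LAB\\alice",
     "Hashes": "SHA256=" + "a" * 64},
    {"event_id": 11, "UtcTime": "2024-01-10 09:14:20.000", "Computer": "WS01",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.exe"},
    {"event_id": 1, "UtcTime": "2024-01-10 09:15:01.000", "Computer": "WS01",
     "Image": r"C:\Users\alice\Downloads\invoice.exe", "User": "LAB\\alice",
     "Hashes": "MD5=" + "c" * 32 + ",SHA256=" + "b" * 64},
]


def parse_hashes(hashes_field):
    """Split Sysmon's 'MD5=..,SHA256=..' Hashes string into {algo: hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def trace_file(events, sha256):
    """Find the process-create event for a SHA-256, then the most recent
    file-create event that wrote that executable's path before it ran."""
    sha256 = sha256.lower()
    exec_ev = next((e for e in events if e["event_id"] == 1
                    and parse_hashes(e.get("Hashes", "")).get("SHA256") == sha256), None)
    if exec_ev is None:
        return None  # hash never seen executing in this data set
    path = exec_ev["Image"].lower()
    writes = [e for e in events if e["event_id"] == 11
              and e.get("TargetFilename", "").lower() == path
              and e["UtcTime"] <= exec_ev["UtcTime"]]
    writer = max(writes, key=lambda e: e["UtcTime"], default=None)
    return {
        "file": exec_ev["Image"], "executed_at": exec_ev["UtcTime"],
        "user": exec_ev["User"], "computer": exec_ev["Computer"],
        "written_by": writer["Image"] if writer else None,
        "written_at": writer["UtcTime"] if writer else None,
    }


if __name__ == "__main__":
    print(trace_file(SAMPLE_EVENTS, "b" * 64))
```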
- What are MD5, SHA-1, and SHA-256 Hashes, and How Do I Check Them?
- VirusTotal
- Sysmon Events List
- Sysmon Event ID 1 Fields
- Sysmon Event ID 11 Fields
- Kibana Dashboard
- Kibana Discover
Available here.