azotheblue/CyberDefense
Elastic Analyst Lab

A turnkey Docker-based analyst lab for Part 103: one command starts Elasticsearch, Kibana (with Security), pre-loaded logs, and an open case queue for students to triage.

Quick start

  1. Start the lab

    docker-compose up -d
  2. Wait 8–10 minutes for Elasticsearch, Kibana, and the bootstrap (logs, detection rules, cases with alerts) to finish.

  3. Open Kibana

    • URL: http://localhost:5601
    • Username: elastic
    • Password: changeme (or the value of ELASTIC_PASSWORD from your .env)
  4. Go to Security → Cases to see the queue. Each case has detection alerts linked—click an alert to pivot to underlying logs in Discover.

What's included

  • Elasticsearch – single node, security enabled
  • Kibana – with Elastic Security (SIEM); Cases and Discover
  • Pre-loaded logs – proxy, email, endpoint, identity, network (indices logs-lab.proxy, logs-lab.email, etc.)
  • Open cases with alerts – 7 cases with detection-alert drilldowns; students triage each as Benign or True Positive and investigate the incident

Credentials and ports

Service         Port   Credentials
Kibana          5601   elastic / changeme
Elasticsearch   9200   elastic / changeme

To use a custom password, copy .env.example to .env and set ELASTIC_PASSWORD. If you change the password, update the elasticsearch healthcheck in docker-compose.yml to use the same password (it currently uses changeme).
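As an added illustration (not code from the repository), one way to keep the healthcheck in step with a custom password is to let it read ELASTIC_PASSWORD from the container environment instead of hard-coding changeme. The service name, the image tag placeholder, the weak "before" form and the plain-HTTP endpoint are assumptions about the lab's docker-compose.yml:

```yaml
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:<version>   # assumed: use the lab's real tag
    environment:
      # Interpolated by Compose from .env (or the shell); falls back to the lab default
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-changeme}
      - xpack.security.enabled=true
    healthcheck:
      # Weak form (a sketch of what the README describes): the password is hard-coded,
      # so after changing .env the check keeps authenticating with a stale password
      # and the container never reports "healthy".
      # test: ["CMD-SHELL", "curl -s -u elastic:changeme http://localhost:9200/_cluster/health | grep -q '\"status\":\"\\(green\\|yellow\\)\"'"]
      #
      # Corrected form: $$ escapes the variable so the container's shell, not Compose,
      # expands it; -f makes curl exit non-zero on 401/503, and wait_for_status holds
      # the request until the cluster is at least yellow.
      test: ["CMD-SHELL", "curl -sf -u elastic:$${ELASTIC_PASSWORD} 'http://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=5s' >/dev/null"]
      interval: 10s
      timeout: 10s
      retries: 60
      start_period: 60s
```

If the lab's Elasticsearch serves HTTPS rather than plain HTTP, change the scheme and pass the cluster CA to curl with --cacert.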

Student flow

  1. Open Kibana → Security → Cases.
  2. Review each case; use View in Discover on linked alerts to pivot to supporting log events (logs-lab.* indices).
  3. Determine whether each alert is Benign or True Positive and document findings (e.g. close notes).

Verification (after first run)

  1. docker-compose up -d then wait 8–10 minutes for bootstrap to complete.
  2. Check bootstrap: docker-compose logs bootstrap – should show "Bootstrap complete." and "Attached to case:" for each alert.
  3. In Kibana Discover, open index pattern logs-lab.* – you should see documents in logs-lab.proxy, logs-lab.email, etc.
  4. In Kibana Security → Cases – you should see 7 open cases, each with 1 (or more) detection alerts. Click an alert to pivot to the underlying logs.

Regenerating logs

To regenerate sample logs (e.g. after editing the scenario):

python lab-logs/generate.py bootstrap/sample-logs.ndjson
docker-compose build bootstrap
docker-compose up -d
