- [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
- [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
- [Part 1] Building a Threat Integration and Testing Lab
You could use a cloud-hosted instance of Elastic Cloud Enterprise, but since I want to keep this environment off the Internet, I will be building ECE in my home lab.
Installation is relatively easy, but there are some prerequisites to complete before installing ECE itself: the host needs to be prepared for Docker, Docker Compose and, eventually, ECE. The first step updates the system, installs the tooling needed to add a third-party apt repository and imports Docker's signing key. Note that `apt-key` is deprecated on newer Ubuntu releases (22.04 and later); there the key should be stored under /etc/apt/keyrings and referenced with a `signed-by` option in the repository line instead.
```bash
sudo apt update -y
sudo apt upgrade -y
sudo apt-get install curl apt-transport-https ca-certificates software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
```
From here we can move forward with installing Docker and Docker Compose.
Installing Docker and Docker Compose
Docker is required to deploy ECE, so we add the Docker repository, install the engine and Compose, and add the current user to the docker group. Keep in mind that membership of the docker group is effectively root on the host (a member can start a container with the host filesystem mounted), which is acceptable on a lab box but worth treating the account accordingly. ECE also requires vm.max_map_count to be raised to at least 262144 for Elasticsearch, so we set it persistently in /etc/sysctl.conf and apply it immediately. The final logout is needed so the new group membership takes effect on the next login.
```bash
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update -y
sudo apt install docker-ce docker-ce-cli containerd.io -y
sudo systemctl status docker
sudo usermod -aG docker $USER
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.max_map_count=262144
logout
```
Installing Elastic Cloud Enterprise
By default ECE stores its index data under /mnt/data. When sizing and installing your own instance, make sure /mnt/data has enough capacity for the threat lab, and that it is owned by uid/gid 1000, which is the user ECE runs as inside its containers. The installer below is fetched with curl and piped straight into bash; if you would rather review it first, download it to a file, inspect it, and then run it with the `install` argument.
```bash
sudo mkdir /mnt/data
sudo chown 1000:1000 /mnt/data/
bash <(curl -fsSL https://download.elastic.co/cloud/elastic-cloud-enterprise.sh) install
```
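The script below ties the preparation steps together as a pre-flight check to run after logging back in and before launching the installer: it confirms vm.max_map_count, the ownership of /mnt/data, docker group membership, and that the Docker daemon is reachable as the current user. This is an added example, not code from the original post or from Elastic's installer; the threshold, path and uid:gid are the values used above, and treating them as sufficient for a lab-sized host is an assumption.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an on-premises ECE host.
# Added example, not part of the original post or Elastic's installer.
# The values below are the ones the post uses; larger deployments may
# need more (assumption: lab-sized host).

ECE_MIN_MAP_COUNT=262144   # vm.max_map_count Elasticsearch needs
ECE_DATA_DIR=/mnt/data     # where ECE stores index data by default
ECE_DATA_OWNER=1000:1000   # uid:gid ECE runs as inside its containers

# Returns 0 if the supplied vm.max_map_count meets the ECE minimum,
# non-zero otherwise (including when the value is not a number).
map_count_ok() {
  [ "$1" -ge "$ECE_MIN_MAP_COUNT" ] 2>/dev/null
}

# Returns 0 if a "uid:gid" string (as printed by `stat -c %u:%g`) matches
# the owner ECE expects for its data directory.
data_owner_ok() {
  [ "$1" = "$ECE_DATA_OWNER" ]
}

# Returns 0 if a space-separated group list (as printed by `id -nG`)
# contains the docker group as a whole word.
in_docker_group() {
  case " $1 " in
    *" docker "*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Runs every check against the live host, printing one PASS/FAIL line each.
# Returns the number of failed checks, so it can gate the installer:
#   preflight && bash <(curl -fsSL https://download.elastic.co/cloud/elastic-cloud-enterprise.sh) install
preflight() {
  failed=0
  me=$(id -un)

  map_count=$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)
  if map_count_ok "$map_count"; then
    echo "PASS vm.max_map_count=$map_count"
  else
    echo "FAIL vm.max_map_count=$map_count (need >= $ECE_MIN_MAP_COUNT)"
    failed=$((failed + 1))
  fi

  owner=$(stat -c '%u:%g' "$ECE_DATA_DIR" 2>/dev/null || echo missing)
  if data_owner_ok "$owner"; then
    echo "PASS $ECE_DATA_DIR owned by $owner"
  else
    echo "FAIL $ECE_DATA_DIR owner is '$owner' (need $ECE_DATA_OWNER)"
    failed=$((failed + 1))
  fi

  groups_list=$(id -nG 2>/dev/null)
  if in_docker_group "$groups_list"; then
    echo "PASS $me is in the docker group"
  else
    echo "FAIL $me is not in the docker group (usermod -aG docker, then log out and in)"
    failed=$((failed + 1))
  fi

  if docker info >/dev/null 2>&1; then
    echo "PASS docker daemon reachable as $me"
  else
    echo "FAIL docker daemon not reachable as $me"
    failed=$((failed + 1))
  fi

  return "$failed"
}

# Only touch the live host when explicitly asked: `bash ece-preflight.sh run`.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Run it on the ECE host with `bash ece-preflight.sh run`; a non-zero exit means at least one prerequisite is still missing. The individual checks take their input as arguments rather than reading the system directly, so they can be exercised (and tested) on a machine that has neither Docker nor /mnt/data.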
Creating an ECE Deployment for Elastic Security
Once you have logged into the Elastic Cloud Enterprise admin console (by default served over HTTPS on port 12443), you can start creating deployments from the Deployments screen.
For this post, I will be using Elastic Security, mainly for the threat detection rules that ship with it.
I will also be customising the deployment name and the operating parameters (RAM, etc.), so before creating the deployment, make sure you customise the install rather than accepting the defaults.
For the threat lab build, I will be reducing the system resources to the bare minimum (I do not have infinite resources available to run it at a larger size).