[Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)


  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

You could use a cloud-hosted instance of Elastic Cloud Enterprise; however, since I am trying to avoid exposing this environment to the Internet, I will be building ECE in my home lab environment.

Installation is relatively easy, however there are some prerequisites prior to installing ECE itself.

System Preparation

Prior to installing ECE, we need to complete some system preparation for Docker, Docker Compose and eventually ECE itself.

sudo apt update -y
sudo apt upgrade -y
sudo apt-get install curl apt-transport-https ca-certificates software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

From here we can move forward with installing Docker and Docker Compose.

Installing Docker and Docker Compose

Docker is required to deploy ECE, so we need to add the Docker repository, install the components, and add the current user to the docker group (the group change only takes effect after logging out and back in, hence the logout at the end). ECE also requires the kernel's vm.max_map_count to be raised to 262144.

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update -y
sudo apt install docker-ce docker-ce-cli containerd.io -y
sudo systemctl status docker
sudo usermod -aG docker $USER
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.max_map_count=262144
logout

Installing Elastic Cloud Enterprise

By default, ECE stores its index data under the /mnt/data/ partition. When sizing and installing your own instance, ensure /mnt/data/ has enough storage capacity to cater for your threat lab installation.

sudo mkdir /mnt/data
sudo chown 1000:1000 /mnt/data/
bash <(curl -fsSL https://download.elastic.co/cloud/elastic-cloud-enterprise.sh) install
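Before running the installer, it is worth confirming that the preparation steps above actually took effect (the docker group membership in particular only applies after logging out and back in). The following pre-flight script is an added example and not part of the original post; the 50 GiB free-space minimum is an assumed figure to adjust to your own sizing.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the ECE host prepared above (not from the post).
# Each check takes its input as an argument and returns 0 (pass) or 1 (fail), so it can
# be exercised against constructed values as well as against the live host via run_all.

REQUIRED_MAX_MAP_COUNT=262144   # value the post writes to /etc/sysctl.conf
MIN_FREE_GIB=50                 # assumption: adjust to your own index sizing

# $1: current vm.max_map_count (as from `sysctl -n vm.max_map_count`)
check_max_map_count() {
  [ "$1" -ge "$REQUIRED_MAX_MAP_COUNT" ] 2>/dev/null
}

# $1: "uid:gid" of /mnt/data (as from `stat -c %u:%g /mnt/data`); ECE expects 1000:1000
check_data_dir_owner() {
  [ "$1" = "1000:1000" ]
}

# $1: space-separated group list (as from `id -nG`), $2: group name to look for
check_in_group() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# $1: free KiB under /mnt/data (as from `df -k --output=avail`), $2: minimum GiB
check_free_space() {
  [ "$1" -ge $(( $2 * 1024 * 1024 )) ] 2>/dev/null
}

# Runs every check against the live host; prints one line per failure, returns 1 if any failed.
run_all() {
  rc=0
  check_max_map_count "$(sysctl -n vm.max_map_count 2>/dev/null)" \
    || { echo "FAIL: vm.max_map_count below $REQUIRED_MAX_MAP_COUNT"; rc=1; }
  check_data_dir_owner "$(stat -c %u:%g /mnt/data 2>/dev/null)" \
    || { echo "FAIL: /mnt/data missing or not owned by 1000:1000"; rc=1; }
  check_in_group "$(id -nG)" docker \
    || { echo "FAIL: $USER not in docker group (did you log out and back in?)"; rc=1; }
  check_free_space "$(df -k --output=avail /mnt/data 2>/dev/null | tail -n 1)" "$MIN_FREE_GIB" \
    || { echo "FAIL: less than ${MIN_FREE_GIB} GiB free under /mnt/data"; rc=1; }
  systemctl is-active --quiet docker \
    || { echo "FAIL: docker service is not running"; rc=1; }
  [ "$rc" -eq 0 ] && echo "All ECE pre-flight checks passed"
  return "$rc"
}

# Only touch the live host when explicitly asked: RUN_ECE_CHECKS=1 bash ece-preflight.sh
if [ "${RUN_ECE_CHECKS:-0}" = "1" ]; then run_all; fi
```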

Creating an ECE Deployment for Elastic Security

Once you have logged into the Elastic Cloud Enterprise interface (usually on port 12443), you can start creating your deployments from the deployment screen.

Create a new ECE Deployment

For this post, I will be using Elastic Security (mainly due to the included Threat Detection rules which come with it).

Select Elastic Security

I will also be customising the platform name, as well as the operating parameters (RAM, etc.), so before creating the deployment, ensure you customise the install.

Customize the installation

For the purposes of the Threat Lab build, I will be reducing the system resources to the bare minimum (I do not have the spare capacity to run the deployment at larger sizes).

Scaling the deployment to suit the Test Lab resources

1 comment so far

[Part 1] Building a Threat Integration and Testing Lab – McHugh Security Posted on10:25 pm - April 28, 2021

[…] [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises… […]
