Security Operation Lab

📊 30-Day DFIR Lab: Centralized Logging with Elastic Stack

In this lab, I designed and deployed a centralized log collection and alerting architecture for blue-team and detection engineering practice.

🧠 Lab Overview

  • Objective: Collect logs from Windows and Linux systems, forward them to the ELK stack, visualize them in Kibana, and trigger alerts.
  • Focus Areas:
    • DFIR readiness
    • Endpoint visibility
    • Threat detection
    • OSINT & alert integration

🖥️ Network & Architecture

Subnet: 192.168.100.0/24
Range: 192.168.100.1 – 254
Hypervisor: Proxmox VE

🧰 Lab Components

  • Proxmox: hypervisor for spinning up all VMs
  • Fleet Server: agent orchestration
  • Elastic Stack: Elasticsearch + Kibana for analysis
  • Windows Server: forwards logs via Elastic Agent (RDP)
  • Ubuntu Server: forwards logs via Elastic Agent (SSH)
  • osTicket: receives alerts from Elastic
  • Kali Linux: simulates attacker traffic from outside

πŸ” Workflow

  1. πŸ–₯️ Fleet agents installed on both Windows + Ubuntu endpoints
  2. πŸ“¦ Logs forwarded to ElasticSearch
  3. πŸ“ˆ Visualized via Kibana dashboard
  4. 🚨 Alerts generated and routed to OS Ticketing System
  5. πŸ§ͺ Simulated attacker activities via Kali Linux

πŸ” Security Focus

  • Event monitoring (Sysmon, auditd)
  • Inbound SSH & RDP logging
  • Alerting via Elastic rules
  • Incident triage through ticketing

📸 Screenshots

Elastic dashboard, Fleet agent overview, triggered alerts…

🚀 Tools Used

  • 🔧 Proxmox VE
  • 📊 ELK Stack (Elasticsearch + Kibana)
  • 📦 Fleet Server
  • 💻 Windows Server 2019 (with Elastic Agent)
  • 🐧 Ubuntu Server (with SSH + logging)
  • 🧪 Kali Linux (attacker simulation)
  • 📬 osTicket

πŸ—’οΈ Notes

  • Elastic Agent enrollment required manual token setup
  • Fleet provides visual heartbeat of all connected agents
  • Custom rules used to detect suspicious logon behavior
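The "suspicious logon behavior" rule from the Notes and the "Inbound SSH & RDP logging" plus "Alerting via Elastic rules" items under Security Focus come down to the same detection: many failed authentications from one source in a short window, escalated if a success follows. The script below is an added example written for this write-up, not the lab's own Elastic rule: it runs that threshold logic in Python over a handful of constructed ECS-shaped events (the `event.category`, `event.outcome`, `source.ip`, `host.name`, `user.name` field names are real Elastic Common Schema fields; the events, hosts and addresses are made up), tags the hit with the ATT&CK technique, and builds the ticket body. The ticket field names (`alert`, `source`, `subject`, `message` and so on) are assumed to match osTicket's HTTP ticket-creation API and should be checked against your osTicket version; the threshold, window and `soc@lab.local` address are likewise assumptions. In Kibana the same logic is a threshold rule over `event.category:authentication and event.outcome:failure` grouped by `source.ip`.

```python
"""Threshold-style logon detection over ECS-shaped events, plus a ticket payload.
Added example for this lab write-up; the events below are constructed, not captured."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # failed logons that trigger an alert (assumption)
WINDOW = timedelta(seconds=60)  # sliding window for counting them (assumption)


def _ev(ts, outcome, src, host, user, action):
    """Flat dict using ECS field names, as Elastic Agent would index them."""
    return {"@timestamp": ts, "event.category": "authentication", "event.outcome": outcome,
            "event.action": action, "source.ip": src, "host.name": host, "user.name": user}


# Constructed sample events (UTC). Addresses are inside the lab's 192.168.100.0/24.
SAMPLE_EVENTS = [
    # two mistyped passwords from an admin workstation, then success: below threshold
    _ev("2024-05-01T10:00:00Z", "failure", "192.168.100.20", "win-srv", "admin", "rdp_logon"),
    _ev("2024-05-01T10:00:09Z", "failure", "192.168.100.20", "win-srv", "admin", "rdp_logon"),
    _ev("2024-05-01T10:00:15Z", "success", "192.168.100.20", "win-srv", "admin", "rdp_logon"),
    # six SSH failures in six seconds against the Ubuntu host, then a success
    *[_ev(f"2024-05-01T10:01:{s:02d}Z", "failure", "192.168.100.50", "ubuntu-srv", "root", "ssh_login")
      for s in range(1, 7)],
    _ev("2024-05-01T10:01:10Z", "success", "192.168.100.50", "ubuntu-srv", "root", "ssh_login"),
    # a non-authentication event is ignored by the rule
    {"@timestamp": "2024-05-01T10:01:11Z", "event.category": "process", "event.outcome": "unknown"},
]


def _ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (source.ip, host.name) whose failed logons reach
    `threshold` inside `window`. A success from the same source on the same host
    within `window` of the last failure escalates the alert to high severity."""
    failures = defaultdict(list)  # (src, host) -> timestamps of failures still in window
    alerts = {}                   # (src, host) -> alert dict
    for ev in sorted(events, key=_ts):
        if ev.get("event.category") != "authentication":
            continue
        key = (ev["source.ip"], ev["host.name"])
        t = _ts(ev)
        if ev["event.outcome"] == "failure":
            fails = failures[key]
            fails.append(t)
            while fails and t - fails[0] > window:  # slide the window forward
                fails.pop(0)
            if len(fails) < threshold:
                continue
            if key not in alerts:
                alerts[key] = {"rule": "Multiple failed logons from one source",
                               "technique": "T1110 Brute Force", "severity": "medium",
                               "source.ip": key[0], "host.name": key[1],
                               "user.name": ev["user.name"], "failures": len(fails),
                               "first_seen": fails[0], "last_seen": t}
            else:  # keep counting after the alert has fired
                alerts[key]["failures"] += 1
                alerts[key]["last_seen"] = t
        elif ev["event.outcome"] == "success":
            alert = alerts.get(key)
            if alert and t - alert["last_seen"] <= window:
                alert.update(rule="Successful logon after failed-logon burst",
                             severity="high", success_at=t, **{"user.name": ev["user.name"]})
    return list(alerts.values())


def ticket_payload(alert, reporter_email="soc@lab.local"):
    """Build the JSON body for a ticket. Field names are assumed to match osTicket's
    ticket-creation API (POST /api/tickets.json with an X-API-Key header); verify them
    against your osTicket version before sending."""
    message = (f"{alert['rule']} ({alert['technique']})\n"
               f"source.ip={alert['source.ip']} host.name={alert['host.name']} "
               f"user.name={alert['user.name']} failures={alert['failures']}\n"
               f"window={alert['first_seen']:%H:%M:%S}..{alert['last_seen']:%H:%M:%S}")
    if "success_at" in alert:
        message += f"\nsuccess_at={alert['success_at']:%H:%M:%S}"
    return {"alert": True, "autorespond": False, "source": "API",
            "name": "Elastic detection", "email": reporter_email,
            "subject": f"[{alert['severity'].upper()}] {alert['rule']} from {alert['source.ip']}",
            "message": message}


if __name__ == "__main__":
    for hit in detect_brute_force(SAMPLE_EVENTS):
        print(ticket_payload(hit)["subject"])
        print(ticket_payload(hit)["message"])
```

Run as-is it prints one high-severity ticket for 192.168.100.50 against ubuntu-srv and nothing for the admin's two typos. The escalation on a following success is the part worth keeping in a production rule: a burst of failures is noise until it ends in a logon, at which point the ticket should go to the front of the triage queue.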

✅ What I Learned

  • How to create a full log pipeline from scratch
  • DFIR alerting in a home lab context
  • Elastic detection rules & correlation
  • Mapping alerts to real attacker TTPs