Elastic: Using Elastic Defend

Premium room

Explore Elastic Defend telemetry and alerts to investigate endpoint activity.

medium

60 min


As an analyst, you need visibility into event data to analyze activity and detect potential threats. In the previous room, Elastic: Setting up a Lab, you established that foundation by building your Elastic-based environment. Now, we move beyond centralized log analysis and explore Elastic Defend, the endpoint security component of the Elastic Security suite, which enables detection, investigation, and response directly on monitored hosts.

Learning Objectives

  • Configure the Elastic Defend integration
  • Understand what Elastic Defend monitors and protects
  • Explore endpoint telemetry data in Discover
  • Analyze key fields and events within endpoint logs
  • Investigate alerts in Elastic Security

Prerequisites

Some familiarity with the command line, concepts, and log analysis is recommended. However, all required commands and necessary information are provided in the walkthrough.

Machine Access

Click the Start Machine button below. The machine will start in Split-Screen mode. Once you gain access, use the Elastic desktop shortcut to open Elastic in your browser. Please allow the machine a few minutes to start up, and use the following credentials to log in.

  • Username: elastic
  • Password: W4h*Pn=7+WtUUmixs03H

We recommend switching to full screen mode for a more immersive experience. This provides a larger workspace, making it easier to manage the terminal and browser as you progress through the room. If your side menu is stuck while in full screen mode, please enter and exit the split screen view to resolve the issue.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
Answer the questions below

I understand the learning objectives and am ready to learn about Elastic Defend!
