From Trainee to Architect: How I Built a Fully Functional SOC Lab from Scratch


Introduction:

The transition from cybersecurity theory to practical expertise requires hands-on experience with real-world tools. This journey through building a complete Security Operations Center (SOC) lab demonstrates the integration of a SIEM (ELK Stack) and a SOAR (n8n) platform, providing a blueprint for automated threat detection and response. By collecting and analyzing logs from Windows systems and Fortigate firewalls, this lab replicates the core functions of a modern security operations environment.

Learning Objectives:

  • Configure and integrate the ELK Stack (Elasticsearch, Logstash, Kibana) for centralized log management and analysis.
  • Implement log collection agents and parsers for diverse data sources, including Windows Event Logs and Fortigate syslog.
  • Design and deploy an automated SOAR workflow for threat intelligence enrichment and alerting.

You Should Know:

1. SIEM Foundation: Deploying the ELK Stack

The ELK Stack forms the analytical core of the SOC, ingesting, processing, and visualizing security data.

Verified Commands & Configurations:

# Install Elasticsearch, Kibana and Logstash (7.x) on Ubuntu
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch kibana logstash
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch kibana
sudo systemctl start elasticsearch kibana

Step-by-Step Guide:

This installs the core ELK components. First, the Elasticsearch GPG key and package repository are added to the system. The `apt update && apt install` commands fetch and install the three primary applications. Finally, `systemctl` commands configure the services to start automatically upon system boot and launch them immediately. After installation, Kibana is typically accessible via a web browser at http://<your-server-ip>:5601.

2. Windows Log Ingestion with Winlogbeat

Winlogbeat is a lightweight agent that forwards Windows Event Logs to the ELK Stack, providing critical visibility into endpoint activities.

Verified Winlogbeat Configuration Snippet (`winlogbeat.yml`):

winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational

output.logstash:
  hosts: ["your_logstash_server:5044"]

setup.template.settings:
  index.number_of_shards: 1

Step-by-Step Guide:

This YAML configuration tells Winlogbeat which Windows event logs to monitor. The `output.logstash` section directs the agent to send the collected logs to the specified Logstash server. The `setup.template.settings` section defines the initial Elasticsearch index settings. After installing the Winlogbeat package on a Windows machine, this file must be placed in the installation directory. The service is then installed with the bundled script and started using PowerShell: `PS C:\> .\install-service-winlogbeat.ps1` and `PS C:\> Start-Service winlogbeat`.

3. Parsing Fortigate Logs with Fluent Bit

Fluent Bit acts as a versatile log processor and forwarder, crucial for handling non-standard log formats like those from network firewalls.

Verified Fluent Bit Configuration Snippet (`parsers.conf`):

# parsers.conf: Fluent Bit regex parser (Onigmo syntax, not grok), so every
# field is a named capture group. The intermediate fields between subtype and
# srcip are not listed in the original and are skipped with .*
[PARSER]
    Name    fortigate
    Format  regex
    Regex   ^(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{2}:\d{2}) (?<device_id>\S+) (?<type>\S+) (?<subtype>\S+) .* srcip=(?<src_ip>\d+\.\d+\.\d+\.\d+) dstip=(?<dst_ip>\d+\.\d+\.\d+\.\d+) .*

Step-by-Step Guide:

This parser uses a regular expression to dissect a raw Fortigate log entry. It captures key fields such as the timestamp (`time`), the device ID, and, most importantly, the source and destination IP addresses (`src_ip` and `dst_ip`). The named capture groups (`(?<field_name>...)`) are what extract the specific values. This parser is then referenced in the main Fluent Bit configuration file (`fluent-bit.conf`) to process data from the input source (e.g., a syslog file) before the structured data is sent to Elasticsearch.

4. SOAR Automation: The n8n VirusTotal Workflow

n8n is a SOAR platform used to automate response actions, such as checking suspicious IPs against threat intelligence feeds.

Verified n8n Workflow Node Configuration (HTTP Request to Elasticsearch):

{
  "parameters": {
    "url": "http://your_elasticsearch_ip:9200/logstash-*/_search",
    "method": "GET",
    "authentication": "predefinedCredentialType",
    "nodeCredentialType": "httpBasicAuth",
    "sendHeaders": true,
    "headerParameters": {
      "parameters": [
        {
          "name": "Content-Type",
          "value": "application/json"
        }
      ]
    },
    "sendBody": true,
    "bodyParameters": {
      "parameters": [
        {
          "name": "query",
          "value": "{\"query\":{\"match_all\":{}}}"
        }
      ]
    }
  }
}

Step-by-Step Guide:

This node configuration in n8n performs a query against the Elasticsearch API. It specifies the index pattern (`logstash-*`) and uses a `match_all` query to retrieve documents. Authentication is handled via predefined HTTP Basic Auth credentials. The node's output, which contains the log data from Elasticsearch, is then passed to a subsequent "Code" node where JavaScript logic extracts a list of unique IP addresses. These IPs become the input for the next critical step: the VirusTotal API check.

5. Threat Intelligence Enrichment via VirusTotal API

Automating reputation checks is a fundamental SOAR function for rapidly assessing IOC risk.

Verified cURL Command for VirusTotal API:

curl --request GET \
--url 'https://www.virustotal.com/api/v3/ip_addresses/192.168.1.100' \
--header 'x-apikey: YOUR_VIRUSTOTAL_API_KEY'

Step-by-Step Guide:

This command demonstrates how to query the VirusTotal v3 API for a specific IP address's reputation. The `--url` parameter specifies the API endpoint, with the IP to be checked appended to it. The `x-apikey` header is mandatory for authentication using your personal API key. In an n8n workflow, this would be configured within an "HTTP Request" node. The JSON response from VirusTotal, containing detection stats and categorization, is then parsed to make a decision: for example, triggering an alert if the `malicious` count is greater than zero.

6. Automated Alerting via SMTP Email

Closing the automation loop by delivering actionable intelligence to analysts is key.

Verified n8n SMTP Node Configuration:

{
  "parameters": {
    "authentication": "oAuth2",
    "fromEmail": "[email protected]",
    "toEmail": "[email protected]",
    "subject": "SOAR Alert: Malicious IP Detected",
    "body": "IP {{ $json.ip }} was classified as malicious by VirusTotal. Please investigate.",
    "host": "smtp.gmail.com",
    "port": 587,
    "secure": false
  }
}

Step-by-Step Guide:

This node configuration in n8n sets up an email alert. It defines the sender, the recipient, a fixed subject and a dynamic body. The body uses n8n's expression syntax (`{{ $json.ip }}`) to insert the malicious IP address identified in the previous VirusTotal step into the email text. The node also specifies the SMTP server details (here, Gmail's). When the workflow execution reaches this node, it automatically sends the formatted email, ensuring the SOC team is notified immediately of the potential threat.

7. Data Visualization with Kibana Dashboards

Transforming raw log data into visual insights is critical for rapid situational awareness.

Verified Kibana KQL Query for Dashboard:

source.ip : ( "192.168.1.100" OR "10.0.0.55" ) and event.action : "firewall_deny"

Step-by-Step Guide:

Kibana Query Language (KQL) is used to filter data in Kibana Discover or when building dashboard visualizations. This specific query filters the logs to show only events where the source IP is either `192.168.1.100` or `10.0.0.55` and where the event action indicates a firewall denial. Such a filter can back a "Top Denied IPs" bar chart or a "Firewall Denials Over Time" area chart. Dashboards are built by saving such visualizations and arranging them on a single pane of glass.

What Undercode Say:

  • Hands-on Lab Building is Invaluable: Reconstructing a complex environment from scratch, as demonstrated, cements theoretical knowledge and builds irreplaceable troubleshooting skills that are directly transferable to production SOCs.
  • Automation is a Force Multiplier: The integration of SIEM and SOAR, even in a lab setting, showcases a significant reduction in Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), moving from manual analysis to automated, intelligent response.

The project underscores a critical evolution in cybersecurity roles: the shift from pure analyst to engineer. By mastering the setup and interoperability of core security technologies, professionals move beyond simply using tools to designing and maintaining the defensive infrastructure itself. This lab proves that the barrier to acquiring these high-value skills is not cost, but dedication, using freely available open-source tools to build an enterprise-grade monitoring system. The ability to automate the correlation of internal logs with external threat intelligence represents a foundational capability for any modern cybersecurity operation.

Prediction:

The democratization of SOC capabilities through open-source tools and detailed knowledge sharing will accelerate the maturity of cybersecurity postures globally. As SOAR platforms like n8n become more accessible, automated threat hunting and response will become the standard even for small and medium-sized businesses, not just large enterprises. This will force adversaries to innovate, leading to an arms race in evasion techniques against automated detection systems, ultimately pushing the industry towards more integrated AI-driven defense platforms that can adapt in real-time.

Reported By: Abdelwahab Ahmed – Hackers Feeds
Extra Hub: Undercode MoN