Ready to flex those cybersecurity muscles? In this guide, I’m going to show you how to set up a home lab using Elastic Stack for Security Information and Event Management (SIEM). We'll use the Elastic Web portal and a Kali Linux VM to make it all happen. Not only will you learn how to generate security events, set up an agent to forward that sweet, sweet data to the SIEM, but you'll also master querying and analyzing logs like a pro. Trust me, this project is the kind of thing that’ll make your resume pop and give you some serious bragging rights in interviews.

What You Need Before We Dive In

Before we jump in, make sure you've got the following essentials:

  • VirtualBox or VMware: Your trusty sidekicks for virtualization.
  • Basic Linux and Virtualization Skills: Not your first rodeo with Linux and virtual machines? Perfect.

Task 1: Spin Up Your Elastic Account

First things first: we need an Elastic account to get our cloud-based SIEM rocking.

  1. Sign up for a free trial at Elastic Cloud.
  2. Once you’re in, log in to the Elastic Cloud console at Elastic Cloud.
  3. Hit “Start your free trial.”
  4. Next, “Create Deployment,” and pick Elasticsearch as your go-to type.
  5. Choose your region, deployment size, and then click “Create Deployment.”
  6. Hang tight while the magic happens.
  7. When it’s done, hit “Continue.”

Task 2: Get the Agent Rolling

The Elastic Agent is like your SIEM’s personal assistant, collecting logs and feeding them back to your Elastic instance.

  1. Log into your Elastic SIEM and head over to Add Integrations via the Kibana menu.

  2. Search for “Elastic Defend” and click to open the page.

  3. Smash that “Install Elastic Defend” button and follow the prompts. Elastic Defend rides on Elastic Agent, so this is the step that puts the agent on your Kali VM.

  4. Copy the Linux command they give you and paste it into your Kali terminal. The command downloads the agent and enrolls it into your deployment, so the VM needs outbound internet access (NAT networking in VirtualBox or VMware is enough).

  5. Wait a few minutes, and you’ll see “Elastic Agent has been successfully installed.” Logs will start flowing soon after.

  6. To confirm the agent is alive, run sudo elastic-agent status in the Kali terminal; it should report HEALTHY. Back in Kibana, Fleet > Agents should list the host as well.

Task 3: Make Some Noise (Generate Security Events)

Time to create some security events to make sure there are some logs that we can analyze. We’ll use Nmap and Hydra to simulate an attack.

1. From the Kali terminal, run a few Nmap scans against a target in your lab (another VM, or the Kali VM’s own IP). The SYN scan (-sS) needs raw sockets, so run it with sudo:

sudo nmap -sS <ip address>
nmap -sT <ip address>
nmap -p- <ip address>

2. Then run a short SSH password-guessing attempt with Hydra. Note the uppercase -P, which takes a password list; lowercase -p is a single password:

hydra -l mrkk -P passwords.txt ssh://<ip of the machine> -t 4

The agent is watching the Kali host itself, so it records the nmap and hydra process executions and their network activity whichever target you pick.

These scans will generate security events that your SIEM will pick up, like a boss.

Task 4: Hunt Down Those Events in Elastic SIEM

Now that you've flooded your SIEM with logs, let's find them.

Inside your Elastic deployment, click on the menu icon (three lines) and navigate to “Logs” under Observability.

Filter logs by using a KQL search query on the process name, like:

process.name: "hydra"

Hit “Search.” Your results should show up below. Mind the field name: on Elastic Defend’s process events, event.action holds the kind of event (exec, fork, end), so a query like event.action: "hydra" returns nothing. The tool name lives in process.name and the full command line in process.args.


Note: If nothing shows up right away, give it a bit of time. The logs are just playing hard to get.

Task 5: Visualize the Chaos

Now, let’s make those logs pretty with some dashboards.

Go back to the Elastic portal, and this time head to “Dashboards” under Analytics.

Click “Create dashboard” in the top right.

Add a new visualization by selecting “Create Visualization” and choose Area or Line depending on your vibe.

In the Metrics section, set it up so that you’re showing Count for the vertical axis and @timestamp (a date histogram) for the horizontal. The spikes should line up with the minutes you ran nmap and hydra.

Save your masterpiece and admire your work.

Task 6: Set Up Alerts and Never Miss a Thing

Finally, let’s set up alerts so you can get a heads-up whenever something fishy happens.

Go to “Alerts” under Security.

Click “Manage rules” and then “Create new rule.”


On the Create new rule page, select Custom query and scroll down.

In the Custom query field, type the query you want to alert on. For this I’ll use process.name: "nmap", which matches every Nmap run the agent sees on the Kali host. Type it in and scroll down.

On the About rule page, give the rule a name, a description, a severity and a risk score, then scroll down.

On the Schedule rule page, set how often the rule runs and how far back each run looks (make the look-back a little longer than the interval so events that land between runs aren’t missed), then scroll down.

On the Rule actions page you’ll find many services you can use to get notified when the rule triggers: email, Slack, Jira, Microsoft Teams and so on.

We’ll use the Elastic Defend integration we already installed instead. It adds a response action that runs when the alert fires, such as isolating the host. One caveat: in this lab the alerting host is also the attacking host, so isolation cuts your Kali VM off from everything except Elastic; release it afterwards with “Release host” from the alert.

Click “Create and enable rule.”

Congrats! Now your SIEM will keep a lookout for Nmap scans and let you know when they happen.
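To make it concrete what the search in Task 4, the count-over-time chart in Task 5 and the rule in Task 6 actually compute, here is an added example that models them offline. This is my own illustration, not Elastic’s code: it implements a toy subset of KQL (field: value terms joined by AND), a per-minute count, a custom query rule and a threshold rule, and runs them over constructed ECS-style events. The event shapes are simplified from what Elastic Defend and an SSH auth log produce, and the rule parameters (names, severity, risk score, look-back) are assumptions.

```python
"""Offline model of the Elastic SIEM steps in Tasks 4-6: a KQL-style search,
the count-over-time the dashboard plots, and the custom-query and threshold
rule logic. Added example, not Elastic's code; the events are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed events using ECS field names. The three process events mimic
# what Elastic Defend emits for program execution on the Kali host (note that
# event.action is "exec" and the tool name lives in process.name); the
# authentication events mimic an SSH target's auth log while Hydra is guessing.
EVENTS = [
    {"@timestamp": "2024-05-01T10:00:05Z", "event.category": "process",
     "event.action": "exec", "process.name": "nmap",
     "process.args": ["nmap", "-sS", "10.0.0.5"], "host.name": "kali"},
    {"@timestamp": "2024-05-01T10:00:40Z", "event.category": "process",
     "event.action": "exec", "process.name": "nmap",
     "process.args": ["nmap", "-p-", "10.0.0.5"], "host.name": "kali"},
    {"@timestamp": "2024-05-01T10:01:10Z", "event.category": "process",
     "event.action": "exec", "process.name": "hydra",
     "process.args": ["hydra", "-l", "mrkk", "-P", "passwords.txt", "ssh://10.0.0.5"],
     "host.name": "kali"},
] + [
    {"@timestamp": f"2024-05-01T10:01:{11 + i:02d}Z", "event.category": "authentication",
     "event.action": "ssh_login", "event.outcome": "failure",
     "source.ip": "10.0.0.7", "user.name": "mrkk", "host.name": "target"}
    for i in range(6)
]

# One KQL term: field, then ':' and either a quoted or a bare value.
TERM = re.compile(r'([\w.@]+)\s*:\s*(?:"([^"]*)"|(\S+))')


def parse_kql(query):
    """Parse the KQL subset used in this lab (terms joined by AND)."""
    terms = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = TERM.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported KQL term: {part!r}")
        terms.append((m.group(1), m.group(2) if m.group(2) is not None else m.group(3)))
    return terms


def matches(event, terms):
    """True when every term matches. A missing field never matches; a
    list-valued field (e.g. process.args) matches if any element equals it."""
    for field, value in terms:
        actual = event.get(field)
        if actual is None:
            return False
        if isinstance(actual, list):
            if value not in actual:
                return False
        elif str(actual) != value:
            return False
    return True


def search(query, events=EVENTS):
    """Task 4: what the Logs search box returns for a KQL query."""
    terms = parse_kql(query)
    return [e for e in events if matches(e, terms)]


def count_per_minute(events=EVENTS):
    """Task 5: the Count over @timestamp series behind the area/line chart,
    bucketed per minute (key is the minute prefix of the ISO timestamp)."""
    return Counter(e["@timestamp"][:16] for e in events)


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def run_custom_query_rule(rule, events=EVENTS):
    """Task 6: a Security 'custom query' rule. Every matching event inside the
    look-back window becomes its own alert carrying the rule metadata."""
    window_start = max(_ts(e) for e in events) - rule["lookback"]
    terms = parse_kql(rule["query"])
    return [
        {"rule": rule["name"], "severity": rule["severity"],
         "risk_score": rule["risk_score"], "@timestamp": e["@timestamp"],
         "host.name": e["host.name"]}
        for e in events
        if _ts(e) >= window_start and matches(e, terms)
    ]


def run_threshold_rule(rule, events=EVENTS):
    """A 'threshold' rule: group matches by a field and alert once per group
    that reaches the threshold. This is the better shape for Hydra traffic,
    which is many near-identical failures from one source."""
    window_start = max(_ts(e) for e in events) - rule["lookback"]
    terms = parse_kql(rule["query"])
    groups = defaultdict(int)
    for e in events:
        if _ts(e) >= window_start and matches(e, terms) and rule["group_by"] in e:
            groups[e[rule["group_by"]]] += 1
    return [
        {"rule": rule["name"], "severity": rule["severity"],
         rule["group_by"]: key, "count": n}
        for key, n in groups.items() if n >= rule["threshold"]
    ]


# Assumed rule definitions (names, severity, risk score and look-back are mine).
NMAP_RULE = {"name": "Nmap scan on lab host", "query": 'process.name: "nmap"',
             "severity": "medium", "risk_score": 47,
             "lookback": timedelta(minutes=10)}
SSH_BRUTE_RULE = {"name": "SSH brute force",
                  "query": "event.category: authentication and event.outcome: failure",
                  "group_by": "source.ip", "threshold": 5, "severity": "high",
                  "lookback": timedelta(minutes=10)}

if __name__ == "__main__":
    print(len(search('event.action: "hydra"')), "hits for event.action: hydra")  # 0
    print(len(search('process.name: "hydra"')), "hits for process.name: hydra")  # 1
    print(dict(count_per_minute()))
    print(run_custom_query_rule(NMAP_RULE))
    print(run_threshold_rule(SSH_BRUTE_RULE))
```

Two things worth noticing when you run it: the event.action query finds nothing while process.name finds the Hydra execution, which is exactly the field mix-up that makes a freshly written rule silently never fire; and the custom query rule produces one alert per Nmap run, whereas the threshold rule collapses six SSH failures into a single alert per source address, which is what you want for brute-force noise.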

Wrapping It Up

And there you have it! You've just built a home lab using Elastic SIEM and Kali Linux. You’ve set up an agent, generated security events, analyzed logs, created dashboards, and set up alerts—all in a day's work. This lab is an awesome sandbox to practice your security chops and get ready for the real world.

Next Steps

  • Experiment with different security events and see what you can uncover in Elastic SIEM.
  • Test out your alerts by triggering Nmap scans on your Kali VM.
  • Dive deeper into Elastic SIEM’s analysis and visualization tools to get a real handle on your security logs.
  • Explore integrations with cloud providers like AWS or Azure to take your SIEM skills to the next level.

Thanks for hanging out! I hope this guide helped you level up your security game. This is mr1diot signing off until next time Happy Hacking!