Kali Purple SOC

Kali Purple SOC: Part 5 – Installing and Configuring Metricbeat

Arion

May 14, 2023 — 2 min read

Installing Metricbeat

SSH Into Kali Purple VM

Download Metricbeat

curl -L -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-8.6.1-amd64.deb

sudo dpkg -i metricbeat-8.6.1-amd64.deb

Modify /etc/metricbeat/metricbeat.yml to set the connection information

sudo nano /etc/metricbeat/metricbeat.yml

for setup.kibana

host: "https://192.168.253.6"
  setup.kibana.ssl.enabled: true
  ssl.certificate_authorities: ["/etc/kibana/kibana-server_ca.crt"]
  setup.kibana.ssl.certificate: "/etc/kibana/kibana-server.crt"
  setup.kibana.ssl.key: "/etc/kibana/kibana-server.key"

for output.elasticsearch

hosts: ["https://192.168.253.6"]
  username: "elastic"
  password: "<your_password>"
  # If using Elasticsearch's default certificate
  ssl.ca_trusted_fingerprint: "<your_cert_fingerprint>"

To find the es cert fingerprint, open another terminal window and input this command:

sudo openssl x509 -fingerprint -sha256 -noout -in /etc/elasticsearch/certs/http_ca.crt | awk 'BEGIN { FS = "=" } ; { print $2 }' | sed 's/://g'

Enable and configure Elasticsearch module

sudo metricbeat modules enable elasticsearch

sudo nano /etc/metricbeat/modules.d/elasticsearch.yml

file should read:

# Module: elasticsearch
# Docs: https://www.elastic.co/guide/en/beats/metricbeat/main/metricbeat-module-elasticsearch.html

- module: elasticsearch
  #metricsets:
  #  - node
  #  - node_stats
  period: 10s
  hosts: ["https://192.168.253.6:9200"]
  username: "elastic"
  password: "<your_password>"

Enable and configure the elasticsearch-xpack module

sudo metricbeat modules enable elasticsearch-xpack

sudo nano /etc/metricbeat/modules.d/elasticsearch-xpack.yml

hosts: ["https://192.168.253.6:9200"]
  protocol: "https"
  username: "elastic"
  password: "<your_password>"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "<es_cert_fingerprint>"
    verification_mode: "certificate"

Start Metricbeat (this will take a few minutes)

sudo metricbeat test config

sudo metricbeat test modules

sudo metricbeat setup

sudo systemctl enable metricbeat --now

Go to the Elastic dashboard

Click Monitor the stack.

Click Ok

Click Enter setup mode

Click Stack Management

Follow the instructions in the screenshot below.

In the next part, we'll be Installing and Configuring Filebeat.

Kali Purple SOC: Part 6

Kali Purple SOC: Part 11 – Installing Kali Eminence VM and Elastic Agent

Setting Up the VM Follow along with the screenshots below to configure the VM. Add serial port Start the graphical install Go through the language and region setup, then follow along with the screenshots below. Reboot, then login Enable SSH for remote administration sudo apt-get install ssh -y sudo systemctl

Kali Purple SOC: Part 10 – Installing Greenbone Vulnerability Scanner

SSH Into Kali Violet VM Install Greenbone Vulnerability Scanner sudo apt update && sudo apt install -y gvm Setup Greenbone Vulnerability Scanner sudo gvm-setup this will take a while* Check config sudo gvm-check-setup Make GVM available on external interface sudo sed -e 's/127.0.0.1/0.0.0.0/

Kali Purple SOC: Part 9 – OpenCTI Installation and Setup

Installing OpenCTI SSH into Kali Violet VM Install dependencies sudo apt update && sudo apt install curl -y Install Docker sudo apt install docker.io -y sudo systemctl enable docker --now Manage Docker as a non-root user sudo usermod -aG docker $USER chmod 666 /var/run/docker.sock Install Portainer docker

Kali Purple SOC: Part 8 – Installing Kali Violet VM and Elastic Agent

Installing Kali Violet VM Follow the below screenshots in Proxmox Create a username and password. Select time zone. Reboot. From a terminal window, enable SSH sudo apt-get install ssh -y sudo systemctl enable ssh --now Install XRDP sudo apt update && sudo apt install xrdp -y sudo systemctl enable xrdp --now