This repository contains content and scripts for setting up an Elasticsearch and Kibana environment with logs of a Windows system on which some typical attack tools were executed.
The logs contain events from Sysmon 8.0 in the SwiftOnSecurity configuration in addition to the default Windows system, security and application logs.
In addition, the Sigma repository is included as a Git submodule. Clone this repository as follows to get everything at once:
git clone --recursive
The workshop environment was tested successfully under Linux Mint 18.3 and should therefore also work with Ubuntu 16.04. You need Docker CE installed from the Docker package sources. Make sure you install the docker-ce package and avoid the old packages docker, docker-engine and
First, the Elasticsearch/Kibana stack has to be started with Docker compose:
docker-compose up
This takes a while. Please wait until the environment is running. You can verify this by opening Kibana in your browser: if no errors regarding the availability of Elasticsearch are shown, the environment should be ready.
WARNING: Running the script mentioned below destroys any existing Kibana configuration! Don't use it on production systems or anywhere you don't want this to happen!
Install the index templates, the log index and the Kibana configuration index by running
If you plan to use an existing Elasticsearch installation for this workshop, you can also pass the host and port as the first command-line parameter: ./ elk:9201
Sigma requires Python 3.6 and PyYAML. Under Ubuntu, these can be installed with (as root):
apt-get install python3 python3-yaml
With an existing Python 3 installation, the dependencies can be installed with:
pip3 install -r sigma/tools/requirements.txt
In addition, PyMISP is required for the sigma2misp tool. It can be installed with
pip3 install pymisp
pip3 install -r sigma/tools/requirements-misp.txt
If you don't want to mess with your system Python installation, you can also work from a virtual environment. Sigma supports Pipenv. Run the following command from the Sigma directory to set up and activate a virtual environment with all dependencies installed:
pipenv shell
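As an added illustration of what the Sigma tooling installed above does (this is example code written for this README, not sigmac or any other script from the Sigma repository), the following Python snippet converts a small, constructed Sigma-style rule for Sysmon process-creation events into a Kibana query_string expression. It covers only a subset of Sigma (the endswith/startswith/contains field modifiers, list values as OR, and and/or/not in the condition) and takes the rule as the dict that PyYAML's safe_load would return, so it runs without the Sigma dependencies. The field names are assumed to match the raw Sysmon event fields; a real sigmac run applies a field-mapping configuration instead.

```python
"""Minimal Sigma-style detection to Kibana query_string converter.

Added illustration only: this is NOT sigmac from the Sigma repository.
It implements a small subset of the Sigma detection semantics so the
structure of a rule is visible end to end: dict entries are ANDed,
list values are ORed, and 'and'/'or'/'not' in the condition combine
the named searches.
"""
import re

# Constructed example rule, written as the dict PyYAML's safe_load would
# produce from a Sigma YAML file. Field names follow the Sysmon
# process-creation event (EventID 1) present in the workshop logs.
EXAMPLE_RULE = {
    "title": "Reconnaissance via whoami or net (constructed example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|endswith": ["\\whoami.exe", "\\net.exe"],
        },
        "filter": {
            "ParentImage|endswith": "\\explorer.exe",
        },
        "condition": "selection and not filter",
    },
}

# Characters with special meaning in the Lucene query_string syntax.
LUCENE_SPECIALS = re.compile(r'(&&|\|\||[+\-!(){}\[\]^"~*?:\\/])')


def escape_value(value):
    """Escape Lucene query_string special characters in a literal value."""
    return LUCENE_SPECIALS.sub(lambda m: "\\" + m.group(0), str(value))


def render_value(field_spec, value):
    """Turn 'Field|modifier' plus one value into a field:term clause."""
    field, _, modifier = field_spec.partition("|")
    escaped = escape_value(value)
    if modifier == "endswith":
        term = f"*{escaped}"
    elif modifier == "startswith":
        term = f"{escaped}*"
    elif modifier == "contains":
        term = f"*{escaped}*"
    elif modifier == "":
        term = escaped
    else:
        raise ValueError(f"unsupported modifier: {modifier}")
    return f"{field}:{term}"


def render_search(search):
    """Render one named search (field -> value or list of values).

    Fields are ANDed; a list of values for one field is ORed.
    """
    clauses = []
    for field_spec, values in search.items():
        if not isinstance(values, list):
            values = [values]
        alternatives = [render_value(field_spec, v) for v in values]
        if len(alternatives) == 1:
            clauses.append(alternatives[0])
        else:
            clauses.append("(" + " OR ".join(alternatives) + ")")
    if len(clauses) == 1:
        return clauses[0]
    return "(" + " AND ".join(clauses) + ")"


def convert(rule):
    """Convert a parsed rule into a query_string expression."""
    detection = rule["detection"]
    rendered = {name: render_search(search)
                for name, search in detection.items() if name != "condition"}
    out = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            out.append(token.upper())
        elif token in rendered:
            out.append(rendered[token])
        else:
            # Aggregations, '1 of them', parentheses etc. are not handled here.
            raise ValueError(f"unknown condition token: {token}")
    return " ".join(out)


if __name__ == "__main__":
    print(convert(EXAMPLE_RULE))
```

Paste the printed expression into the query bar of Kibana's Discover view and restrict the time picker to the workshop time frame to see which process-creation events it matches. Note that the leading wildcards produced by endswith are cheap on the small workshop index but expensive on large production indices, which is one reason sigmac can emit other query styles and applies field mappings from a configuration file.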
For the hands-on exercises with sigma2misp, a MISP instance is required. I can recommend the MISP dockerized project from DCSO. Run the following commands and answer the questions asked to install one:
git clone
cd MISP-dockerized
make install
The logs cover the time frame from 14:45 to 15:20 on 2019-09-19 and can be viewed in Kibana.