Phase 1 – Set up the Infrastructure!

  • Created a dedicated Ubuntu Server VM in Parallels for Elastic SIEM
  • Installed Elasticsearch
  • Installed and configured Kibana
  • Confirmed dashboard access via browser

Step 1: Prep the System

  • Updated the package list, upgraded installed packages, and installed the tools needed to fetch and trust signed repositories (curl, HTTPS transport, CA certificates, gnupg)
  • sudo apt update
    sudo apt upgrade -y
    sudo apt install -y curl apt-transport-https ca-certificates gnupg

Step 2: Add Elastic GPG Key

  • Downloaded Elastic’s official signing key and stored it in a dedicated keyring so APT can verify that packages are authentic and refuse tampered ones
  • curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
    sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg

Step 3: Add Elastic APT Repository

  • Added the Elastic 8.x repository as a package source, pinned to the keyring from Step 2 via signed-by so APT only accepts packages signed with that key
  • echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | \
    sudo tee /etc/apt/sources.list.d/elastic-8.x.list

Step 4: Update Repository List

  • Refreshed the package list to include the new Elastic repository
  • sudo apt update

Step 5: Install Elasticsearch

  • Installed Elasticsearch, the backend that stores and indexes the logs
  • sudo apt install -y elasticsearch

Step 6: Enable and Start Elasticsearch

  • Reloaded systemd, enabled the service to start at boot, and started Elasticsearch
  • sudo systemctl daemon-reload
    sudo systemctl enable elasticsearch
    sudo systemctl start elasticsearch

Step 7: Verify Elasticsearch

  • Verified that Elasticsearch is running
  • sudo systemctl status elasticsearch

Step 8: Generate / Reset Elastic Password

  • Generated a new password for the built-in elastic superuser account
  • sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Step 9: Install Kibana

  • Installed Kibana, the web dashboard interface
  • sudo apt install -y kibana

Step 10: Enable & Start Kibana

  • Enabled Kibana to start on boot and started the service
  • sudo systemctl enable kibana
    sudo systemctl start kibana

Step 11: Verify Kibana Running

  • Verified that Kibana is running
  • sudo systemctl status kibana

Step 12: Allow remote access to Kibana

  • Allowed Kibana to accept remote connections so the dashboard is accessible from my Mac browser
  • sudo nano /etc/kibana/kibana.yml
  • Find the line #server.host: "localhost", remove the leading # to uncomment it, and change the value so the line reads server.host: "0.0.0.0". This makes Kibana listen on every interface of the VM instead of only loopback; Kibana reads the file at startup, so the change takes effect after sudo systemctl restart kibana.

Step 13: Generate Kibana Enrollment Token

  • Created a one-time enrollment token that lets Kibana connect to Elasticsearch and trust its TLS certificate
  • sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
  • Pasted the token into the prompt shown in the browser

Step 14: Get the Kibana Verification Code

  • Got the verification code to confirm the server’s identity and complete the enrollment process
  • sudo /usr/share/kibana/bin/kibana-verification-code

Step 15: Access Kibana Dashboard

  • Accessed the Kibana dashboard from my Mac browser
  • https://<KIBANA_VM_IP>:5601
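
A post-install check for the setup above, written as an added example (my own script, not part of the original notes). The file paths are the ones the steps use; the function names and the ELASTIC_PASSWORD environment variable are assumptions of mine. Offline it only checks the files that Steps 2, 3 and 12 produce; with --live it also checks the services on the VM.

```shell
#!/bin/sh
# Post-install checks for the lab above. Added example, not part of the original
# notes: paths are the ones the steps use, the function names and the
# ELASTIC_PASSWORD variable are my own assumptions.

# Step 2: the dearmored keyring must exist and be non-empty.
check_keyring() {
    [ -s "$1" ]
}

# Step 3: the source line must be HTTPS and pinned to that keyring with
# signed-by; without the pin apt has nothing to verify Elastic's signatures against.
check_apt_source() {
    grep -Eq '^deb \[signed-by=/usr/share/keyrings/elastic-keyring\.gpg\] https://artifacts\.elastic\.co/packages/8\.x/apt stable main$' "$1"
}

# Step 12: print the effective (uncommented) server.host from kibana.yml;
# exit status 1 if the line is still commented out or missing.
kibana_server_host() {
    sed -n 's/^[[:space:]]*server\.host:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" \
        | tail -n 1 | grep .
}

# Steps 7, 11 and 15: live checks that need the running VM (skipped offline).
check_services() {
    for svc in elasticsearch kibana; do
        systemctl is-active --quiet "$svc" || { echo "$svc is not active" >&2; return 1; }
    done
    # Elasticsearch 8 enables TLS by default; trust its generated CA rather than using curl -k.
    curl -fsS --cacert /etc/elasticsearch/certs/http_ca.crt \
        -u "elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD first}" \
        https://localhost:9200/ >/dev/null
}

# Run on the VM with: sh check_elastic_lab.sh --live
if [ "${1:-}" = "--live" ]; then
    check_keyring /usr/share/keyrings/elastic-keyring.gpg || { echo "keyring missing" >&2; exit 1; }
    check_apt_source /etc/apt/sources.list.d/elastic-8.x.list || { echo "apt source not pinned" >&2; exit 1; }
    host=$(kibana_server_host /etc/kibana/kibana.yml) || { echo "server.host still commented" >&2; exit 1; }
    check_services || exit 1
    if [ "$host" = "0.0.0.0" ]; then
        echo "note: Kibana listens on all interfaces; limit TCP 5601 to the lab network with a host firewall"
    fi
    echo "all checks passed (Kibana bound to $host)"
fi
```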

Coming Next

    Phase 2 will cover Elastic Agent deployment on the target endpoint, log ingestion, and attack simulation. Phase 3 will focus on custom detection rules (KQL), MITRE ATT&CK mapping, and alert investigation in Kibana. I’ll update this page as each phase is completed.