Go to the trial page https://cloud.elastic.co/registration?elektra=guide-welcome-cta and sign up for free. The general setup is very simple.
Once complete, Elastic.co will load the Kibana home page. From here choose "Add integrations", then locate "Network Packet Capture" and add it.
Following the instructions found on the tutorial page, install the Elastic Agent on your server.
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.6.2-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.6.2-linux-x86_64.tar.gz
cd elastic-agent-8.6.2-linux-x86_64
sudo ./elastic-agent install --url=https://#######################.fleet.europe-west2.gcp.elastic-cloud.com:443 --enrollment-token=##################################
The ElastiSIEM page will confirm the installation when the agent has finished installing. Move on to "Add the integration", choose to show advanced options, name the agent, then finalize the install.
The agent can be uninstalled by running sudo /Library/Elastic/Agent/elastic-agent uninstall (that path is the macOS install location; on Linux, where the tar.gz above is installed, the agent lives under /opt/Elastic/Agent, so the command is sudo /opt/Elastic/Agent/elastic-agent uninstall).
Auditbeat is used to monitor user activity.
Download:
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-8.6.2-amd64.deb
sudo dpkg -i auditbeat-8.6.2-amd64.deb
Modify /etc/auditbeat/auditbeat.yml
to add:
cloud.id: "ElastiSIEM:###################################=="
cloud.auth: "elastic:<password>"
Where <password> is the password of the elastic user. Then to finish the setup:
sudo auditbeat setup
sudo service auditbeat start
Then confirm the connection is active to finish the process.
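Two things a practitioner would want to tighten in the download and configuration steps above (both for the Elastic Agent tarball and for the Auditbeat .deb): checking the downloaded package against the .sha512 sidecar that artifacts.elastic.co publishes next to each file before installing it, and getting the elastic password into auditbeat.yml without typing it on the command line where it lands in shell history. The script below is an added example, not from the page or from Elastic; it assumes the package and its "<file>.sha512" sidecar sit in the current directory and that the password is provided in an ELASTIC_PASSWORD environment variable (a name chosen for this example). The cloud.id value "ElastiSIEM:PLACEHOLDER==" is a constructed placeholder, not a real deployment id.

```bash
#!/usr/bin/env bash
# Added example (not the page's or Elastic's own code): hardened helpers for the
# Auditbeat / Elastic Agent setup steps. Assumes a downloaded package plus its
# "<file>.sha512" sidecar, and the elastic password in $ELASTIC_PASSWORD.
set -euo pipefail

# SHA-512 of a file, using whichever tool the host has (sha512sum on Linux,
# shasum on macOS).
file_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Verify a downloaded artifact against its published sidecar (first field of
# the .sha512 file is the hex digest). Returns 0 on match, 1 otherwise, so the
# dpkg/tar step can be chained with && and never runs on a tampered file.
verify_sha512() {
  local pkg="$1" sums="${2:-$1.sha512}"
  [ -f "$pkg" ] && [ -f "$sums" ] || return 1
  local expected actual
  expected=$(awk 'NR==1{print $1}' "$sums")
  actual=$(file_sha512 "$pkg")
  [ "$expected" = "$actual" ]
}

# Write (or replace) cloud.id / cloud.auth in an auditbeat.yml. The password is
# read from $ELASTIC_PASSWORD (assumed variable) so it is never part of the
# command line; any earlier cloud.* lines are dropped so the edit is idempotent,
# and the rewritten file is readable by its owner only.
set_cloud_settings() {
  local yml="$1" cloud_id="$2" user="${3:-elastic}"
  : "${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD before calling set_cloud_settings}"
  [ -f "$yml" ] || return 1
  local tmp
  tmp=$(mktemp)
  grep -v -E '^cloud\.(id|auth):' "$yml" > "$tmp" || true
  printf 'cloud.id: "%s"\ncloud.auth: "%s:%s"\n' \
    "$cloud_id" "$user" "$ELASTIC_PASSWORD" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$yml"
}

# Read back the configured cloud.id, to confirm the edit took before
# running "auditbeat setup".
get_cloud_id() {
  sed -n 's/^cloud\.id: "\(.*\)"$/\1/p' "$1"
}

# Example invocation, after downloading the .deb and its .sha512 sidecar:
#   verify_sha512 auditbeat-8.6.2-amd64.deb && sudo dpkg -i auditbeat-8.6.2-amd64.deb
#   ELASTIC_PASSWORD='...' set_cloud_settings /etc/auditbeat/auditbeat.yml 'ElastiSIEM:PLACEHOLDER=='
#   get_cloud_id /etc/auditbeat/auditbeat.yml
```

The same verify_sha512 call works for the elastic-agent tar.gz: download the matching .sha512 file from the same artifacts URL and run the check before tar xzvf. Because set_cloud_settings strips existing cloud.id and cloud.auth lines before appending, it can be re-run safely when the password is rotated.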
https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-siem-security.html
https://www.elastic.co/guide/en/beats/auditbeat/8.6/auditbeat-installation-configuration.html