Upgrading My Home Lab: Adding a SIEM Stack on a Budget

18 November 2025 | 3 min read | justruss.tech

After running a basic VM setup for about a year, the next step was proper log centralisation, so that practice could involve realistic threat-hunting workflows across multiple data sources rather than running individual tools in isolation. The constraint was no new hardware: everything had to run on the existing server.

Hardware and stack choice

The server is a Dell PowerEdge R730 with 32GB RAM and eight cores. After evaluating Splunk Free, the Elastic Stack, and Graylog, Elastic won for practical reasons: it appears most frequently in security job descriptions, Elastic Agent handles Windows telemetry collection well out of the box, and the fleet management interface simplifies agent deployment across multiple VMs.

Docker compose setup

# Host prerequisite on Linux before the first start: sysctl -w vm.max_map_count=262144
version: "3"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
    container_name: elasticsearch   # fixed name so the docker exec command below resolves
    environment:
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms4g -Xmx4g
      - xpack.security.enabled=true
      # Without this, 8.x auto-configures TLS on 9200 and Kibana's plain http:// URL below
      # is refused. Plaintext between containers is tolerable only on the isolated lab network.
      - xpack.security.http.ssl.enabled=false
      - ELASTIC_PASSWORD=changeme   # sets the elastic superuser only; lab placeholder value
    volumes:
      - esdata:/usr/share/elasticsearch/data
    ports:
      - "9200:9200"
  kibana:
    image: docker.elastic.co/kibana/kibana:8.11.0
    environment:
      # 8.x reads ELASTICSEARCH_HOSTS (elasticsearch.hosts); ELASTICSEARCH_URL is the pre-7.0 name
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      # kibana_system has no usable password until it is reset (see the command below)
      - ELASTICSEARCH_PASSWORD=changeme
      # Fleet needs a persistent saved-objects encryption key (any 32+ character string)
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=replace-with-32-plus-random-characters
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch
volumes:
  esdata:

After docker compose up -d, set the kibana_system password. The -i flag prompts for the value instead of printing a generated one; enter the same value as ELASTICSEARCH_PASSWORD in the compose file, then restart Kibana so it picks it up:

docker exec -it elasticsearch bin/elasticsearch-reset-password -u kibana_system -i
docker compose restart kibana

Sysmon configuration additions for lab use

The SwiftOnSecurity template serves as the base, with two additions: log every access to lsass.exe regardless of the source process, and log all DNS queries, dropping the Microsoft hostname exclusions that the default template carries. In a lab you want to see your own tooling make network requests, not have them silently excluded.

<!-- Merge into the template's existing ProcessAccess include group rather than adding a second one -->
<ProcessAccess onmatch="include">
  <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
</ProcessAccess>
<!-- Second addition: an exclude rule with no filters logs every DNS query (Sysmon event ID 22) -->
<DnsQuery onmatch="exclude"></DnsQuery>

Getting Windows telemetry into Elastic

# On each Windows VM (admin PowerShell), run from the extracted elastic-agent folder.
# --insecure skips verification of Fleet Server's self-signed certificate; tolerable in the lab,
# otherwise pass --certificate-authorities=<path-to-ca.crt> instead.
.\elastic-agent.exe install --url=https://172.16.10.10:8220 `
  --enrollment-token=TOKEN_FROM_FLEET_UI `
  --insecure

After enrollment, Security events, Sysmon events, and PowerShell operational logs appear in Kibana within about 30 seconds. The Windows integration in Fleet handles all field mapping automatically so Sysmon process names, hashes, and network connection fields land in the correct ECS fields without manual index template work.

Zeek integration

# Zeek must emit JSON logs for the Filebeat module to parse them; in local.zeek add:
#   @load policy/tuning/json-logs.zeek
zeekctl deploy
zeekctl status

# Filebeat with the Zeek module pointing at the log directory
# (output.elasticsearch and setup.kibana in filebeat.yml already point at the stack):
filebeat modules enable zeek
# in modules.d/zeek.yml, enable the log types wanted and set var.paths to Zeek's current log dir
filebeat setup -e          # loads the module's ingest pipelines and dashboards
systemctl restart filebeat

Having Windows endpoint telemetry and network flow data in the same Kibana instance, queryable together by time range, is what makes this useful for building realistic detection scenarios rather than just having individual tools installed in isolation.
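The cross-source pivot the paragraph above describes, as an added example rather than code from the original post: a Python script over constructed ECS-shaped documents (field names as the Fleet Windows integration and the Filebeat Zeek module emit them; hostnames, IPs, process paths and domains are made up) that takes each Sysmon event 10 access to lsass.exe and lists the Zeek DNS queries the same host made within a time window, joining Windows host.ip to Zeek source.ip because endpoint and network logs share no hostname field.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents in the ECS shape the Fleet Windows integration (Sysmon event 10)
# and the Filebeat Zeek module (dns.log) produce. Field names are real; every value is made up.
DOCS = [
    {"@timestamp": "2025-11-18T10:00:05Z", "event.code": "10", "host.name": "WIN10-LAB",
     "host.ip": ["172.16.10.50"], "process.executable": "C:\\Lab\\testtool.exe",
     "winlog.event_data.TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"@timestamp": "2025-11-18T10:00:07Z", "event.code": "10", "host.name": "WIN10-LAB",
     "host.ip": ["172.16.10.50"], "process.executable": "C:\\Windows\\explorer.exe",
     "winlog.event_data.TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"@timestamp": "2025-11-18T10:00:20Z", "event.dataset": "zeek.dns",
     "source.ip": "172.16.10.50", "dns.question.name": "files.lab-test.invalid"},
    {"@timestamp": "2025-11-18T10:00:10Z", "event.dataset": "zeek.dns",
     "source.ip": "172.16.10.51", "dns.question.name": "other-host.lab-test.invalid"},
    {"@timestamp": "2025-11-18T10:09:00Z", "event.dataset": "zeek.dns",
     "source.ip": "172.16.10.50", "dns.question.name": "late.lab-test.invalid"},
]

def parse_ts(value):
    """ECS @timestamp is ISO 8601 UTC; rewrite the trailing Z so fromisoformat accepts it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def lsass_access_events(docs):
    """Sysmon event 10 rows whose TargetImage is lsass.exe, whatever the source process."""
    return [d for d in docs
            if d.get("event.code") == "10"
            and d.get("winlog.event_data.TargetImage", "").lower().endswith("\\lsass.exe")]

def dns_queries_near(docs, event, window_s=60):
    """Zeek DNS queries from the same host (host.ip joined to source.ip) within +/- window_s."""
    centre = parse_ts(event["@timestamp"])
    window = timedelta(seconds=window_s)
    return sorted(
        d["dns.question.name"] for d in docs
        if d.get("event.dataset") == "zeek.dns"
        and d.get("source.ip") in event.get("host.ip", [])
        and abs(parse_ts(d["@timestamp"]) - centre) <= window)

def correlate(docs, window_s=60):
    """One record per lsass access: which process touched lsass and what that host resolved."""
    return [{"host": e["host.name"], "process": e["process.executable"],
             "queries": dns_queries_near(docs, e, window_s)}
            for e in lsass_access_events(docs)]

if __name__ == "__main__":
    for hit in correlate(DOCS):          # prints the single WIN10-LAB record
        print(hit)
```

Widening the window to ten minutes pulls in the later query from the same host while the other host's query stays excluded, which is the same effect as dragging the Kibana time picker.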