Elastic Security Lab is a laboratory environment designed for security analysts (SOC / Threat Hunters) to practice log ingestion, analysis, and detection using Elasticsearch, Kibana, and Filebeat.
It includes a functional architecture, training datasets, and a ready-to-use ingestion pipeline for local environments.
- Docker
- Docker Compose
- WSL2 (Windows only)
- Git
```bash
git clone https://github.com/beathunterzero/elastic-security-lab.git
cd elastic-security-lab
```
Before starting, generate a new password for kibana_system:
```bash
docker exec -it elasticsearch bin/elasticsearch-reset-password -u kibana_system
```
Then update the corresponding variable in docker-compose.yml:
```
ELASTICSEARCH_PASSWORD=<generated_password>
```
Create the dataset directories and start the stack:
```bash
mkdir -p datasets/windows datasets/linux datasets/aws datasets/azure datasets/firewall
docker-compose up -d
```
Default access:
http://localhost:5601
Initial credentials:
username: elastic
password: changeme
Place files in the corresponding paths:
- datasets/windows/
- datasets/linux/
- datasets/aws/
- datasets/azure/
Filebeat will automatically process the logs and send them to Elasticsearch.
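An example filebeat.yml for this directory layout, added here as an illustration and not the project's own configuration. It assumes docker-compose mounts ./datasets at /datasets inside the Filebeat container, that the AWS and Azure files are newline-delimited JSON, and that Filebeat's Elasticsearch credentials are supplied through the ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD environment variables rather than written into the file:

```yaml
# Assumed filebeat.yml for the lab (example, not the repository's file).
# Assumes ./datasets is mounted at /datasets and that AWS/Azure exports are
# newline-delimited JSON; each input is tagged so it can be filtered in Kibana.
filebeat.inputs:
  - type: filestream
    id: windows-events
    paths: ["/datasets/windows/*.json"]
    parsers:
      - ndjson:
          target: ""
          add_error_key: true
    tags: ["windows"]

  - type: filestream
    id: linux-auth
    paths: ["/datasets/linux/*.log"]
    tags: ["linux"]

  - type: filestream
    id: aws-cloudtrail
    paths: ["/datasets/aws/*.json"]
    parsers:
      - ndjson:
          target: "aws"
          add_error_key: true
    tags: ["aws"]

  - type: filestream
    id: azure-activity
    paths: ["/datasets/azure/*.json"]
    parsers:
      - ndjson:
          target: "azure"
          add_error_key: true
    tags: ["azure"]

  - type: filestream
    id: firewall
    paths: ["/datasets/firewall/*.log"]
    tags: ["firewall"]

# Credentials are read from the environment so no password lives in the file;
# ${VAR:default} falls back to the default when the variable is unset.
output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  username: "${ELASTICSEARCH_USERNAME:elastic}"
  password: "${ELASTICSEARCH_PASSWORD}"

setup.kibana:
  host: "http://kibana:5601"
```

In Discover, filtering on `tags: windows` (or any other tag above) isolates one dataset, and `error.message` set by `add_error_key` shows which lines failed to parse as JSON.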
Create a Data View with the pattern:
```
filebeat-*
```
This enables:
- Discover
- Dashboards
- Lens
Path in Kibana:
Stack Management → Security → Users
Recommended roles:
- kibana_admin
- monitoring_user
- viewer
```
elastic-security-lab/
│
├── datasets/
│
├── filebeat/
│   └── filebeat.yml
│
├── docs/
│   ├── architecture/
│   └── procesos/
│
├── docker-compose.yml
└── README.md
```
The lab uses public datasets for training:
- Windows Event Logs
- Linux auth logs
- AWS CloudTrail / GuardDuty
- Azure Activity / Sign-In
- Firewall logs
This project is intended for local environments and educational purposes.
It does not include sensitive data or production configurations.
MIT
beathunterzero
Cyber Threat Hunting & Security