
Elastic Stack

Centralised log ingestion, detection-as-code rules, and lab telemetry visualisation.

The BlackShield Core SIEM architecture relies on a self-hosted instance of the Elastic Stack (Elasticsearch, Logstash, Kibana, and Fleet Server) acting as the central nervous system of the cyber range.

Deployment Architecture

  • Elasticsearch (Hot/Warm/Cold architecture for cost-efficient long-term threat hunting).
  • Kibana (Exposed internally via Nginx reverse proxy).
  • Fleet Server (Manages Elastic Agents deployed on Windows endpoints and Linux containers).

Elastic Agents are deployed to all Active Directory domain controllers, workstations, and application servers. They are configured with the 'Endpoint Security', 'Windows', and 'System' integrations.

Custom Detection Engineering

The lab uses a custom CI/CD pipeline to convert Sigma rules into Elasticsearch DSL, which the pipeline then pushes directly to the Kibana Detection Engine via its API. This lets the lab simulate a threat, write a Sigma rule for it, and verify that the rule fires in real time, all within a short feedback loop.

```yaml
title: Suspicious PowerShell Download
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects powershell downloading payloads via net.webclient or invoke-webrequest.
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - 'DownloadString'
      - 'Invoke-WebRequest'
  condition: selection
level: high
```
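As an added illustration of the Sigma-to-Detection-Engine step (not the lab's own pipeline code), the following Python takes the rule above, already parsed into a dict, compiles its selection into an Elasticsearch bool query, and wraps it in the body Kibana expects at POST /api/detection_engine/rules. The Sigma-to-ECS field mapping (EventID to event.code, ScriptBlockText to powershell.file.script_block_text), the index pattern, and the severity-to-risk-score table are assumptions made for this example.

```python
import json

# Sigma rule from the page, as the dict a YAML parser would yield from the YAML above.
SIGMA_RULE = {
    "title": "Suspicious PowerShell Download",
    "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7",
    "description": "Detects powershell downloading payloads via net.webclient or invoke-webrequest.",
    "detection": {
        "selection": {"EventID": 4104,
                      "ScriptBlockText|contains": ["Net.WebClient", "DownloadString", "Invoke-WebRequest"]},
        "condition": "selection"},
    "level": "high",
}
# Assumed Sigma -> ECS field mapping for Script Block Logging shipped by the Elastic Windows integration.
FIELD_MAP = {"EventID": "event.code", "ScriptBlockText": "powershell.file.script_block_text"}
SEVERITY_SCORE = {"low": 21, "medium": 47, "high": 73, "critical": 99}  # assumed score table

def selection_to_dsl(selection):
    """AND every Sigma field; a '|contains' list becomes an OR of case-insensitive wildcards."""
    must = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        es_field = FIELD_MAP.get(field, field)
        values = value if isinstance(value, list) else [value]
        if modifier == "contains":
            should = [{"wildcard": {es_field: {"value": f"*{v}*", "case_insensitive": True}}}
                      for v in values]
            must.append({"bool": {"should": should, "minimum_should_match": 1}})
        elif modifier == "":
            must.append({"terms": {es_field: [str(v) for v in values]}})  # event.code is a keyword
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return {"bool": {"must": must}}

def sigma_to_kibana_rule(rule, index=("logs-windows.powershell*",)):
    """Body for POST /api/detection_engine/rules: a 'query' rule carrying the DSL as a filter."""
    if rule["detection"]["condition"] != "selection":
        raise ValueError("only the plain 'condition: selection' form is handled here")
    return {
        "rule_id": rule["id"], "name": rule["title"], "description": rule["description"],
        "type": "query", "language": "lucene", "query": "*",
        "filters": [{"query": selection_to_dsl(rule["detection"]["selection"])}],
        "index": list(index), "severity": rule["level"],
        "risk_score": SEVERITY_SCORE[rule["level"]],
        "interval": "5m", "from": "now-6m", "enabled": True,
    }

if __name__ == "__main__":
    # Inspect the generated body before the pipeline POSTs it (Kibana requires a kbn-xsrf header).
    print(json.dumps(sigma_to_kibana_rule(SIGMA_RULE), indent=2))
```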
NOTE
The entire deployment is managed via Terraform and Ansible, ensuring the SIEM can be wiped and re-provisioned from scratch within 12 minutes.