Lab 2.2: Fleet and Elastic Agent enrollment
Est. Time: 30 minutes
Goals:
- Boot your Windows VM
- Set up Fleet
- Create an agent policy and add an agent
- Deploy the Elastic agent to the VM
- Install the Windows integration
Instructions
- Please begin by booting up your Windows VM that was provided with the class (either the raw VM, or CloudLabs). We aren’t going to use it yet, but that way it’s ready when you need it. Also make sure you can copy and paste to that VM. You won’t want to be typing commands manually.
- As mentioned previously, the credentials for the VM/CloudLabs are:
  - CloudLabs Username: Administrator
  - Password: S0C!tToTh3m
- This lab also includes some extra time in case you forgot to download or set up the VM ; )
- On your host machine (not the VM), log onto your Elastic instance. If prompted whether to log in with ElasticSearch or Elastic Cloud, always go with Cloud. This is how we created the account.
- You should be on the main page of Elastic now. Let’s configure some logging!
- On the settings menu, select “More” and then make your way to “Agents”.
- On the “Agents” tab select “Add agent”.
- Name your new agent policy whatever you like, and don’t mess with any of the advanced options. Click “Create policy”.
- Once the policy is created some other data will show up on this screen for you. Let’s walk through it:
- “Enroll in Fleet?” – Leave this as recommended
- “Install Elastic Agent on your host” – this is the command you’ll need to run on the host to set up the Elastic Agent. You’ll note that it says this command installs, enrolls, and starts the agent. I’ll explain the command in greater detail below.
- Move over to the Windows section; this is the command we’ll need if you’re using the Windows VM provided. Please remember that if you are using a different host for your labs besides the provided VM, your experience and the lab instructions may differ slightly from here on out. Another host may generate different logs or behave differently than the labs assume.
- Copy the Windows command and return to your VM. Open up a PowerShell window as Administrator and run the command.
- Important note: Sometimes the tool you use to connect to your VM through the browser pastes things in reverse order. Make sure your command is in the same order as you see it in Elastic. If you’re running into that issue, go line by line, use Guacamole’s clipboard panel, or paste as a single line.
- The command explained:
  - `$ProgressPreference = 'SilentlyContinue'` - Suppresses progress bars from displaying, making the output look cleaner.
  - `Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.12.2-windows-x86_64.zip -OutFile elastic-agent-8.12.2-windows-x86_64.zip` - Downloads the Elastic Agent and specifies where to place the file.
  - `Expand-Archive .\elastic-agent-8.12.2-windows-x86_64.zip -DestinationPath .` - Unzips the Elastic Agent file and places it in the current directory.
  - `cd elastic-agent-8.12.2-windows-x86_64` - Changes the current directory to the decompressed Elastic Agent folder.
  - `.\elastic-agent.exe install --url=<url> --enrollment-token=<token>` - Runs and installs the Elastic Agent, specifying your cluster as the destination and providing the necessary enrollment token.
- If you copy-paste the command from Elastic the steps will automatically execute in order. It may take a few minutes.
- If you get stuck for an extended period (several minutes) waiting while on the “Expand-Archive” step, you may need to hit enter (which happened to me once).
- Once you get to the step where you see your enrollment token, you may need to hit Enter again to enroll your host.
- Enter “Y” (yes) when prompted if you want to install Elastic Agent as a service.
- Note that for an automated deployment you can make all of these steps automatic.
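The note above says the whole sequence can be made automatic. The script below is an added example, not part of the lab or of Elastic’s own material, that performs the same download, unpack and install unattended and, because you are about to run a downloaded executable as Administrator, verifies the archive against its published SHA-512 before unpacking it. It assumes the `.sha512` sidecar file that artifacts.elastic.co publishes next to each artifact, the agent’s `--non-interactive` install flag (which suppresses the service and enrollment prompts), and the Windows service name `Elastic Agent`; `<FLEET_URL>` and `<ENROLLMENT_TOKEN>` are placeholders for the values shown on your “Add agent” page.

```powershell
# Added example (not the lab's command): unattended Elastic Agent install on Windows.
# Assumptions: the .sha512 sidecar published beside the archive, the agent's
# --non-interactive flag, and the service name 'Elastic Agent'.
# <FLEET_URL> and <ENROLLMENT_TOKEN> are placeholders; copy the real values from
# the "Add agent" page in Fleet.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

$Version  = '8.12.2'
$FleetUrl = '<FLEET_URL>'
$Token    = '<ENROLLMENT_TOKEN>'

$Archive = "elastic-agent-$Version-windows-x86_64.zip"
$BaseUrl = 'https://artifacts.elastic.co/downloads/beats/elastic-agent'
$WorkDir = Join-Path $env:TEMP 'elastic-agent-install'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# 1. Download the archive and its published SHA-512 sidecar.
Invoke-WebRequest -Uri "$BaseUrl/$Archive"        -OutFile $Archive
Invoke-WebRequest -Uri "$BaseUrl/$Archive.sha512" -OutFile "$Archive.sha512"

# 2. Verify the download before unpacking anything.
#    The sidecar is a single line of the form "<hash>  <filename>".
$expected = (Get-Content "$Archive.sha512" -Raw).Trim().Split(' ')[0].ToLower()
$actual   = (Get-FileHash -Path $Archive -Algorithm SHA512).Hash.ToLower()
if ($expected -ne $actual) {
    throw "SHA-512 mismatch for $Archive (expected $expected, got $actual)"
}

# 3. Unpack and install without prompts, then confirm the service is up.
Expand-Archive -Path $Archive -DestinationPath . -Force
Set-Location "elastic-agent-$Version-windows-x86_64"
.\elastic-agent.exe install --url=$FleetUrl --enrollment-token=$Token --non-interactive
if ($LASTEXITCODE -ne 0) {
    throw "elastic-agent install failed with exit code $LASTEXITCODE"
}

Get-Service -Name 'Elastic Agent' | Select-Object Name, Status
```

Run it from an elevated PowerShell window. The hash check is the part worth keeping even if you script the rest differently: it fails closed, so a truncated or tampered download never reaches `Expand-Archive`, and `$ErrorActionPreference = 'Stop'` turns any failed download into a hard stop instead of a silently empty file.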
- Once the agent is done being installed, you should get two different forms of confirmation.
- Your PowerShell window should confirm that the agent was installed:
- Back in Elastic you should see confirmation that your agent has been enrolled and data is flowing.
- Congratulations on enrolling your host! Hit Close on the “Add agent” window in Elastic, but leave the PowerShell window open and the VM on for now.
- Note: From this point on in the class, do not “Destroy” your VM. You can shut it down, but destroying it will reset the VM, meaning it no longer will be enrolled in your Elastic.
- Back in Elastic you should now see your host in the agents listing.
- If you see high CPU and memory usage, don’t worry too much. That is over a 5 minute average, and for those 5 minutes the agent was working overtime to install itself. The CPU usage should come down over time.
- Our host may be enrolled, but spoiler alert: we aren’t done yet. Right now we aren’t getting all of the logs we need. Why? Let’s take a look.
- Go to “Agent policies” and click on your logging policy. You should see a list of Integrations that is probably pretty small.
- The logs being gathered by this integration aren’t quite up to par with what we want for our investigations. If you actually click on that integration named “System”, it explains that this integration is for basic logs and metrics.
- The VM we're using has Sysmon installed, and we definitely want those logs. They will provide us with a wealth of information.
- Let’s get our Sysmon logs from that host. On your logging policy page, hit “Add integration”.
- Search for “Windows” and select the Windows option highlighted below.
- If you look at this integration’s details, it notes that it gathers some of the logs that we’re looking for. For each of Sysmon Operational, PowerShell Operational, and PowerShell, click “Preserve original event”. The rest of the defaults are fine.
- What is event original?
  The “Preserve original event” option stores the raw, unprocessed log data exactly as it was generated by Windows before Elastic applies any parsing or normalization. This is valuable for SOC analysts because it provides a complete forensic record that can be referenced if Elastic’s parsing misses important details or if you need to re-analyze events with different tools. Having the original event ensures you can always go back to the source of truth during investigations, especially when dealing with complex or unusual security incidents where every detail matters.
- Click “Add Integration”.
- This is going to ship more of the logs we’re looking for. We don’t necessarily want to ship logs we won’t be using, but for now, we’re probably fine and likely erring towards too few rather than too many log events.
- Back in your VM, run the command “whoami” in that same PowerShell window you just used to install the agent. That’ll be something for us to take a look at later.
- Also run “net user”.
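Before you go looking for those two commands in Elastic, it helps to confirm on the VM itself that the channels the Windows integration reads actually exist and hold records, and that Sysmon recorded the `whoami` and `net user` runs locally. The snippet below is an added example, not part of the lab; it uses only built-in `Get-WinEvent` calls and the standard channel names `Microsoft-Windows-Sysmon/Operational`, `Microsoft-Windows-PowerShell/Operational` and `Windows PowerShell`. The `Get-SysmonProcessCreate` function and its default image list (`whoami.exe`, `net.exe`, and `net1.exe`, which `net user` spawns) are this example’s own.

```powershell
# Added example (not from the lab): check the event log channels the Windows
# integration ships, then list recent Sysmon process-creation events (Event ID 1)
# so you can see the whoami / net user runs locally before looking in Elastic.
# Run from an elevated PowerShell window on the Windows VM.
$Channels = @(
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-PowerShell/Operational',
    'Windows PowerShell'
)

# Record counts per channel. A zero here means the integration has nothing to ship
# yet; a missing Sysmon channel means Sysmon is not installed on this host.
Get-WinEvent -ListLog $Channels -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime |
    Format-Table -AutoSize

function Get-SysmonProcessCreate {
    # Hypothetical helper for this example: returns the fields an analyst reads first
    # from Sysmon Event ID 1, filtered to the executables named in -Image.
    param(
        [int]$MaxEvents = 50,
        [string[]]$Image = @('whoami.exe', 'net.exe', 'net1.exe')
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event ID 1 stores its fields as <Data Name="...">; index them by name.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                User        = $data['User']
                ParentImage = $data['ParentImage']
            }
        } |
        Where-Object { $Image -contains (Split-Path $_.Image -Leaf) }
}

Get-SysmonProcessCreate | Format-Table -AutoSize -Wrap
```

If the table shows both commands with `powershell.exe` as the parent and your Administrator account as the user, the host side is working; anything missing from Elastic after that points at the policy or the integration, not at the VM. These are also the same `Image`, `CommandLine` and `ParentImage` values you will see once the events arrive in Elastic, with `event.original` holding the XML this script parsed.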
Help and Tips
- There may be an option to choose between ElasticSearch or Elastic Cloud when logging in; always go with Cloud as this is how we created the account.
- Logging best practice is to not ingest logs you will not be using. As this is a test cluster, and we’re still trying to figure out what logs we do and don’t need, we won’t worry too much about that right now. We can always deploy new logging policies to our agents via Fleet later to increase or reduce logging volume.
- In some tests, the new host briefly reported as “Unhealthy”. This happens sometimes as part of the install, and it usually resolves itself.