Session 1 | 7.24.2023

[brentcox820]

Meeting 1:

::Activies and Agenda::

• Upgrade Elastic Deployment in Cloud to the following configuration
  • Hot Tier: 8GB
  • Machine Learning: 2GB
  • Kibana: 4GB
  • Enterprise Search: 2GB
  • Intergrations Server: 2GB

:: Start Collection Data via AGENT::

• Create a new Agent Policy
  • Add an integration for Elastic Defend to the newly created Policy
  • Save the Policy and choose to add agents later
• Add Agent via Fleet main page
  • Choose the new Policy you created
  • Navigate to the Mac tab and copy the last line of code

sudo ./elastic-agent install --url=https://f2f020c66d8a4fd4aa043885f69316e3.fleet.us-west-2.aws.found.io:443 --enrollment-token=NWJwZmtJa0JqdmZ0RmtjT0lSQno6cEQtUlVpWXNURWlWS0tPT0RKUVZvQQ==

• Once copied, you will replace the “install” command with “enroll.”
  • This will allow you to repurpose the installed elastic agent and start collecting metrics on your Elastic Deployment so we can begin creating some oy11 “observability data.”
  • Look will be below

sudo elastic-agent enroll --url=https://f2f020c66d8a4fd4aa043885f69316e3.fleet.us-west-2.aws.found.io:443 --enrollment-token=NWJwZmtJa0JqdmZ0RmtjT0lSQno6cEQtUlVpWXNURWlWS0tPT0RKUVZvQQ==

• Next, open a new terminal window on your Mac with Cmd + spacebar and type Terminal
  • Once in the terminal, you will navigate to the /Libary/Elastic folder for us to run the above command.

cd /Library/Elastic

• Now that we are in the Elastic Folder, we can run the above command, enroll the agent, and point the logs and metrics to our elastic cloud deployment.
• If you still have the Fleet page open, you should see the agent enrollment complete, and then data start flowing.

:: Elastic Agent via POC / POV::

• As an SA, we will be participating in POC and POV, in which we will assist our customers in deploying and setting up the elastic agent for not only primary data collection from the systems but also for cloud environments (AWS, AZURE, GCP)
• The main thing to remember is that we need to plan the data flowing through the agent via integrations (API or Filebeat) as an SA. We need to set the customer up for success in how many agents they will need to install on servers ( hosts) to support the number of events and logs they plan to ingest.
  • IE - Customer is doing a security POC with o365 logs, Cisco ASA. Then we need to understand how many events are coming thru a second, as the ASA could be noisy and drop events if we only have one agent running the ingest
    • We will get into this more with integrations, but agent installation is a critical knowledge in planning

:: Elastic Agent via REAL WORLD::

• Once you get through POC, the agent will be deployed via an MDM service or management tool that will install the downloaded package from the Elastic website and then upload and install it to all the hosts.

• Once installed, the customer will run a script to run the enroll with a token to the specific Policy they want the hosts to be tied to.

  • Same Method you did with the script via terminal but on a large scale

    :: We can discuss this more if the team has questions::

::HOMEWORK:::

1. Ensure your Elastic Agent is connected and sends metrics and logs to your Elastic deployment.
   • Please ensure that Elastic Defend is on the integrations list for the new Policy your agent is connected to and linked to your deployment.
2. If you are having issues with this, uninstall and reinstall the agent and re-enroll the agent, and that will solve the 404 Fleet auth issue with the old token.

[jendavido]

LFG!