updates for security/malware (elastic#217)

Installation and Setup.md

@@ -2,7 +2,7 @@
 
 **Check Versions**
 
-All examples should target 5.x of the Elastic Stack.
+We are in the process of updated these examples to target the current 6.x version of the Elastic Stack.  If you stumble upon one for which the instructions have not been migrated please try with the current stack rather than the 5.x
 
 **Check Java version**
 

Security Analytics/malware_analysis/README.md

@@ -36,8 +36,8 @@ Obtaining a copy of the WannaCry malware is left to the user. Any attempt by the
 
 ### Pre-requisites
 
-* Elasticsearch 5.4 or above
-* Kibana 5.4 or above
+* Elasticsearch 6.2 or above
+* Kibana 6.2 or above
 
 ### Installation Steps
 
@@ -70,11 +70,14 @@ Perform the following steps:
       mkdir ./elastic_wanna_cry
       cd elastic_wanna_cry
       # Download index snapshot to your new snapshots directory
-      curl -O http://download.elasticsearch.org/demos/wanna_cry/snapshot_wanna_cry.tar.gz .
+      curl -O http://download.elasticsearch.org/demos/wanna_cry/snapshot_wanna_cry.tar.gz
       # Uncompress snapshot file (uncompressed to wanna_cry subfolder)
-      tar -xf snapshot_wanna_cry.tar.gz
+      tar -xzf snapshot_wanna_cry.tar.gz
       ```
-1. Add the location of the uncompressed snapshot dir to `path.repo` variable in the `elasticsearch.yml` in the `path_to_elasticsearch_root_dir/config/` folder. See example [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-snapshots.html#_shared_file_system_repository). You will need to restart Elasticsearch for the settings to take effect. 
+1. Add the location of the uncompressed snapshot dir to `path.repo` variable in the `elasticsearch.yml` in the `path_to_elasticsearch_root_dir/config/` folder. See example [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-snapshots.html#_shared_file_system_repository). You will need to restart Elasticsearch for the settings to take effect. Your config should look something like: 
+```console
+path.repo: ["/path/to/folder/elastic_wanna_cry/wanna_cry"]
+```
 
 1. Register a file system repository for the snapshot *(change the value of the “location” parameter below to the location of your uncompressed snapshot directory)*
       ```shell
@@ -89,26 +92,38 @@ Perform the following steps:
       }'
       ```
 
+Which should result in
+
+```console
+{"acknowledged":true}
+```
+
 1. Restore the index data into your Elasticsearch instance:
 
     ```shell
     curl -XPOST "localhost:9200/_snapshot/wanna_cry/snapshot-wanna-cry/_restore"
     ```
+Which should result in
+
+```console
+{"accepted":true}
+```
 
 This restoration should take a few seconds. Confirm the index is ready with the following commands:
 
-* `curl http://localhost:9200/packetbeat*/_count` This should return a count of 20797 i.e. `{"count":20797,"_shards":{"total":10,"successful":10,"failed":0}}`
-* `curl http://localhost:9200/winlogbeat*/_count` This should return a count of 8414 i.e. `{"count":8414,"_shards":{"total":10,"successful":10,"failed":0}}`
+* `curl http://localhost:9200/packetbeat*/_count` This should return a count of 20524 i.e. `{"count":20524,"_shards":{"total":10,"successful":10,"failed":0}}`
+* `curl http://localhost:9200/winlogbeat*/_count` This should return a count of 8328 i.e. `{"count":8328,"_shards":{"total":10,"successful":10,"failed":0}}`
 
 ### Exploring the data
 
 * Access Kibana by going to `http://localhost:5601` in a web browser
-* Connect Kibana to the `packebeat-*` and `winlogbeat-*` indices in Elasticsearch
+* Connect Kibana to the `packetbeat-*` and `winlogbeat-*` indices in Elasticsearch
     * Click the **Management** tab >> **Index Patterns** tab >> **Create New**. Specify `packetbeat-*` as the index pattern name and click **Create** to define the index pattern. (Leave the **Index contains time-based events** box checked and use @timestamp as the Time Field). Leave all other boxes unchecked.
     * Repeat the above steps for the patterns `winlogbeat-*` and `*` (to allow search across all indices).
 * Open discover
     * Click on **Discover** tab 
-* Navigate to the time period in which testing was performed. Select time selector in the upper right. Select the option **Absolute** and enter the values `2017-05-26 18:00:00.000` and `2017-05-26 20:30:00.000` for the From and To fields respectively.
+* Navigate to the time period in which testing was performed. Select time selector in the upper right. Select the option **Absolute** and enter the values `2017-05-26 00:00:00.000` and `2017-05-26 23:59:59.999` for the From and To fields respectively.
+* Zoom in on the captured data by drawing a rectangle around bars you see
 * Explore the data!
 
 ## Sequence of tests
@@ -120,8 +135,7 @@ As shown below and as described in the blog post, the following tests were perfo
 1. WannaCry executed and propagation amongst Windows VMs monitored
 1. Windows VMs reset to snapshot prior to previous exeuction. Kill Switch domains added to windows_server_2012 and malware re-detonated. 
 
-![Discover View of WannaCry Tests](https://cloud.githubusercontent.com/assets/12695796/26511381/af159f94-4259-11e7-9719-4fcc2897f2c7.png?raw=true)
-
+![Discover View of WannaCry Tests](images/kibana.png?raw=true)