Back to Details

security-generate-security-sample-data

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Generate Security Sample Data

生成安全样本数据

Generate ECS-compliant security events, multi-step attack scenarios, and synthetic alert documents that populate Elastic Security dashboards, the Alerts tab, and Attack Discovery.
生成符合ECS标准的安全事件、多步骤攻击场景以及模拟告警文档,用于填充Elastic Security仪表板、告警标签页和攻击发现模块。

Quick start

快速开始

For a zero-friction experience that generates everything and opens Kibana:
bash
node skills/security/generate-security-sample-data/scripts/demo-walkthrough.js
如需零配置体验,一键生成所有内容并打开Kibana:
bash
node skills/security/generate-security-sample-data/scripts/demo-walkthrough.js

Workflow

操作流程

text
- [ ] Step 1: Set environment variables
- [ ] Step 2: Generate sample data
- [ ] Step 3: Explore in Kibana
- [ ] Step 4: Clean up when done
text
- [ ] 步骤1:设置环境变量
- [ ] 步骤2:生成样本数据
- [ ] 步骤3:在Kibana中探索
- [ ] 步骤4:完成后清理数据

Step 1: Set environment variables

步骤1:设置环境变量

bash
export ELASTICSEARCH_URL="https://your-project.es.region.aws.elastic.cloud"
export ELASTICSEARCH_USERNAME="admin"
export ELASTICSEARCH_PASSWORD="your-password"
export KIBANA_URL="https://your-project.kb.region.aws.elastic.cloud"
bash
export ELASTICSEARCH_URL="https://your-project.es.region.aws.elastic.cloud"
export ELASTICSEARCH_USERNAME="admin"
export ELASTICSEARCH_PASSWORD="your-password"
export KIBANA_URL="https://your-project.kb.region.aws.elastic.cloud"

Step 2: Generate sample data

步骤2:生成样本数据

Generate everything at once

一键生成所有内容

bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  system endpoint okta aws windows --scenarios --alerts
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  system endpoint okta aws windows --scenarios --alerts

Generate only events

仅生成事件

bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  system endpoint --count 100
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  system endpoint --count 100

Generate only attack scenarios

仅生成攻击场景

bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --scenarios
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --scenarios

Generate only synthetic alerts

仅生成模拟告警

bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --alerts
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --alerts

Step 3: Explore in Kibana

步骤3:在Kibana中探索

After generating data, direct the user to these pages:
  • Security > Alerts — synthetic alerts with MITRE ATT&CK mappings
  • Security > Attack Discovery — requires an LLM connector to analyze alerts
  • Security > Hosts — host activity from sample events
  • Security > Overview — summary of all security data
  • Discover — raw events across all data streams
生成数据后,可引导用户查看以下页面:
  • Security > Alerts — 带有MITRE ATT&CK映射关系的模拟告警
  • Security > Attack Discovery — 需要配置LLM连接器来分析告警
  • Security > Hosts — 样本事件中的主机活动数据
  • Security > Overview — 所有安全数据的汇总视图
  • Discover — 所有数据流中的原始事件

Step 4: Clean up when done

步骤4:完成后清理数据

bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --cleanup
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --cleanup

What gets generated

生成内容说明

Sample data spans 5 packages (system, endpoint, windows, aws, okta) and 4 focused attack scenarios covering the most common demo themes: Windows credential theft, AWS cloud privilege escalation, Okta identity takeover, and a full ransomware kill chain. Synthetic alert documents are indexed into 
.alerts-security.alerts-default
with MITRE ATT&CK mappings, severity levels, and risk scores.
All events use RFC 5737 / RFC 2606 safe addresses. For full tables of packages, scenarios, and alerts see references/sample-data-reference.md.
样本数据涵盖5个包(system、endpoint、windows、aws、okta)以及4个聚焦常见演示主题的攻击场景:Windows凭据窃取、AWS云权限提升、Okta身份接管,以及完整的勒索软件杀伤链。模拟告警文档会被索引到
.alerts-security.alerts-default
,并带有MITRE ATT&CK映射、严重级别和风险评分。
所有事件均使用RFC 5737 / RFC 2606标准的安全地址。如需查看包、场景和告警的完整列表,请参阅references/sample-data-reference.md

Continuous mode

持续模式

Stream events to simulate a live environment:
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  --continuous --interval 15
Every 5th batch includes an attack scenario; every 10th batch adds synthetic alerts. Press Ctrl+C to stop.
通过流式传输事件来模拟实时环境:
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  --continuous --interval 15
每第5批事件会包含一个攻击场景;每第10批事件会添加模拟告警。按Ctrl+C可停止。

Tool reference

工具参考

sample-data.js

sample-data.js

FlagDescription
--count
, 
-n
Events per package (default: 50)
--scenarios
Run all attack simulation scenarios
--scenario NAME
Run a specific scenario
--alerts
Generate synthetic alert documents
--cleanup
Remove all sample data and alerts
--continuous
Stream live events (Ctrl+C to stop)
--interval N
Seconds between continuous batches (default: 30)
--json
, 
-j
Output results as JSON
--yes
, 
-y
Skip confirmation prompts
标志描述
--count
, 
-n
每个包生成的事件数量(默认值:50)
--scenarios
运行所有攻击模拟场景
--scenario NAME
运行指定的特定场景
--alerts
生成模拟告警文档
--cleanup
删除所有样本数据和告警
--continuous
流式传输实时事件(按Ctrl+C停止)
--interval N
持续模式下批次间的间隔秒数(默认值:30)
--json
, 
-j
以JSON格式输出结果
--yes
, 
-y
跳过确认提示

demo-walkthrough.js

demo-walkthrough.js

Zero-friction runner that generates everything and opens Kibana.
FlagDescription
--cleanup
Remove all sample data, alerts, case
--continuous
Generate then stream live events
--count N
Events per package (default: 50)
--interval N
Seconds between batches (default: 30)
零配置运行器,可生成所有内容并自动打开Kibana。
标志描述
--cleanup
删除所有样本数据、告警和案例
--continuous
生成数据后启动实时事件流
--count N
每个包生成的事件数量(默认值:50)
--interval N
批次间的间隔秒数(默认值:30)

Examples

示例

Quick demo for a stakeholder

面向利益相关者的快速演示

"Set up a demo environment so I can show Attack Discovery to my VP."
bash
node skills/security/generate-security-sample-data/scripts/demo-walkthrough.js
"搭建一个演示环境,我要向副总裁展示Attack Discovery功能。"
bash
node skills/security/generate-security-sample-data/scripts/demo-walkthrough.js

Targeted scenario testing

针对性场景测试

"Generate only the ransomware attack chain to test our detection rules."
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  --scenario ransomwareChain --alerts
"仅生成勒索软件杀伤链场景,用于测试我们的检测规则。"
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js \
  --scenario ransomwareChain --alerts

Simulating a live SOC

模拟实时SOC环境

"Keep generating events so the dashboards stay active during the demo."
bash
node skills/security/generate-security-sample-data/scripts/demo-walkthrough.js --continuous
"持续生成事件,让演示期间的仪表板保持活跃状态。"
bash
node skills/security/generate-security-sample-data/scripts/demo-walkthrough.js --continuous

Cleaning up after a demo

演示后清理数据

"Remove all sample data from my project."
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --cleanup
"从我的项目中删除所有样本数据。"
bash
node skills/security/generate-security-sample-data/scripts/sample-data.js --cleanup

Guidelines

注意事项

  • All generated documents are tagged with 
    tags: ["elastic-security-sample-data"]
    for safe cleanup. The cleanup command only deletes documents with this marker.
  • If marker fields are not indexed in a data stream, cleanup falls back to scanning 
    _source.tags
    for matching sample documents from the last 14 days.
  • Synthetic alerts are indexed directly into 
    .alerts-security.alerts-default
    — they do not require detection rules to be installed or enabled.
  • Attack Discovery requires an LLM connector (OpenAI, Anthropic, Google Gemini, or similar) configured in Kibana under Stack Management > Connectors. The "Complete" project tier unlocks the feature, but the connector must be set up separately.
  • Use the 
    case-management
    skill for creating investigation cases from alerts.
  • 所有生成的文档都会标记
    tags: ["elastic-security-sample-data"]
    ,以便安全清理。清理命令只会删除带有该标记的文档。
  • 如果数据流中未索引标记字段,清理操作会回退到扫描最近14天内
    _source.tags
    中匹配的样本文档。
  • 模拟告警会直接索引到
    .alerts-security.alerts-default
    ——无需安装或启用检测规则。
  • Attack Discovery功能需要在Kibana的Stack Management > Connectors中配置LLM连接器(OpenAI、Anthropic、Google Gemini等)。该功能需要“Complete”项目层级解锁,但连接器需单独配置。
  • 如需从告警创建调查案例,请使用
    case-management
    工具。

Production use

生产环境使用说明

  • Do not run against production clusters unless you intend to inject synthetic data alongside real alerts. Sample events and alerts are tagged for cleanup but will appear in dashboards, the Alerts tab, and Attack Discovery alongside real data.
  • All write operations (
    generate
    , 
    --cleanup
    , 
    --continuous
    ) prompt for confirmation. Pass 
    --yes
    or 
    -y
    to skip when called by an agent.
  • --cleanup
    runs 
    deleteByQuery
    across all sample data indices — verify environment variables point to the intended cluster before running.
  • --continuous
    mode indexes events indefinitely until manually stopped with Ctrl+C.
  • 请勿在生产集群中运行,除非你有意将模拟数据注入到真实告警中。样本事件和告警虽带有清理标记,但会与真实数据一同出现在仪表板、告警标签页和Attack Discovery模块中。
  • 所有写入操作(
    generate
    --cleanup
    --continuous
    )都会提示确认。如果是由代理调用,可传入
    --yes
    -y
    来跳过确认。
  • --cleanup
    会在所有样本数据索引上执行
    deleteByQuery
    操作——运行前请确认环境变量指向的是目标集群。
  • --continuous
    模式会无限期索引事件,直到手动按Ctrl+C停止。

Environment variables

环境变量

VariableRequiredDescription
ELASTICSEARCH_URL
YesElasticsearch URL
ELASTICSEARCH_API_KEY
Yes*Elasticsearch API key
ELASTICSEARCH_USERNAME
Yes*Elasticsearch username (alternative)
ELASTICSEARCH_PASSWORD
Yes*Elasticsearch password (alternative)
KIBANA_URL
NoKibana URL (for case creation and links)
KIBANA_USERNAME
NoKibana username (if using Kibana features)
KIBANA_PASSWORD
NoKibana password (if using Kibana features)
*Either API key or username/password is required for Elasticsearch.
变量名是否必填描述
ELASTICSEARCH_URL
Elasticsearch的URL地址
ELASTICSEARCH_API_KEY
是*Elasticsearch的API密钥
ELASTICSEARCH_USERNAME
是*Elasticsearch的用户名(替代方案)
ELASTICSEARCH_PASSWORD
是*Elasticsearch的密码(替代方案)
KIBANA_URL
Kibana的URL地址(用于案例创建和链接)
KIBANA_USERNAME
Kibana的用户名(如需使用Kibana功能)
KIBANA_PASSWORD
Kibana的密码(如需使用Kibana功能)
*Elasticsearch需提供API密钥或用户名/密码二选一。