Elastic Controller

Setting up the Elastic Stack for detection-based rewards

The Elastic Controller provides behavioral detection as a reward signal.

Overview

The controller runs:

  • Elasticsearch — Alert storage and querying
  • Kibana — Visualization and rule management
  • Fleet Server — Agent management

Quick Setup

1. Run Setup Script

./scripts/Setup-RLVRController.sh

This script:

  1. Installs Docker if needed
  2. Clones elastic-container repository
  3. Configures the Elastic Stack
  4. Starts all services

2. Configure Environment

Edit the variables at the top of the script:

ELASTIC_VERSION="8.14.0"
ELASTIC_PASSWORD="your_secure_password"
CONTROLLER_IP="10.0.20.145"

Post-Setup Configuration

Install Elastic Defend

In Kibana:

  1. Go to Fleet → Integrations
  2. Search for “Elastic Defend”
  3. Click Add Elastic Defend
  4. Select your agent policy
  5. Click Save and deploy

Load Detection Rules

In Kibana:

  1. Go to Security → Rules
  2. Click Load Elastic prebuilt rules
  3. Enable Windows-related rules

Get Enrollment Token

For Windows VMs to connect:

  1. Go to Fleet → Enrollment tokens
  2. Copy the token for your policy

malagent Configuration

Edit configs/elastic_verifier.yaml:

elastic:
  host: "10.0.20.145"
  port: 9200
  kibana_port: 5601
  
  auth:
    username: "elastic"
    password: "your_password"
  
  ssl:
    verify: false
  
  detection:
    timeout: 120
    poll_interval: 5
    rule_delay: 30
  
  rewards:
    evaded: 1.0
    low: 0.8
    medium: 0.7
    high: 0.6
    critical: 0.5

Verification

# Check Elasticsearch health
curl -sk -u elastic:password https://localhost:9200/_cluster/health | jq

# Check Fleet Server
curl -sk https://localhost:8220/api/status | jq
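The same checks in one script, as an added example that is not part of the controller's own code: it confirms Elasticsearch and Fleet Server are healthy and counts the detection rules that are actually enabled, since loaded prebuilt rules produce no alerts until enabled. The host, ports, credentials and the Kibana rules `_find` query are assumptions to adjust to your configs/elastic_verifier.yaml.

```python
"""Post-setup checks for the Elastic Controller (added example, not project code)."""
import base64
import json
import ssl
import urllib.request

# Assumed values taken from the sample config above; change to match your deployment.
ES_URL = "https://10.0.20.145:9200"
KIBANA_URL = "https://10.0.20.145:5601"
FLEET_URL = "https://10.0.20.145:8220"
AUTH = ("elastic", "your_password")


def _get(url, headers=None, auth=True):
    """GET a JSON document, mirroring 'curl -sk -u' from the verification commands."""
    req = urllib.request.Request(url, headers=headers or {})
    if auth:
        token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    # Matches ssl.verify: false in the sample config (self-signed lab certificates).
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def cluster_ok(health):
    """Elasticsearch is usable for alert storage when the cluster is green or yellow."""
    return health.get("status") in ("green", "yellow")


def fleet_ok(status):
    """Fleet Server reports HEALTHY once agents can enroll against it."""
    return status.get("status") == "HEALTHY"


def enabled_rules(find_response):
    """Sorted names of enabled rules from a Kibana detection_engine rules _find response."""
    return sorted(r["name"] for r in find_response.get("data", []) if r.get("enabled"))


def run_checks():
    """Query all three services and return a summary dict (assumed endpoints)."""
    health = _get(f"{ES_URL}/_cluster/health")
    fleet = _get(f"{FLEET_URL}/api/status", auth=False)
    rules = _get(
        f"{KIBANA_URL}/api/detection_engine/rules/_find?per_page=1000"
        "&filter=alert.attributes.enabled:true",
        headers={"kbn-xsrf": "true"},
    )
    return {"elasticsearch": cluster_ok(health), "fleet": fleet_ok(fleet),
            "enabled_rules": len(enabled_rules(rules))}


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

If `enabled_rules` comes back as 0 after loading the prebuilt rules, the rules were imported but not switched on, and no alerts will be generated.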