Elastic as a security monitoring solution

Price (without VAT): 25.900 CZK

Days: 2

  • 19. 9. - 20. 9. 2024, virtual, CZ
  • 18. 11. - 19. 11. 2024, virtual, CZ

Elastic Stack with the Security module gives security teams the functionality they need to identify security events and investigate them. Within Kibana, it is easy to visualize data and detect security anomalies (threat hunting).

The training has a technical part and a security part. In the technical part, participants learn how to implement their own Elastic cluster environment, work with log collection agents and maintain their configuration, and set up log filtering and parsing rules. In the security part, they learn the functionality of Kibana and the Security module and work with security event detection scenarios. We will also discuss how to use Kibana and the Security module to identify anomalies in network traffic and at the application layer.

Audience

  • Cybersecurity professionals
  • System and application administrators

Goals

The goal of the course is to gain an understanding of Elastic Stack, with an emphasis on the functionality that supports cybersecurity. For an organization considering a refresh of its SIEM solution, the course is a good way to explore Open Source capabilities. The course also covers the Linux and Windows Server audit subsystems.

Outline

Implementing Elastic Stack

  • General introduction to Elastic Stack components
  • Platform installation and configuration
  • installing data collection agents
  • connecting data sources
  • description of ECS and EQL for data exploration
  • managing users and data access segregation

Use in security surveillance

  • ATT&CK framework
  • common use cases for starting a SOC
  • Linux and network layer audit data offloading
  • Windows Server audit data mining
  • implementation of the selected detection scenario
  • Threat hunting

Prerequisites

  • Experience in cybersecurity or systems and application administration
