Abstract image of a woman sitting on books and studying on a laptop

ELK in Security Analytics

Download as PDF, PPTX
N
nullowaspmumbai

ELK is a log analysis stack that consists of Elasticsearch for storage, Logstash for transport and processing, and Kibana for visualization. Beats are lightweight shippers that move logs to Logstash or Elasticsearch. The document discusses using ELK for security analytics by ingesting large volumes of logs from various sources for threat hunting, user behavior analytics, and forensic analysis to address limitations of SIEM tools.

1 of 25
Download as PDF, PPTX
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
ELK in Security analytics -- Lionel Faleiro Lionel Faleiro [ @sandmaxprime ]
About Me • Trainer and Security Analyst at Institute of Information Technology / Network Intelligence India • 4+ years experience in IT • Conducted Trainings at multiple corporates • Part of the DFIR Team at NII • Key domains – Security Analytics, Malware Analysis, Log Analysis, Intrusion Response Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
What Big Data.. • IS: • Store large volumes of data • Enables us to run queries on the data set • IS NOT: • Hadoop, Hive, Pig, Yarn – these are technologies • Does not automatically give you analytical results Lionel Faleiro [ @sandmaxprime ]
Why use Big Data in Security? • User-behaviour analytics • Fraud Detection • Log correlation from additional sources • Forensic analysis on large volumes of data Lionel Faleiro [ @sandmaxprime ]
Known SIEM Issues • Unable to ingest a lot of log sources • Cost of storage is high • Requires more compute power • Licensing issues • Monitoring on each endpoint is problematic • Current monitoring is static in nature • Too many alerts Lionel Faleiro [ @sandmaxprime ]
SIEM + ELK = SOC 2.0 • SIEM Functions • Alerts for standard IT issues • Rules based correlations • Standard reporting/queries • ELK Functions • Visualize Logs for anomalies • Ingest logs from multiple sources with large volume • Implement Threat-Hunting strategy • Custom search and querying Lionel Faleiro [ @sandmaxprime ]
This is not ELK.. Lionel Faleiro [ @sandmaxprime ]
What is ELK? • E is a NoSQL databased that is based on the Lucene search engine • Stores data in an unstructured way • Cannot use SQL to query it. • L is a log pipeline tool that accepts inputs, executes transformations and outputs the data into various targets • K is a visualization layer Lionel Faleiro [ @sandmaxprime ]
ELK Overview • Beats • Log shippers – Windows events, system status, network traffic • Elasticsearch • Data storage, search engine • Logstash • Log management component. Ingest, Process, Output • Kibana • - Create visualizations and dashboards Lionel Faleiro [ @sandmaxprime ]
ELK Architecture Lionel Faleiro [ @sandmaxprime ]
Elasticsearch • Based on Apache Lucene • Open-source search engine library • Created by Shay Banon • Extends Lucene to store, index and search • JSON over HTTP Lionel Faleiro [ @sandmaxprime ]
Logstash • Integrated Log management framework • Log collection • Centralization • Parsing • Storage • Written in Jruby • Runs in JVM • Multiple input mechanism • TCP/UDP • Files • Sysog Lionel Faleiro [ @sandmaxprime ]
Logstash: Conf • Input {} • Filter {} • Output {} Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
Kibana • Visualization platform • Tight integration with Elasticsearch Lionel Faleiro [ @sandmaxprime ]
Beats • Filebeat • Metricbeat • Packetbeat • Winlogbeat • Hearbeat Lionel Faleiro [ @sandmaxprime ]
Filebeat • A lightweight way to forward and centralize logs and files Lionel Faleiro [ @sandmaxprime ]
Metricbeat Lionel Faleiro [ @sandmaxprime ]
Packetbeat • Packetbeat is a lightweight network packet analyzer that sends data to Logstash or Elasticsearch • It supports many application layer protocols, from database to key-value stores to HTTP and low-level protocols Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
Winlogbeat • Winlogbeat live streams Windows event logs to Elasticsearch and Logstash in a lightweight way • Read from any windows event log channel Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
Heartbeat • Monitor services for their availability with active probing • Heartbeat pings via ICMP, TCP, and HTTP, and also has support for TLS, authentication and proxies. Lionel Faleiro [ @sandmaxprime ]
Use Cases • Nginx/Apache • Sysmon Integration • Forensics Imaging Lionel Faleiro [ @sandmaxprime ]

More Related Content

PPTX
Elastic stack Presentation
Amr Alaa Yassen
 
PDF
Splunk-Presentation
PrasadThorat23
 
PPTX
The Elastic Stack as a SIEM
John Hubbard
 
PPTX
Elastic Stack Introduction
Vikram Shinde
 
PPTX
Fleet and elastic agent
Ismaeel Enjreny
 
PPTX
Elk
Caleb Wang
 
PPTX
Splunk Architecture
Kishore Chaganti
 
PDF
Empower Your Security Practitioners with Elastic SIEM
Elasticsearch
 
Elastic stack Presentation
Amr Alaa Yassen
 
Splunk-Presentation
PrasadThorat23
 
The Elastic Stack as a SIEM
John Hubbard
 
Elastic Stack Introduction
Vikram Shinde
 
Fleet and elastic agent
Ismaeel Enjreny
 
Elk
Caleb Wang
 
Splunk Architecture
Kishore Chaganti
 
Empower Your Security Practitioners with Elastic SIEM
Elasticsearch
 

What's hot(20)

PDF
Elastic SIEM (Endpoint Security)
Kangaroot
 
PPTX
Apache NiFi Crash Course Intro
DataWorks Summit/Hadoop Summit
 
PDF
Introduction to Kibana
Vineet .
 
PPTX
Splunk Architecture overview
Alex Fok
 
PPTX
Log management with ELK
Geert Pante
 
PDF
Elk - An introduction
Hossein Shemshadi
 
PPTX
Tuning Apache Kafka Connectors for Flink.pptx
Flink Forward
 
PDF
Introduction to Apache NiFi 1.11.4
Timothy Spann
 
PPTX
Centralized log-management-with-elastic-stack
Rich Lee
 
PPTX
Elastic - ELK, Logstash & Kibana
SpringPeople
 
PPTX
SplunkLive 2011 Beginners Session
Splunk
 
PPTX
EDR vs SIEM - The fight is on
Justin Henderson
 
PPTX
Threat Hunting with Splunk Hands-on
Splunk
 
PDF
Apache Nifi Crash Course
DataWorks Summit
 
PDF
What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...
Edureka!
 
PPTX
Threat Hunting with Splunk
Splunk
 
PDF
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
PPTX
Log analysis using elk
Rushika Shah
 
PDF
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
PDF
Apache NiFi Record Processing
Bryan Bende
 
Elastic SIEM (Endpoint Security)
Kangaroot
 
Apache NiFi Crash Course Intro
DataWorks Summit/Hadoop Summit
 
Introduction to Kibana
Vineet .
 
Splunk Architecture overview
Alex Fok
 
Log management with ELK
Geert Pante
 
Elk - An introduction
Hossein Shemshadi
 
Tuning Apache Kafka Connectors for Flink.pptx
Flink Forward
 
Introduction to Apache NiFi 1.11.4
Timothy Spann
 
Centralized log-management-with-elastic-stack
Rich Lee
 
Elastic - ELK, Logstash & Kibana
SpringPeople
 
SplunkLive 2011 Beginners Session
Splunk
 
EDR vs SIEM - The fight is on
Justin Henderson
 
Threat Hunting with Splunk Hands-on
Splunk
 
Apache Nifi Crash Course
DataWorks Summit
 
What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...
Edureka!
 
Threat Hunting with Splunk
Splunk
 
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Log analysis using elk
Rushika Shah
 
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
Apache NiFi Record Processing
Bryan Bende
 

Similar to ELK in Security Analytics (20)

PPTX
ELK Stack Online Training - ELK Stack Training.pptx
eshwarvisualpath
 
PPTX
ELK at LinkedIn - Kafka, scaling, lessons learned
Tin Le
 
PDF
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
PPTX
ELK Elasticsearch Logstash and Kibana Stack for Log Management
El Mahdi Benzekri
 
PDF
2015 03-16-elk at-bsides
Jeremy Cohoe
 
PPTX
Elk for Sysadmins
Tanner Lund
 
PDF
Analysis of Network Traffic and Security through Log Aggregation
IJCSIS Research Publications
 
PDF
Logs aggregation and analysis
Divante
 
PPTX
Filebeat Elastic Search Presentation.pptx
Knoldus Inc.
 
PPTX
Centralized Logging System Using ELK Stack
Rohit Sharma
 
PPTX
PowerPoint Presentation Guide Cyber.pptx
owoturooluwaseun
 
PDF
Elk stack @inbot
Jilles van Gurp
 
PDF
ELK stack introduction
abenyeung1
 
PPTX
438996599-Kibana-101-pptx.pptx
Pranav684095
 
PPTX
ELK Ruminating on Logs (Zendcon 2016)
Mathew Beane
 
PPTX
Installation of Elastic search Blue Teams.pptx
PhongTrn639136
 
PDF
Log analysis with the elk stack
Vikrant Chauhan
 
PDF
Experiences in ELK with D3.js for Large Log Analysis and Visualization
Surasak Sanguanpong
 
PDF
University of Oxford: building a next generation SIEM
Elasticsearch
 
PDF
ELK Wrestling (Leeds DevOps)
Steve Elliott
 
ELK Stack Online Training - ELK Stack Training.pptx
eshwarvisualpath
 
ELK at LinkedIn - Kafka, scaling, lessons learned
Tin Le
 
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
ELK Elasticsearch Logstash and Kibana Stack for Log Management
El Mahdi Benzekri
 
2015 03-16-elk at-bsides
Jeremy Cohoe
 
Elk for Sysadmins
Tanner Lund
 
Analysis of Network Traffic and Security through Log Aggregation
IJCSIS Research Publications
 
Logs aggregation and analysis
Divante
 
Filebeat Elastic Search Presentation.pptx
Knoldus Inc.
 
Centralized Logging System Using ELK Stack
Rohit Sharma
 
PowerPoint Presentation Guide Cyber.pptx
owoturooluwaseun
 
Elk stack @inbot
Jilles van Gurp
 
ELK stack introduction
abenyeung1
 
438996599-Kibana-101-pptx.pptx
Pranav684095
 
ELK Ruminating on Logs (Zendcon 2016)
Mathew Beane
 
Installation of Elastic search Blue Teams.pptx
PhongTrn639136
 
Log analysis with the elk stack
Vikrant Chauhan
 
Experiences in ELK with D3.js for Large Log Analysis and Visualization
Surasak Sanguanpong
 
University of Oxford: building a next generation SIEM
Elasticsearch
 
ELK Wrestling (Leeds DevOps)
Steve Elliott
 

More from nullowaspmumbai(20)

PPTX
Xxe
nullowaspmumbai
 
PPTX
Switch security
nullowaspmumbai
 
PPTX
Radio hacking - Part 1
nullowaspmumbai
 
PPTX
How I got my First CVE
nullowaspmumbai
 
PPTX
Power forensics
nullowaspmumbai
 
PPTX
Infrastructure security & Incident Management
nullowaspmumbai
 
PPTX
Middleware hacking
nullowaspmumbai
 
PPTX
Internet censorship circumvention techniques
nullowaspmumbai
 
PPTX
How i got my first cve
nullowaspmumbai
 
PPTX
Adversarial machine learning updated
nullowaspmumbai
 
PPTX
Commix
nullowaspmumbai
 
PPTX
Adversarial machine learning
nullowaspmumbai
 
PPTX
Dll Hijacking
nullowaspmumbai
 
PPTX
Abusing Target
nullowaspmumbai
 
PDF
NTFS Forensics
nullowaspmumbai
 
PPTX
Drozer - An Android Application Security Tool
nullowaspmumbai
 
PPTX
Middleware hacking
nullowaspmumbai
 
PDF
Ganesh naik linux_kernel_internals
nullowaspmumbai
 
PDF
Buffer overflow null
nullowaspmumbai
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Xxe
nullowaspmumbai
 
Switch security
nullowaspmumbai
 
Radio hacking - Part 1
nullowaspmumbai
 
How I got my First CVE
nullowaspmumbai
 
Power forensics
nullowaspmumbai
 
Infrastructure security & Incident Management
nullowaspmumbai
 
Middleware hacking
nullowaspmumbai
 
Internet censorship circumvention techniques
nullowaspmumbai
 
How i got my first cve
nullowaspmumbai
 
Adversarial machine learning updated
nullowaspmumbai
 
Commix
nullowaspmumbai
 
Adversarial machine learning
nullowaspmumbai
 
Dll Hijacking
nullowaspmumbai
 
Abusing Target
nullowaspmumbai
 
NTFS Forensics
nullowaspmumbai
 
Drozer - An Android Application Security Tool
nullowaspmumbai
 
Middleware hacking
nullowaspmumbai
 
Ganesh naik linux_kernel_internals
nullowaspmumbai
 
Buffer overflow null
nullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 

Recently uploaded(20)

PDF
Be ready for tomorrow’s needs with a longer-lasting, higher-performing PC
Principled Technologies
 
PDF
Child-friendly e-learning for artificial intelligence education in Indonesia:...
IAESIJAI
 
PDF
Revolutionizing recommendations a survey: a comprehensive exploration of mode...
IAESIJAI
 
PDF
Applying Agentic AI in Enterprise Automation
DianaGray10
 
PDF
The Ultimate Guide to Make AI Agents_ From Creation to Advanced Automation.pdf
SOFTTECHHUB
 
PDF
Slides World Game (s) Great Redesign Eco Economic Epochs.pdf
Steven McGee
 
PPTX
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
PDF
BioTapSync: revolutionizing data synchronization with human touch
IAESIJAI
 
DOCX
AI Unit 1 Notes for engineering students
NamanBhola3
 
PDF
Uncertainty-aware contextual multi-armed bandits for recommendations in e-com...
IAESIJAI
 
PDF
TrustArc Webinar - Data Minimization in Practice_ Reducing Risk, Enhancing Co...
TrustArc
 
PPTX
Generative AI at Oracle- The next frontier of enterprise innovation.pptx
Geovanni Vega Velásquez
 
PDF
13 Powerful n8n Alternatives That Will Transform Your Workflow Automation Gam...
SOFTTECHHUB
 
PPTX
0 to AI Nordic APIs 2024 - Kristen Womack.pptx
Kristen Womack
 
PDF
Broiler meats tenderness prediction using near infrared spectroscopy against ...
IAESIJAI
 
PDF
Intravenous drug administration application for pediatric patients via augmen...
IAESIJAI
 
PDF
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
PDF
ment.tech-How to Develop an AI Agent Healthcare App like Sully AI (2).pdf
thomasnova26
 
PDF
“Introduction to Designing with AI Agents,” a Presentation from Amazon Web Se...
Edge AI and Vision Alliance
 
PDF
BRKDCN-2629 Design and Automate Micro-Segmentation in NX-OS VXLAN EVPN Fabric...
dmscott4563
 
Be ready for tomorrow’s needs with a longer-lasting, higher-performing PC
Principled Technologies
 
Child-friendly e-learning for artificial intelligence education in Indonesia:...
IAESIJAI
 
Revolutionizing recommendations a survey: a comprehensive exploration of mode...
IAESIJAI
 
Applying Agentic AI in Enterprise Automation
DianaGray10
 
The Ultimate Guide to Make AI Agents_ From Creation to Advanced Automation.pdf
SOFTTECHHUB
 
Slides World Game (s) Great Redesign Eco Economic Epochs.pdf
Steven McGee
 
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
BioTapSync: revolutionizing data synchronization with human touch
IAESIJAI
 
AI Unit 1 Notes for engineering students
NamanBhola3
 
Uncertainty-aware contextual multi-armed bandits for recommendations in e-com...
IAESIJAI
 
TrustArc Webinar - Data Minimization in Practice_ Reducing Risk, Enhancing Co...
TrustArc
 
Generative AI at Oracle- The next frontier of enterprise innovation.pptx
Geovanni Vega Velásquez
 
13 Powerful n8n Alternatives That Will Transform Your Workflow Automation Gam...
SOFTTECHHUB
 
0 to AI Nordic APIs 2024 - Kristen Womack.pptx
Kristen Womack
 
Broiler meats tenderness prediction using near infrared spectroscopy against ...
IAESIJAI
 
Intravenous drug administration application for pediatric patients via augmen...
IAESIJAI
 
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
ment.tech-How to Develop an AI Agent Healthcare App like Sully AI (2).pdf
thomasnova26
 
“Introduction to Designing with AI Agents,” a Presentation from Amazon Web Se...
Edge AI and Vision Alliance
 
BRKDCN-2629 Design and Automate Micro-Segmentation in NX-OS VXLAN EVPN Fabric...
dmscott4563
 

ELK in Security Analytics

  • 1.
    ELK in Securityanalytics -- Lionel Faleiro Lionel Faleiro [ @sandmaxprime ]
  • 2.
    About Me • Trainerand Security Analyst at Institute of Information Technology / Network Intelligence India • 4+ years experience in IT • Conducted Trainings at multiple corporates • Part of the DFIR Team at NII • Key domains – Security Analytics, Malware Analysis, Log Analysis, Intrusion Response Lionel Faleiro [ @sandmaxprime ]
  • 3.
    Lionel Faleiro [@sandmaxprime ]
  • 4.
    What Big Data.. •IS: • Store large volumes of data • Enables us to run queries on the data set • IS NOT: • Hadoop, Hive, Pig, Yarn – these are technologies • Does not automatically give you analytical results Lionel Faleiro [ @sandmaxprime ]
  • 5.
    Why use BigData in Security? • User-behaviour analytics • Fraud Detection • Log correlation from additional sources • Forensic analysis on large volumes of data Lionel Faleiro [ @sandmaxprime ]
  • 6.
    Known SIEM Issues • Unableto ingest a lot of log sources • Cost of storage is high • Requires more compute power • Licensing issues • Monitoring on each endpoint is problematic • Current monitoring is static in nature • Too many alerts Lionel Faleiro [ @sandmaxprime ]
  • 7.
    SIEM + ELK= SOC 2.0 • SIEM Functions • Alerts for standard IT issues • Rules based correlations • Standard reporting/queries • ELK Functions • Visualize Logs for anomalies • Ingest logs from multiple sources with large volume • Implement Threat-Hunting strategy • Custom search and querying Lionel Faleiro [ @sandmaxprime ]
  • 8.
    This is not ELK.. LionelFaleiro [ @sandmaxprime ]
  • 9.
    What is ELK? •E is a NoSQL databased that is based on the Lucene search engine • Stores data in an unstructured way • Cannot use SQL to query it. • L is a log pipeline tool that accepts inputs, executes transformations and outputs the data into various targets • K is a visualization layer Lionel Faleiro [ @sandmaxprime ]
  • 10.
    ELK Overview • Beats •Log shippers – Windows events, system status, network traffic • Elasticsearch • Data storage, search engine • Logstash • Log management component. Ingest, Process, Output • Kibana • - Create visualizations and dashboards Lionel Faleiro [ @sandmaxprime ]
  • 11.
  • 12.
    Elasticsearch • Based onApache Lucene • Open-source search engine library • Created by Shay Banon • Extends Lucene to store, index and search • JSON over HTTP Lionel Faleiro [ @sandmaxprime ]
  • 13.
    Logstash • Integrated Logmanagement framework • Log collection • Centralization • Parsing • Storage • Written in Jruby • Runs in JVM • Multiple input mechanism • TCP/UDP • Files • Sysog Lionel Faleiro [ @sandmaxprime ]
  • 14.
    Logstash: Conf • Input{} • Filter {} • Output {} Lionel Faleiro [ @sandmaxprime ]
  • 15.
    Lionel Faleiro [@sandmaxprime ]
  • 16.
    Kibana • Visualization platform •Tight integration with Elasticsearch Lionel Faleiro [ @sandmaxprime ]
  • 17.
    Beats • Filebeat • Metricbeat •Packetbeat • Winlogbeat • Hearbeat Lionel Faleiro [ @sandmaxprime ]
  • 18.
    Filebeat • A lightweightway to forward and centralize logs and files Lionel Faleiro [ @sandmaxprime ]
  • 19.
  • 20.
    Packetbeat • Packetbeat isa lightweight network packet analyzer that sends data to Logstash or Elasticsearch • It supports many application layer protocols, from database to key-value stores to HTTP and low-level protocols Lionel Faleiro [ @sandmaxprime ]
  • 21.
    Lionel Faleiro [@sandmaxprime ]
  • 22.
    Winlogbeat • Winlogbeat livestreams Windows event logs to Elasticsearch and Logstash in a lightweight way • Read from any windows event log channel Lionel Faleiro [ @sandmaxprime ]
  • 23.
    Lionel Faleiro [@sandmaxprime ]
  • 24.
    Heartbeat • Monitor servicesfor their availability with active probing • Heartbeat pings via ICMP, TCP, and HTTP, and also has support for TLS, authentication and proxies. Lionel Faleiro [ @sandmaxprime ]
  • 25.
    Use Cases • Nginx/Apache •Sysmon Integration • Forensics Imaging Lionel Faleiro [ @sandmaxprime ]