SlideShare a Scribd company logo

ELK in Security Analytics

N
nullowaspmumbai

ELK is a log analysis stack that consists of Elasticsearch for storage, Logstash for transport and processing, and Kibana for visualization. Beats are lightweight shippers that move logs to Logstash or Elasticsearch. The document discusses using ELK for security analytics by ingesting large volumes of logs from various sources for threat hunting, user behavior analytics, and forensic analysis to address limitations of SIEM tools.

Technology
1 of 25
Downloaded 43 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
ELK in Security analytics -- Lionel Faleiro Lionel Faleiro [ @sandmaxprime ]
About Me • Trainer and Security Analyst at Institute of Information Technology / Network Intelligence India • 4+ years experience in IT • Conducted Trainings at multiple corporates • Part of the DFIR Team at NII • Key domains – Security Analytics, Malware Analysis, Log Analysis, Intrusion Response Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
What Big Data.. • IS: • Store large volumes of data • Enables us to run queries on the data set • IS NOT: • Hadoop, Hive, Pig, Yarn – these are technologies • Does not automatically give you analytical results Lionel Faleiro [ @sandmaxprime ]
Why use Big Data in Security? • User-behaviour analytics • Fraud Detection • Log correlation from additional sources • Forensic analysis on large volumes of data Lionel Faleiro [ @sandmaxprime ]
Known SIEM Issues • Unable to ingest a lot of log sources • Cost of storage is high • Requires more compute power • Licensing issues • Monitoring on each endpoint is problematic • Current monitoring is static in nature • Too many alerts Lionel Faleiro [ @sandmaxprime ]
SIEM + ELK = SOC 2.0 • SIEM Functions • Alerts for standard IT issues • Rules based correlations • Standard reporting/queries • ELK Functions • Visualize Logs for anomalies • Ingest logs from multiple sources with large volume • Implement Threat-Hunting strategy • Custom search and querying Lionel Faleiro [ @sandmaxprime ]
This is not ELK.. Lionel Faleiro [ @sandmaxprime ]
What is ELK? • E is a NoSQL databased that is based on the Lucene search engine • Stores data in an unstructured way • Cannot use SQL to query it. • L is a log pipeline tool that accepts inputs, executes transformations and outputs the data into various targets • K is a visualization layer Lionel Faleiro [ @sandmaxprime ]
ELK Overview • Beats • Log shippers – Windows events, system status, network traffic • Elasticsearch • Data storage, search engine • Logstash • Log management component. Ingest, Process, Output • Kibana • - Create visualizations and dashboards Lionel Faleiro [ @sandmaxprime ]
ELK Architecture Lionel Faleiro [ @sandmaxprime ]
Elasticsearch • Based on Apache Lucene • Open-source search engine library • Created by Shay Banon • Extends Lucene to store, index and search • JSON over HTTP Lionel Faleiro [ @sandmaxprime ]
Logstash • Integrated Log management framework • Log collection • Centralization • Parsing • Storage • Written in Jruby • Runs in JVM • Multiple input mechanism • TCP/UDP • Files • Sysog Lionel Faleiro [ @sandmaxprime ]
Logstash: Conf • Input {} • Filter {} • Output {} Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
Kibana • Visualization platform • Tight integration with Elasticsearch Lionel Faleiro [ @sandmaxprime ]
Beats • Filebeat • Metricbeat • Packetbeat • Winlogbeat • Hearbeat Lionel Faleiro [ @sandmaxprime ]
Filebeat • A lightweight way to forward and centralize logs and files Lionel Faleiro [ @sandmaxprime ]
Metricbeat Lionel Faleiro [ @sandmaxprime ]
Packetbeat • Packetbeat is a lightweight network packet analyzer that sends data to Logstash or Elasticsearch • It supports many application layer protocols, from database to key-value stores to HTTP and low-level protocols Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
Winlogbeat • Winlogbeat live streams Windows event logs to Elasticsearch and Logstash in a lightweight way • Read from any windows event log channel Lionel Faleiro [ @sandmaxprime ]
Lionel Faleiro [ @sandmaxprime ]
Heartbeat • Monitor services for their availability with active probing • Heartbeat pings via ICMP, TCP, and HTTP, and also has support for TLS, authentication and proxies. Lionel Faleiro [ @sandmaxprime ]
Use Cases • Nginx/Apache • Sysmon Integration • Forensics Imaging Lionel Faleiro [ @sandmaxprime ]

More Related Content

PDF
Elk - An introduction
Hossein Shemshadi
 
PPTX
Log analysis using elk
Rushika Shah
 
PPTX
Elastic stack Presentation
Amr Alaa Yassen
 
PDF
Empower Your Security Practitioners with Elastic SIEM
Elasticsearch
 
PPTX
The Elastic Stack as a SIEM
John Hubbard
 
PDF
Keynote: Elastic Security evolution and vision
Elasticsearch
 
PPTX
Fleet and elastic agent
Ismaeel Enjreny
 
PPTX
Getting Started with Splunk (Hands-On)
Splunk
 
Elk - An introduction
Hossein Shemshadi
 
Log analysis using elk
Rushika Shah
 
Elastic stack Presentation
Amr Alaa Yassen
 
Empower Your Security Practitioners with Elastic SIEM
Elasticsearch
 
The Elastic Stack as a SIEM
John Hubbard
 
Keynote: Elastic Security evolution and vision
Elasticsearch
 
Fleet and elastic agent
Ismaeel Enjreny
 
Getting Started with Splunk (Hands-On)
Splunk
 

What's hot (20)

PDF
Elastic SIEM (Endpoint Security)
Kangaroot
 
PPTX
Siem solutions R&E
Owais Ahmad
 
PPTX
Elastic Stack Introduction
Vikram Shinde
 
PDF
Elastic Security: Unified protection for everyone
Elasticsearch
 
PPTX
SplunkLive 2011 Advanced Session
Splunk
 
PPTX
IBM Security QRadar
Virginia Fernandez
 
PPTX
SIEM Primer:
Anton Chuvakin
 
PPTX
Elk
Caleb Wang
 
PPTX
EDR vs SIEM - The fight is on
Justin Henderson
 
PDF
2020 07-30 elastic agent + ingest management
Daliya Spasova
 
PPTX
Splunk Architecture overview
Alex Fok
 
PPTX
Introduction to ELK
Harshakumar Ummerpillai
 
PDF
QRadar Architecture.pdf
PencilData
 
ODP
Deep Dive Into Elasticsearch
Knoldus Inc.
 
PPTX
Siem ppt
kmehul
 
PPTX
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
PDF
Apache Kafka for Cybersecurity and SIEM / SOAR Modernization
Kai Wähner
 
PPTX
McAfee SIEM solution
hashnees
 
PPTX
Security Information and Event Management (SIEM)
k33a
 
PDF
Elastic Observability keynote
Elasticsearch
 
Elastic SIEM (Endpoint Security)
Kangaroot
 
Siem solutions R&E
Owais Ahmad
 
Elastic Stack Introduction
Vikram Shinde
 
Elastic Security: Unified protection for everyone
Elasticsearch
 
SplunkLive 2011 Advanced Session
Splunk
 
IBM Security QRadar
Virginia Fernandez
 
SIEM Primer:
Anton Chuvakin
 
Elk
Caleb Wang
 
EDR vs SIEM - The fight is on
Justin Henderson
 
2020 07-30 elastic agent + ingest management
Daliya Spasova
 
Splunk Architecture overview
Alex Fok
 
Introduction to ELK
Harshakumar Ummerpillai
 
QRadar Architecture.pdf
PencilData
 
Deep Dive Into Elasticsearch
Knoldus Inc.
 
Siem ppt
kmehul
 
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
Apache Kafka for Cybersecurity and SIEM / SOAR Modernization
Kai Wähner
 
McAfee SIEM solution
hashnees
 
Security Information and Event Management (SIEM)
k33a
 
Elastic Observability keynote
Elasticsearch
 
Ad

Similar to ELK in Security Analytics (20)

PDF
Apache NiFi - Flow Based Programming Meetup
Joseph Witt
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
PPTX
Getting started with apache flink streaming api
Preetdeep Kumar
 
PPTX
Mentor Graphics Customer Presentation
Splunk
 
PDF
122 naver-deview2013-tizen-universal-device-platform-r20131014
NAVER D2
 
PPTX
Accelerate your business with flow
JoAnna Cheshire
 
PDF
CodeIgniter - PHP MVC Framework by silicongulf.com
Christopher Cubos
 
PDF
All Your Security Events Are Belong to ... You!
Xavier Mertens
 
PDF
All your logs are belong to you!
Security BSides London
 
PPTX
ReflectInsight - Let your application speak volume
Callon Campbell
 
PDF
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
PPTX
Tactical Application Detection (Defeating Advanced Adversaries)
muneeb2kh
 
PPTX
Functionality, security and performance monitoring of web assets (e.g. Joomla...
Sanjay Willie
 
PPTX
CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security...
Health IT Conference – iHT2
 
PPTX
Essential Layers of IBM i Security: Security Monitoring and Auditing
Precisely
 
PPTX
Office 365 and using SharePoint Online
Cliff Ashcroft
 
PDF
Enterprise Security in Mainframe-Connected Environments
Precisely
 
PPTX
Lima - Digital Forensic Case Management System
IntaForensics
 
PPTX
Ephesoft & Linux Webinar: Smart Capture™ is Now Even Smarter!
Zia Consulting
 
PDF
H@dfex 2015 malware analysis
Charles Lim
 
Apache NiFi - Flow Based Programming Meetup
Joseph Witt
 
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Getting started with apache flink streaming api
Preetdeep Kumar
 
Mentor Graphics Customer Presentation
Splunk
 
122 naver-deview2013-tizen-universal-device-platform-r20131014
NAVER D2
 
Accelerate your business with flow
JoAnna Cheshire
 
CodeIgniter - PHP MVC Framework by silicongulf.com
Christopher Cubos
 
All Your Security Events Are Belong to ... You!
Xavier Mertens
 
All your logs are belong to you!
Security BSides London
 
ReflectInsight - Let your application speak volume
Callon Campbell
 
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Tactical Application Detection (Defeating Advanced Adversaries)
muneeb2kh
 
Functionality, security and performance monitoring of web assets (e.g. Joomla...
Sanjay Willie
 
CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security...
Health IT Conference – iHT2
 
Essential Layers of IBM i Security: Security Monitoring and Auditing
Precisely
 
Office 365 and using SharePoint Online
Cliff Ashcroft
 
Enterprise Security in Mainframe-Connected Environments
Precisely
 
Lima - Digital Forensic Case Management System
IntaForensics
 
Ephesoft & Linux Webinar: Smart Capture™ is Now Even Smarter!
Zia Consulting
 
H@dfex 2015 malware analysis
Charles Lim
 
Ad

More from nullowaspmumbai (20)

PPTX
Xxe
nullowaspmumbai
 
PPTX
Switch security
nullowaspmumbai
 
PPTX
Radio hacking - Part 1
nullowaspmumbai
 
PPTX
How I got my First CVE
nullowaspmumbai
 
PPTX
Power forensics
nullowaspmumbai
 
PPTX
Infrastructure security & Incident Management
nullowaspmumbai
 
PPTX
Middleware hacking
nullowaspmumbai
 
PPTX
Internet censorship circumvention techniques
nullowaspmumbai
 
PPTX
How i got my first cve
nullowaspmumbai
 
PPTX
Adversarial machine learning updated
nullowaspmumbai
 
PPTX
Commix
nullowaspmumbai
 
PPTX
Adversarial machine learning
nullowaspmumbai
 
PPTX
Dll Hijacking
nullowaspmumbai
 
PPTX
Abusing Target
nullowaspmumbai
 
PDF
NTFS Forensics
nullowaspmumbai
 
PPTX
Drozer - An Android Application Security Tool
nullowaspmumbai
 
PPTX
Middleware hacking
nullowaspmumbai
 
PDF
Ganesh naik linux_kernel_internals
nullowaspmumbai
 
PDF
Buffer overflow null
nullowaspmumbai
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Xxe
nullowaspmumbai
 
Switch security
nullowaspmumbai
 
Radio hacking - Part 1
nullowaspmumbai
 
How I got my First CVE
nullowaspmumbai
 
Power forensics
nullowaspmumbai
 
Infrastructure security & Incident Management
nullowaspmumbai
 
Middleware hacking
nullowaspmumbai
 
Internet censorship circumvention techniques
nullowaspmumbai
 
How i got my first cve
nullowaspmumbai
 
Adversarial machine learning updated
nullowaspmumbai
 
Commix
nullowaspmumbai
 
Adversarial machine learning
nullowaspmumbai
 
Dll Hijacking
nullowaspmumbai
 
Abusing Target
nullowaspmumbai
 
NTFS Forensics
nullowaspmumbai
 
Drozer - An Android Application Security Tool
nullowaspmumbai
 
Middleware hacking
nullowaspmumbai
 
Ganesh naik linux_kernel_internals
nullowaspmumbai
 
Buffer overflow null
nullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 

Recently uploaded (20)

PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Cloud computing and distributed systems.
kkkkkhan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Approach and Philosophy of On baking technology
30anthuong17
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

ELK in Security Analytics

  • 1. ELK in Security analytics -- Lionel Faleiro Lionel Faleiro [ @sandmaxprime ]
  • 2. About Me • Trainer and Security Analyst at Institute of Information Technology / Network Intelligence India • 4+ years experience in IT • Conducted Trainings at multiple corporates • Part of the DFIR Team at NII • Key domains – Security Analytics, Malware Analysis, Log Analysis, Intrusion Response Lionel Faleiro [ @sandmaxprime ]
  • 3. Lionel Faleiro [ @sandmaxprime ]
  • 4. What Big Data.. • IS: • Store large volumes of data • Enables us to run queries on the data set • IS NOT: • Hadoop, Hive, Pig, Yarn – these are technologies • Does not automatically give you analytical results Lionel Faleiro [ @sandmaxprime ]
  • 5. Why use Big Data in Security? • User-behaviour analytics • Fraud Detection • Log correlation from additional sources • Forensic analysis on large volumes of data Lionel Faleiro [ @sandmaxprime ]
  • 6. Known SIEM Issues • Unable to ingest a lot of log sources • Cost of storage is high • Requires more compute power • Licensing issues • Monitoring on each endpoint is problematic • Current monitoring is static in nature • Too many alerts Lionel Faleiro [ @sandmaxprime ]
  • 7. SIEM + ELK = SOC 2.0 • SIEM Functions • Alerts for standard IT issues • Rules based correlations • Standard reporting/queries • ELK Functions • Visualize Logs for anomalies • Ingest logs from multiple sources with large volume • Implement Threat-Hunting strategy • Custom search and querying Lionel Faleiro [ @sandmaxprime ]
  • 8. This is not ELK.. Lionel Faleiro [ @sandmaxprime ]
  • 9. What is ELK? • E is a NoSQL databased that is based on the Lucene search engine • Stores data in an unstructured way • Cannot use SQL to query it. • L is a log pipeline tool that accepts inputs, executes transformations and outputs the data into various targets • K is a visualization layer Lionel Faleiro [ @sandmaxprime ]
  • 10. ELK Overview • Beats • Log shippers – Windows events, system status, network traffic • Elasticsearch • Data storage, search engine • Logstash • Log management component. Ingest, Process, Output • Kibana • - Create visualizations and dashboards Lionel Faleiro [ @sandmaxprime ]
  • 11. ELK Architecture Lionel Faleiro [ @sandmaxprime ]
  • 12. Elasticsearch • Based on Apache Lucene • Open-source search engine library • Created by Shay Banon • Extends Lucene to store, index and search • JSON over HTTP Lionel Faleiro [ @sandmaxprime ]
  • 13. Logstash • Integrated Log management framework • Log collection • Centralization • Parsing • Storage • Written in Jruby • Runs in JVM • Multiple input mechanism • TCP/UDP • Files • Sysog Lionel Faleiro [ @sandmaxprime ]
  • 14. Logstash: Conf • Input {} • Filter {} • Output {} Lionel Faleiro [ @sandmaxprime ]
  • 15. Lionel Faleiro [ @sandmaxprime ]
  • 16. Kibana • Visualization platform • Tight integration with Elasticsearch Lionel Faleiro [ @sandmaxprime ]
  • 17. Beats • Filebeat • Metricbeat • Packetbeat • Winlogbeat • Hearbeat Lionel Faleiro [ @sandmaxprime ]
  • 18. Filebeat • A lightweight way to forward and centralize logs and files Lionel Faleiro [ @sandmaxprime ]
  • 19. Metricbeat Lionel Faleiro [ @sandmaxprime ]
  • 20. Packetbeat • Packetbeat is a lightweight network packet analyzer that sends data to Logstash or Elasticsearch • It supports many application layer protocols, from database to key-value stores to HTTP and low-level protocols Lionel Faleiro [ @sandmaxprime ]
  • 21. Lionel Faleiro [ @sandmaxprime ]
  • 22. Winlogbeat • Winlogbeat live streams Windows event logs to Elasticsearch and Logstash in a lightweight way • Read from any windows event log channel Lionel Faleiro [ @sandmaxprime ]
  • 23. Lionel Faleiro [ @sandmaxprime ]
  • 24. Heartbeat • Monitor services for their availability with active probing • Heartbeat pings via ICMP, TCP, and HTTP, and also has support for TLS, authentication and proxies. Lionel Faleiro [ @sandmaxprime ]
  • 25. Use Cases • Nginx/Apache • Sysmon Integration • Forensics Imaging Lionel Faleiro [ @sandmaxprime ]