🔐 Elastic Stack (ELK): The Basics — SOC Analyst Guide
📘 Task 1: Introduction
Elastic Stack (ELK) is widely used in modern Security Operations Centers (SOC) for log analysis and investigations. Although it is not a traditional SIEM, its powerful search and visualization capabilities make it function like one.
🎯 Learning Objectives
- Understand ELK components
- Explore features of ELK
- Learn searching & filtering
- Investigate VPN logs
- Create dashboards & visualizations
📘 Task 2: Components of ELK
Elastic Stack consists of four main components:
1. Elasticsearch
- Stores and analyzes data
- Works with JSON documents
- Provides fast search using a REST API
2. Logstash
- Data processing pipeline
- Collects, filters, and sends data
Structure:
- Input → Source of data
- Filter → Normalize data
- Output → Destination
3. Beats
- Lightweight agents
- Send data from endpoints
4. Kibana
- Visualization tool
- Used for dashboards and investigations
✅ Answers:
- Logstash is used to visualize data → nay
- Elasticsearch supports all formats except JSON → nay
📘 Task 3: Discover Tab (Log Analysis)
The Discover tab in Kibana is where SOC analysts spend most of their time.
🔍 Features:
- Logs view
- Fields panel
- Search bar (KQL)
- Time filter
- Index pattern
✅ Answers:
- Total hits → 2861
- Max connections IP → 238.163.231.224
- User with max traffic → James
- Emanda max source IP → 107.14.1.247
- Spike IP (Jan 11) → 172.201.60.191
- Connections excluding New York → 48
📘 Task 4: KQL (Kibana Query Language)
KQL (Kibana Query Language) is the search syntax used in the Discover search bar to filter logs efficiently.
🔎 Types of Search:
1. Free Text Search (matches the term in any field)
Example: United States
2. Field-Based Search (matches the value in a specific field)
Example: Source_ip : 238.163.231.224
3. Operators (combine or negate conditions)
- AND
- OR
- NOT
✅ Answers:
- Records (US + James OR Albert) → 161
- Johny Brown VPN after termination → 1
📘 Task 5: Visualization
Kibana allows creating:
- Tables
- Pie charts
- Bar charts
📊 Use Cases:
- Identify trends
- Correlate fields
- Monitor anomalies
📘 Task 6: Failed Login Analysis
Created a visualization of failed VPN login attempts, grouped by user.
✅ Answers:
- User with most failed attempts → Simon
- Wrong attempts in January → 274
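As an added example (not code from the TryHackMe room or from Elastic), the searches used in Task 3 (excluding a city), Task 4 (AND/OR/NOT) and Task 6 (failed logins per user) are evaluated locally with a small model of the term/bool query DSL that KQL compiles to, run over constructed VPN log documents. The field names apart from Source_ip (UserName, Source_Country, Source_City, action) and all sample values are assumptions.

```python
from collections import Counter

# Constructed sample VPN log documents (not the room's data); field names other
# than Source_ip (UserName, Source_Country, Source_City, action) are assumed.
VPN_LOGS = [
    {"UserName": "James",  "Source_ip": "203.0.113.10", "Source_Country": "United States", "Source_City": "New York", "action": "Success"},
    {"UserName": "Albert", "Source_ip": "203.0.113.11", "Source_Country": "United States", "Source_City": "Chicago",  "action": "Success"},
    {"UserName": "Simon",  "Source_ip": "203.0.113.12", "Source_Country": "United States", "Source_City": "New York", "action": "Failed"},
    {"UserName": "Simon",  "Source_ip": "203.0.113.13", "Source_Country": "Canada",        "Source_City": "Toronto",  "action": "Failed"},
    {"UserName": "Emanda", "Source_ip": "203.0.113.14", "Source_Country": "United States", "Source_City": "Boston",   "action": "Failed"},
    {"UserName": "James",  "Source_ip": "203.0.113.15", "Source_Country": "Germany",       "Source_City": "Berlin",   "action": "Success"},
    {"UserName": "Albert", "Source_ip": "203.0.113.16", "Source_Country": "Germany",       "Source_City": "Munich",   "action": "Success"},
]

def term(field, value):  # KQL  field : value
    return {"term": {field: value}}
def AND(*qs):            # KQL AND -> bool.must
    return {"bool": {"must": list(qs)}}
def OR(*qs):             # KQL OR  -> bool.should with minimum_should_match: 1
    return {"bool": {"should": list(qs), "minimum_should_match": 1}}
def NOT(q):              # KQL NOT -> bool.must_not
    return {"bool": {"must_not": [q]}}

def matches(doc, query):
    """Evaluate the term/bool subset of the query DSL against one document."""
    if "term" in query:
        (field, value), = query["term"].items()
        return doc.get(field) == value
    b = query["bool"]
    if not all(matches(doc, q) for q in b.get("must", [])):
        return False
    if any(matches(doc, q) for q in b.get("must_not", [])):
        return False
    hits = sum(matches(doc, q) for q in b.get("should", []))
    return hits >= b.get("minimum_should_match", 0)

def search(query, docs=VPN_LOGS):
    return [d for d in docs if matches(d, query)]

# Task 4 style query. KQL gives AND higher precedence than OR, so the
# parentheses matter: without them Albert's non-US logins are matched too.
US = term("Source_Country", "United States")
GROUPED   = AND(US, OR(term("UserName", "James"), term("UserName", "Albert")))
UNGROUPED = OR(AND(US, term("UserName", "James")), term("UserName", "Albert"))

NOT_NEW_YORK = NOT(term("Source_City", "New York"))  # Task 3 style exclusion

def failed_attempts_by_user(docs=VPN_LOGS):
    """Task 6: failed VPN logins per user, what the bar chart visualizes."""
    return Counter(d["UserName"] for d in search(term("action", "Failed"), docs))
```

Comparing len(search(GROUPED)) with len(search(UNGROUPED)) shows why the grouped form is the one that answers the Task 4 question.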
📘 Task 7: Dashboard & Insights
Dashboards provide:
- Real-time monitoring
- Centralized view
- Easy anomaly detection
📘 Task 8: Conclusion
Elastic Stack (ELK) is a powerful tool for SOC analysts. It helps in:
- Collecting logs
- Searching data
- Detecting threats
- Visualizing insights
It may not be a traditional SIEM, but it is widely used as one in real-world security operations.
🎉 Final Note
This hands-on lab gave real-world experience of:
- Investigating VPN logs
- Detecting anomalies
- Creating dashboards