Elastic Security (ELK)

Intermediate · 40 min · Writeup

Using Elastic Stack for security monitoring

Learning Objectives

  • Set up Elastic Security
  • Query with KQL
  • Create visualizations
  • Build detection rules

Elastic Security (part of the ELK Stack) is a powerful open-source SIEM solution. It combines Elasticsearch for storage and search, Kibana for visualization, and Beats/Agents for data collection. Many organizations choose it for its flexibility and cost-effectiveness.

Think of the ELK Stack like building blocks: Elasticsearch is the warehouse where all your logs are stored and indexed, Kibana is the window into that warehouse (dashboards and searches), and Beats are the delivery trucks bringing logs from everywhere.

ELK vs Elastic Security

ELK Stack is the core platform. Elastic Security adds security-specific features: detection rules, case management, and threat intelligence integration. The free tier includes many security features!

ELK Stack Architecture

ELK Stack Components:

DATA COLLECTION (Beats)
─────────────────────────────────────────────────────────────────
Filebeat      │ Collects log files
Winlogbeat    │ Windows Event Logs
Packetbeat    │ Network packet data
Auditbeat     │ Linux audit data
Metricbeat    │ System metrics
Heartbeat     │ Uptime monitoring

Elastic Agent │ Unified agent (replaces individual Beats)

DATA PROCESSING
─────────────────────────────────────────────────────────────────
Logstash      │ Parse, transform, enrich data
              │ (Optional - Beats can send directly to Elasticsearch)

DATA STORAGE
─────────────────────────────────────────────────────────────────
Elasticsearch │ Distributed search engine
              │ Stores and indexes all data
              │ RESTful API for queries

VISUALIZATION
─────────────────────────────────────────────────────────────────
Kibana        │ Web interface for search and dashboards
              │ Elastic Security UI
              │ Detection rules management

Data Flow:
Logs → Beat/Agent → (Logstash) → Elasticsearch → Kibana

KQL Query Basics

KQL (Kibana Query Language) Basics:

SIMPLE SEARCHES
─────────────────────────────────────────────────────────────────
failed                                   │ Full-text search
"authentication failed"                  │ Exact phrase
error OR warning                         │ Either term
error AND user                           │ Both terms
NOT error                                │ Exclude term

FIELD SEARCHES
─────────────────────────────────────────────────────────────────
user.name: admin                         │ Field equals value
source.ip: 192.168.1.100                 │ Field equals IP
event.code: 4625                         │ Field equals number
host.name: webserver*                    │ Wildcard

BOOLEAN COMBINATIONS
─────────────────────────────────────────────────────────────────
user.name: admin AND source.ip: 192.168.1.*
(error OR failed) AND user.name: admin
event.code: 4625 AND NOT source.ip: 127.0.0.1

RANGE QUERIES
─────────────────────────────────────────────────────────────────
response_time >= 1000                    │ Greater than or equal
bytes_sent <= 100                        │ Less than or equal
http.response.status_code: [400 TO 499]  │ Range

EXISTS
─────────────────────────────────────────────────────────────────
user.name: *                             │ Field exists
NOT user.name: *                         │ Field does not exist

NESTED FIELDS
─────────────────────────────────────────────────────────────────
process.parent.name: explorer.exe
user.effective.name: admin
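As an added example (not part of the original writeup), the following Python translator turns the KQL forms listed above into the Elasticsearch query DSL that Kibana generates for a search, so you can see what `field: value`, `NOT`, wildcards, ranges and `field: *` become at the API level. It deliberately covers only terms joined by AND with an optional leading NOT; OR and parentheses are out of scope.

```python
import re

# Subset of KQL: terms joined by AND, optional leading NOT per term.
RANGE_RE = re.compile(r"^(\S+)\s*(>=|<=|>|<)\s*(\S+)$")          # response_time >= 1000
BRACKET_RE = re.compile(r"^(\S+):\s*\[(\S+)\s+TO\s+(\S+)\]$")     # status_code: [400 TO 499]
FIELD_RE = re.compile(r"^(\S+):\s*(.+)$")                         # user.name: admin
OPS = {">=": "gte", "<=": "lte", ">": "gt", "<": "lt"}

def literal(value):
    """Keep numbers numeric so range and term clauses compare numerically."""
    try:
        return int(value)
    except ValueError:
        try:
            return float(value)
        except ValueError:
            return value.strip('"')

def term_to_dsl(term):
    term = term.strip()
    negate = term.upper().startswith("NOT ")
    if negate:
        term = term[4:].strip()
    if m := RANGE_RE.match(term):
        field, op, value = m.groups()
        clause = {"range": {field: {OPS[op]: literal(value)}}}
    elif m := BRACKET_RE.match(term):
        field, lo, hi = m.groups()
        clause = {"range": {field: {"gte": literal(lo), "lte": literal(hi)}}}
    elif m := FIELD_RE.match(term):
        field, value = m.groups()
        value = value.strip().strip('"')
        if value == "*":                                   # user.name: *  -> exists
            clause = {"exists": {"field": field}}
        elif "*" in value:                                 # host.name: webserver*
            clause = {"wildcard": {field: {"value": value}}}
        else:                                              # user.name: admin
            clause = {"match_phrase": {field: literal(value)}}
    else:  # bare text: exact phrase if quoted, otherwise matched across all fields
        quoted = term.startswith('"') and term.endswith('"')
        clause = {"multi_match": {"query": term.strip('"'),
                                  "type": "phrase" if quoted else "best_fields",
                                  "lenient": True}}
    return {"bool": {"must_not": clause}} if negate else clause

def kql_to_dsl(query):
    """Translate an AND-joined KQL string into a filter-context bool query."""
    terms = re.split(r"\s+AND\s+", query.strip())
    return {"query": {"bool": {"filter": [term_to_dsl(t) for t in terms]}}}
```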

Security Searches in Kibana

Security-Focused KQL Queries:

WINDOWS AUTHENTICATION
─────────────────────────────────────────────────────────────────
# Failed logins
event.code: 4625

# Successful logins
event.code: 4624

# Failed logins from specific IP
event.code: 4625 AND source.ip: 192.168.1.100

# Admin account activity
event.code: 4624 AND winlog.event_data.TargetUserName: administrator

# Network logon (lateral movement)
event.code: 4624 AND winlog.event_data.LogonType: 3

POWERSHELL DETECTION
─────────────────────────────────────────────────────────────────
# PowerShell execution
event.code: 4104

# Encoded PowerShell
powershell.file.script_block_text: *EncodedCommand*

# Download cradles
powershell.file.script_block_text: (*DownloadString* OR *WebClient*)

PROCESS CREATION
─────────────────────────────────────────────────────────────────
# All process creation (Sysmon)
event.code: 1

# Suspicious processes
event.code: 1 AND process.name: (cmd.exe OR powershell.exe)

# Process from temp folder
event.code: 1 AND process.executable: *\Temp\*

NETWORK CONNECTIONS
─────────────────────────────────────────────────────────────────
# Outbound connections (Sysmon)
event.code: 3

# Connection to specific port
event.code: 3 AND destination.port: 4444

# Connections from PowerShell
event.code: 3 AND process.name: powershell.exe

Detection Rules

Elastic Security Detection Rules:

RULE TYPES
─────────────────────────────────────────────────────────────────
Custom Query     │ KQL-based detection
Machine Learning │ Anomaly detection
Threshold        │ Event count threshold
EQL              │ Event Query Language (sequences)
Indicator Match  │ Threat intel IOC matching

CREATING A DETECTION RULE
─────────────────────────────────────────────────────────────────
1. Security → Detections → Rules → Create new rule
2. Choose rule type
3. Define query/conditions
4. Set severity and risk score
5. Configure schedule
6. Add actions (optional)

EXAMPLE: Brute Force Detection
─────────────────────────────────────────────────────────────────
Type: Threshold
Index: winlogbeat-*
Query: event.code: 4625
Threshold: count >= 10
Group by: source.ip
Time window: 5 minutes
Severity: Medium

EXAMPLE: Encoded PowerShell
─────────────────────────────────────────────────────────────────
Type: Custom query
Index: winlogbeat-*
Query: event.code: 4104 AND
       powershell.file.script_block_text: *-enc*
Severity: High
MITRE ATT&CK: T1059.001

EQL EXAMPLE: PROCESS SEQUENCE
─────────────────────────────────────────────────────────────────
Type: EQL
Query:
sequence by host.name with maxspan=5m
  [process where process.name == "outlook.exe"]
  [process where process.name == "powershell.exe"]
  [network where destination.port == 443]

Detects: Email → PowerShell → Network (possible phish)
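To make concrete what the brute force Threshold rule above computes, here is an added Python emulation (written for this page, not Elastic's own implementation) run over constructed Winlogbeat-style documents: it keeps only `event.code: 4625`, groups by `source.ip`, counts inside a sliding 5-minute window and raises one alert per source the first time it reaches 10 failures. The sample events and the `threshold_rule` helper are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ECS-style documents as Winlogbeat would index them; not real log data.
# 12 failures in 33 seconds from one external IP, one failure from an internal IP,
# and one successful logon (4624) that the rule's query must ignore.
EVENTS = [
    {"@timestamp": f"2024-05-01T10:00:{s:02d}Z", "event.code": 4625,
     "source.ip": "203.0.113.9", "user.name": "admin"}
    for s in range(0, 36, 3)
] + [
    {"@timestamp": "2024-05-01T10:01:00Z", "event.code": 4625,
     "source.ip": "192.168.1.50", "user.name": "jsmith"},
    {"@timestamp": "2024-05-01T10:02:00Z", "event.code": 4624,
     "source.ip": "203.0.113.9", "user.name": "admin"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def threshold_rule(events, query=lambda e: e.get("event.code") == 4625,
                   group_by="source.ip", threshold=10,
                   window=timedelta(minutes=5), severity="medium"):
    """Emulate the Threshold rule: per group_by value, count events matching
    `query` inside a sliding `window`; alert once per group when the count
    first reaches `threshold`. Returns the list of alerts."""
    recent = defaultdict(deque)   # group value -> timestamps still inside the window
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not query(ev):
            continue
        key = ev.get(group_by)
        ts = parse_ts(ev["@timestamp"])
        bucket = recent[key]
        bucket.append(ts)
        while ts - bucket[0] > window:   # drop timestamps that fell out of the window
            bucket.popleft()
        if len(bucket) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({group_by: key, "count": len(bucket), "severity": severity,
                           "first": bucket[0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in threshold_rule(EVENTS):
        print(alert)
```

Tightening the window or raising the threshold changes whether the same burst fires, which is the knob the Tune step of the workflow adjusts.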

Elastic Detection Rules

Elastic provides hundreds of pre-built detection rules aligned to MITRE ATT&CK. Enable them in Security → Detections → Rules → Load Elastic prebuilt rules. Review and enable relevant ones!

Event Query Language (EQL)

EQL - Advanced Pattern Detection:

BASIC EQL SYNTAX
─────────────────────────────────────────────────────────────────
# Simple process query
process where process.name == "cmd.exe"

# With conditions
process where process.name == "cmd.exe" and
  process.parent.name == "explorer.exe"

# Wildcard matching
process where process.name : "power*"

# Field existence
process where process.command_line != null

SEQUENCES (Most Powerful Feature!)
─────────────────────────────────────────────────────────────────
# Two events in order
sequence
  [process where process.name == "word.exe"]
  [process where process.name == "cmd.exe"]

# With time constraint
sequence with maxspan=1m
  [file where file.extension == "docx"]
  [process where process.name == "powershell.exe"]

# Grouped by host
sequence by host.name with maxspan=5m
  [authentication where event.outcome == "failure"]
  [authentication where event.outcome == "success"]

REAL-WORLD DETECTIONS
─────────────────────────────────────────────────────────────────
# Credential dumping (LSASS access)
sequence by host.name with maxspan=1m
  [process where process.name == "mimikatz.exe"]
  [file where file.name : "*.dmp"]

# Ransomware behavior
sequence by host.name with maxspan=10m
  [file where event.type == "change"]
  [file where event.type == "change"]
  [file where event.type == "change"]
  [process where process.name : "*.exe" and
    process.args : "vssadmin" and process.args : "shadows"]

# Living off the land (LOLBins)
process where
  process.name in ("certutil.exe", "bitsadmin.exe") and
  process.args : "*http*"
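As an added example covering both the EQL sequences above and the Outlook → PowerShell → port 443 rule in the Detection Rules section, the following Python is a simplified sequence matcher for `sequence by host.name with maxspan=5m`. It is written for this page, not Elastic's EQL engine: chains in progress are tracked per host, each stage must occur in order, and a chain is dropped once the current event is more than maxspan after the chain's first event. The events and the `sequence` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events in ECS field names; not real telemetry.
# WORKSTATION-42 completes the chain inside 5 minutes; SRV-01 has the same
# three events but spread over ten minutes, so maxspan=5m must reject it.
EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "host.name": "WORKSTATION-42",
     "event.category": "process", "process.name": "outlook.exe"},
    {"@timestamp": "2024-05-01T09:01:30Z", "host.name": "WORKSTATION-42",
     "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": "2024-05-01T09:02:10Z", "host.name": "WORKSTATION-42",
     "event.category": "network", "destination.port": 443},
    {"@timestamp": "2024-05-01T09:00:05Z", "host.name": "SRV-01",
     "event.category": "process", "process.name": "outlook.exe"},
    {"@timestamp": "2024-05-01T09:10:00Z", "host.name": "SRV-01",
     "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": "2024-05-01T09:10:20Z", "host.name": "SRV-01",
     "event.category": "network", "destination.port": 443},
]

# The three stages of the EQL rule, each as a predicate over one event.
PHISH_STAGES = [
    lambda e: e["event.category"] == "process" and e.get("process.name") == "outlook.exe",
    lambda e: e["event.category"] == "process" and e.get("process.name") == "powershell.exe",
    lambda e: e["event.category"] == "network" and e.get("destination.port") == 443,
]

def ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def sequence(events, stages, by, maxspan):
    """Return every completed chain: a list of events, one per stage, all sharing
    the same `by` value, in order, with last - first <= maxspan."""
    partial = defaultdict(list)   # by-value -> chains still waiting for their next stage
    matches = []
    for ev in sorted(events, key=ts):
        key = ev.get(by)
        kept = []
        for chain in partial[key]:
            if ts(ev) - ts(chain[0]) > maxspan:
                continue                       # expired: the chain can never complete
            if stages[len(chain)](ev):         # event satisfies the chain's next stage
                chain = chain + [ev]
                if len(chain) == len(stages):
                    matches.append(chain)
                    continue
            kept.append(chain)
        if stages[0](ev):                      # any first-stage event opens a new chain
            kept.append([ev])
        partial[key] = kept
    return matches
```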

Security Dashboards

Kibana Security Dashboards:

BUILT-IN DASHBOARDS (Elastic Security)
─────────────────────────────────────────────────────────────────
Overview  │ Alert trends, top rules, severity distribution
Hosts     │ Host activity, authentications, processes
Network   │ Traffic flows, connections, DNS
Timelines │ Investigation workspace
Cases     │ Case management

CREATING CUSTOM VISUALIZATIONS
─────────────────────────────────────────────────────────────────
1. Kibana → Visualize Library → Create
2. Choose visualization type
3. Select index pattern
4. Configure metrics and buckets
5. Save and add to dashboard

USEFUL SECURITY VISUALIZATIONS
─────────────────────────────────────────────────────────────────
Authentication Failures by IP (Bar Chart):
├── Metric: Count
├── Bucket: Terms, source.ip
└── Filter: event.code: 4625

Login Trend Over Time (Line Chart):
├── Metric: Count
├── Bucket: Date histogram, @timestamp
└── Split by: event.outcome (success/failure)

Top Targeted Users (Pie Chart):
├── Metric: Count
├── Bucket: Terms, user.name
└── Filter: event.code: 4625

Process Execution Table:
├── Columns: @timestamp, host.name, user.name,
│            process.name, process.command_line
└── Filter: event.code: 1 OR event.code: 4688

Timeline Investigation

Elastic Security Timeline:

WHAT IS TIMELINE?
─────────────────────────────────────────────────────────────────
Interactive investigation workspace where you:
├── Search and filter events
├── Add notes and comments
├── Build an investigation timeline
└── Save for later or attach to a case

USING TIMELINE
─────────────────────────────────────────────────────────────────
1. Security → Timelines → Create new timeline
2. Add query or filters
3. Drag relevant events into the timeline
4. Add notes to events
5. Save timeline with description

INVESTIGATION WORKFLOW
─────────────────────────────────────────────────────────────────
1. Alert triggers on suspicious activity
2. Open alert → "Investigate in timeline"
3. Pivot on key fields (user, host, IP)
4. Add related events to timeline
5. Add notes documenting findings
6. Create case if confirmed incident

EXAMPLE: INVESTIGATING AN ALERT
─────────────────────────────────────────────────────────────────
Alert: "Encoded PowerShell execution"
Host: WORKSTATION-42
User: jsmith

Timeline Investigation:
├── Search: host.name: WORKSTATION-42
│   └── See all activity on that host
├── Search: user.name: jsmith
│   └── See what else the user did
├── Search: process.parent.name: outlook.exe
│   └── Check if email-related
├── Add suspicious events to timeline
├── Note: "PowerShell launched from Outlook - phishing"
└── Create case for IR team

Elastic Security Methodology

Elastic Security Workflow

1. Ingest: Configure Beats/Agent to collect logs
2. Enable Rules: Load and enable detection rules
3. Monitor: Review alerts in Security Overview
4. Investigate: Use Timeline and KQL to dig deeper
5. Document: Create cases for confirmed incidents
6. Tune: Adjust rules to reduce false positives

Knowledge Check

Quick Quiz

What query language does Kibana use for searching?

Challenges

Write a KQL Query

Challenge (intermediate)

Write a KQL query to find all failed Windows logins (event.code: 4625) from external IP addresses (not starting with 192.168 or 10.).


Key Takeaways

  • ELK Stack: Beats collect, Elasticsearch stores, Kibana visualizes
  • KQL is Kibana's query language: field: value AND/OR/NOT
  • EQL detects sequences - perfect for attack chain detection
  • Elastic provides pre-built detection rules mapped to MITRE ATT&CK
  • Timeline is the investigation workspace - pivot, note, document
  • Free tier includes many security features - great for learning