Elastic Stack

Elastic Stack as a SIEM

The Elastic Stack can function as a SIEM (Security Information and Event Management) system. It allows you to:

  • Ingest logs from firewalls, IDS/IPS, endpoints, etc.

  • Correlate events and detect threats in Elasticsearch

  • Visualize incidents and build dashboards in Kibana

  • Hunt threats and investigate with custom queries (KQL)

It’s made up of:

  • Elasticsearch: A distributed search and analytics engine (stores and queries data)

  • Logstash: Collects, processes, and forwards data (mainly logs)

  • Kibana: Visualizes the data stored in Elasticsearch

  • Beats: Lightweight agents (e.g. Filebeat, Metricbeat) that send data to Logstash or Elasticsearch.

Kibana Query Language (KQL)

KQL helps SOC analysts filter and analyze logs efficiently using:

  • field:value pairs (e.g. event.code:4625)

  • Logical operators: AND, OR, NOT

  • Comparison operators: :>, :<, :!

  • Wildcards (e.g. user.name:admin*)

Examples of queries

windows* and event.code:4625 AND user.name: admin*
windows* and event.code:4625 AND winlog.event_data.SubStatus:0xC0000072 AND @timestamp >= "2023-03-03T00:00:00.000Z" AND @timestamp <= "2023-03-06T23:59:59.999Z"
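The second query above narrows failed logons (event 4625) to those with SubStatus 0xC0000072, which Windows reports when the target account is disabled, inside a three-day window. To show how each clause of such a query is evaluated, here is an added example that is not part of the original page: a small Python evaluator for the KQL subset used above (field:value with a trailing wildcard, AND, and range comparisons on @timestamp), run over a constructed set of Winlogbeat-style events. It is a simplified model of KQL semantics, not Elasticsearch's query engine; free text is assumed to match whole field values rather than analyzed tokens.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of Windows Security events, flattened the way Kibana shows them
# (field names follow ECS / Winlogbeat; the values are made up for this example).
EVENTS = [
    {"@timestamp": "2023-03-04T10:15:00.000Z", "host.os.name": "Windows Server 2019",
     "event.code": "4625", "user.name": "administrator", "winlog.event_data.SubStatus": "0xC0000072"},
    {"@timestamp": "2023-03-04T10:16:00.000Z", "host.os.name": "Windows Server 2019",
     "event.code": "4625", "user.name": "admin", "winlog.event_data.SubStatus": "0xC000006A"},
    {"@timestamp": "2023-03-10T08:00:00.000Z", "host.os.name": "Windows 10",
     "event.code": "4625", "user.name": "admin2", "winlog.event_data.SubStatus": "0xC0000072"},
    {"@timestamp": "2023-03-05T12:00:00.000Z", "host.os.name": "Windows 10",
     "event.code": "4624", "user.name": "admin", "winlog.event_data.SubStatus": "0x0"},
]

# One clause: field, operator (":" or a range operator), value (quotes optional).
CLAUSE = re.compile(r'^(?P<field>[\w.@]+)\s*(?P<op>>=|<=|>|<|:)\s*"?(?P<value>[^"]+?)"?$')

def parse(query):
    """Split a query on AND (KQL operators are case-insensitive) into clauses.
    A clause with no field is free text and is represented with field=None."""
    clauses = []
    for raw in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE.match(raw.strip())
        clauses.append((m["field"], m["op"], m["value"].strip()) if m else (None, ":", raw.strip()))
    return clauses

def matches(event, clause):
    field, op, value = clause
    if field is None:
        # Free text: simplified here to a case-insensitive wildcard over every value.
        return any(fnmatchcase(str(v).lower(), value.lower()) for v in event.values())
    actual = event.get(field)
    if actual is None:          # a missing field never matches, as in Elasticsearch
        return False
    if op == ":":
        # keyword fields match exactly (case-sensitive); a trailing "*" gives the prefix match used above
        return fnmatchcase(str(actual), value)
    # Range on strings: correct for ISO-8601 timestamps, which sort lexicographically.
    return {">=": actual >= value, "<=": actual <= value, ">": actual > value, "<": actual < value}[op]

def search(events, query):
    """Return the events for which every AND-ed clause holds."""
    clauses = parse(query)
    return [e for e in events if all(matches(e, c) for c in clauses)]

# The page's second query: failed logons against disabled accounts (SubStatus 0xC0000072) in a date window.
DISABLED_ACCOUNT_LOGONS = ('windows* and event.code:4625 AND winlog.event_data.SubStatus:0xC0000072 '
                           'AND @timestamp >= "2023-03-03T00:00:00.000Z" AND @timestamp <= "2023-03-06T23:59:59.999Z"')
```

Calling search(EVENTS, DISABLED_ACCOUNT_LOGONS) returns only the first event; the second fails on SubStatus (0xC000006A is a wrong password) and the third falls outside the time range.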
