Here you will find Elastic references to documentation, examples, and other good resources.
You can always access our public demo environment online, check our website for fresh blog posts and videos, or subscribe to our YouTube channel.
You can also learn a lot from Elastic through our training courses listed online. You can now get certified as an Elastic Engineer!
Are you using Docker or Kubernetes? Read this and that, watch the French webinar and try it yourself in 10 minutes on Katacoda!
Is GDPR a concern for you? Watch our French webinar, read the related whitepaper and play with our GDPR scanner to inventory your Elasticsearch instances and check for compliance.
We often organize day-long hands-on workshops, typically on Operational Analytics, Security Analytics or Search. Contact us if you wish to participate.
We often organize meetups in France. You can register for upcoming ones or watch the recordings of previous meetups.
Using the Elastic stack for Security Analytics
- To start with, of course, the website page, videos & webinars and blog posts
- Watch the 1h webinar on our SIEM
- See the short 15' SIEM demo (in French).
- Watch our series of 3 webinars (in French): episode 1, episode 2 and episode 3
- and another webinar dedicated to threat hunting!
- Have a look at the customer stories, in particular USAA, which talks about enrichment and how they transferred many rules from their traditional SIEM, as well as E-Trade, which ingests 1M eps and makes intensive use of ML, alerting and drilldown with 145 dashboards!
- Great blog posts showing the use of Beats and watches to build a SOC, or how to detect WannaCry with Auditbeat
- A couple of articles on threat hunting and on the value of Elasticsearch for security
- and our great Security Analytics training course
Ingestion is all about capturing as widely as possible and enriching to add value to the raw data:
- Using Beats to capture processes, OS events, file integrity changes, etc. Check the osquery module, the Suricata Filebeat module and the blog post on the Wazuh HIDS, as well as the many distros combining the Elastic stack with IDS/IPS/HIDS, like Security Onion, Wazuh (cf. our blog post), RockNSM, SOF-ELK, HELK, CAPESstack, SELKS...
- Enrich data with threat intelligence feeds like Blueliv, YETI (see the great blog post describing the integration with Elastic; you can also use TheHive-Cortex), AlienVault OTX (direct link to the IP reputation list and a quick script to fetch it), Have I Been Pwned to check for compromised emails, a URL blacklist, Alexa's URL whitelist or the similar one from Majestic (direct link to the million URLs), and finally a combined script to fetch these feeds into Logstash.
How do you enrich? Mostly using Logstash; see below:
- a first Logstash enrichment webinar, as well as the Logstash enrichment page that covers the GeoIP, DNS, CIDR, user agent and other filters
- examples of applying Logstash enrichment in this Security Analytics use case in a blog post
- enrichment can also be performed by TheHive-Cortex
Pseudonymizing data at ingestion is key, considering the GDPR regulation (see our related blog post). You can couple this pseudonymization with field-level security to hide personal data from unauthorized users.
Tip: use the newly defined Elastic Common Schema (ECS) to normalize your data and ease correlation, filtering and the sharing of dashboards, ML jobs, etc.
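To make the ingestion steps above concrete, here is an added example of a Logstash filter block (not taken from the original page or from Elastic's own examples) that applies GeoIP, CIDR, DNS and user agent enrichment under ECS field names and pseudonymizes the user's e-mail with a keyed hash before the event is indexed. It assumes incoming events already carry `source.ip`, `user_agent.original` and `user.email`, and that `PSEUDO_KEY` is a secret stored in the Logstash keystore; the internal network ranges are constructed values.

```logstash
# Added example: ECS-named enrichment plus pseudonymization at ingestion.
# Assumes events already contain source.ip, user_agent.original and user.email.
filter {
  # GeoIP: country, city and coordinates of the source address, stored under
  # source.geo.* as ECS expects
  geoip {
    source => "[source][ip]"
    target => "[source][geo]"
  }

  # CIDR: tag events from internal ranges (constructed example networks) so
  # that later correlation can separate internal from external sources
  cidr {
    address => ["%{[source][ip]}"]
    network => ["10.0.0.0/8", "192.168.0.0/16"]
    add_tag => ["internal_source"]
  }

  # DNS: reverse-resolve the source address into source.domain. The IP is
  # copied first so that source.ip itself keeps its ECS "ip" type.
  mutate {
    copy => { "[source][ip]" => "[source][domain]" }
  }
  dns {
    reverse        => ["[source][domain]"]
    action         => "replace"
    hit_cache_size => 4096
    hit_cache_ttl  => 900
  }

  # User agent: parse the raw UA string into user_agent.name, user_agent.os.*, ...
  useragent {
    source => "[user_agent][original]"
    target => "[user_agent]"
  }

  # Pseudonymization (GDPR): replace the e-mail with an HMAC-SHA256 of its value.
  # The same input always maps to the same token, so correlation across events
  # still works, but the clear-text address never reaches the index. The key
  # comes from the Logstash keystore (${PSEUDO_KEY}), not from this file.
  fingerprint {
    source => ["[user][email]"]
    target => "[user][email]"
    method => "SHA256"
    key    => "${PSEUDO_KEY}"
  }
}
```

Combined with field-level security on the remaining sensitive fields, analysts without the proper role see only the pseudonymized token.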
Once the data is in, you can leverage the awesomeness of Elastic ML and Graph:
- see our videos and in particular the episode 3 (coming soon)
- have a look at our ML recipes that describe in detail a few attacks and how to detect them
- check a few other ML examples related to security analytics
Elastic Watcher is used to correlate events (static, or dynamically identified by ML) and alert via email, Slack, Jira, PagerDuty or any other system (see documentation). A few additional resources:
- first learn about Watcher on our website
- a few examples of watches
- the Sigma rules translated for Watcher on Uncoder (select a Sigma rule on the left, then Watcher in the drop-down list on the right, and click Translate!)
- integration with external SOAR (Security Orchestration and Automated Response) platforms like CyberSponse, Siemplify or SOC Prime, or with a security incident response platform like TheHive
Here is a list of content references to help you start with and understand Elastic ML:
- beyond our website intro and the public demo listed above, a lot of good material can be found in blog posts, including the intro, how it works, advanced aggregations with derivative, and forecasting
- ML recipes here
- examples of ML jobs on GitHub
- how to display the model in multi-metric jobs, on Discuss
- there are many other tips & tricks, so come and ping us to learn some more!
Beyond our awesome online documentation, you might be interested in further resources:
- the Elastic stack comes with more and more datasets:
- examples of ML jobs, watches, etc. on Elastic's GitHub
- examples of Canvas workpads on GitHub
- examples of ML jobs focused on Security Analytics on GitHub