11. Alerts vs Raw Data
• Alerts give very specific information, but they don’t tell the whole story. Context is key, but isn’t in the alert.
• Alert logic may not be visible to the analyst or hard to interpret.
• Alert may not give enough details.
• Raw data is high volume and hard to sift through.
• Either create alerts from the raw data or get both.
12. Trust, But Verify
• Log settings can change during an upgrade of a product, by mistake, or maliciously.
• “Turn on Logs” is not really a setting. Check to see exactly what’s enabled and where.
• Regularly test to ensure logs (volume and variety) are as expected.
• Operationalize log collection.
• Understand what you have today, and determine what you need.
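A concrete form of the “regularly test volume and variety” check above, as an added example that is not part of the original slides: it compares what each log source actually delivered in a window against a per-source baseline (expected event types and minimum count) and reports sources that went silent, dropped below volume, or stopped emitting an expected event type. The baseline, source names and sample events are constructed for illustration.

```python
"""Verify that log collection still delivers the expected volume and
variety per source. Added example, not from the original slides; the
baseline thresholds and sample events below are constructed."""
from collections import Counter, defaultdict

# Constructed baseline: for each log source, the event types we expect to
# see and the minimum event count expected in the checked window.
BASELINE = {
    "winlog/security": {"expected_ids": {4624, 4625, 4688, 4720}, "min_count": 6},
    "sysmon": {"expected_ids": {1, 3, 11}, "min_count": 3},
    "auditd": {"expected_ids": {"EXECVE", "SYSCALL"}, "min_count": 2},
}

# Constructed sample of what actually arrived in the window. Security
# event 4688 (process creation) never shows up, as if process-creation
# auditing had been switched off, and the sysmon source is silent entirely.
SAMPLE_EVENTS = [
    ("winlog/security", 4624), ("winlog/security", 4624),
    ("winlog/security", 4625), ("winlog/security", 4720),
    ("winlog/security", 4624), ("winlog/security", 4625),
    ("auditd", "EXECVE"), ("auditd", "SYSCALL"), ("auditd", "SYSCALL"),
]


def check_collection(events, baseline):
    """Return {source: [problem, ...]} for every baseline source that is
    silent, under volume, or missing an expected event type."""
    per_source = defaultdict(Counter)
    for source, event_id in events:
        per_source[source][event_id] += 1
    findings = {}
    for source, expect in baseline.items():
        seen = per_source.get(source, Counter())
        total = sum(seen.values())
        # expected_ids is homogeneous per source, so a plain sort is safe
        missing_types = sorted(expect["expected_ids"] - set(seen))
        problems = []
        if total == 0:
            problems.append("no events at all")
        elif total < expect["min_count"]:
            problems.append(f"volume {total} below minimum {expect['min_count']}")
        if missing_types:
            problems.append("missing event types: " + ", ".join(map(str, missing_types)))
        if problems:
            findings[source] = problems
    return findings


if __name__ == "__main__":
    for source, problems in check_collection(SAMPLE_EVENTS, BASELINE).items():
        print(f"{source}: {'; '.join(problems)}")
```

Run it on a schedule against real collector output and alert on any non-empty result; a source that disappears from the findings only because its baseline entry was deleted is itself a change worth reviewing.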
13. MITRE ATT&CK
• Use the framework to determine your visibility gap
(https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html)
• Use testing frameworks to check detections
(https://github.com/redcanaryco/atomic-red-team)
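One way to turn the “visibility gap” idea above into a number, as an added example that is not from the slides or the linked blog post: score each ATT&CK technique by the fraction of the data sources that would reveal it which your collectors actually deliver, and list the techniques that fall below a threshold. The technique-to-data-source mapping and the collected-source inventory are constructed, illustrative subsets, not the full ATT&CK mapping.

```python
"""Score ATT&CK technique visibility from the data sources actually
collected. Added example, not from the slides or the linked post; the
mapping and inventory below are constructed, illustrative subsets."""

# Constructed mapping: technique -> data sources that would reveal it.
TECHNIQUE_SOURCES = {
    "T1059 Command and Scripting Interpreter": {"Process Creation", "Command Execution"},
    "T1053 Scheduled Task/Job": {"Scheduled Job Creation", "Process Creation", "Command Execution"},
    "T1003 OS Credential Dumping": {"Process Access", "Process Creation", "Command Execution"},
    "T1021 Remote Services": {"Logon Session Creation", "Network Connection Creation"},
    "T1547 Boot or Logon Autostart Execution": {"Windows Registry Key Modification", "File Creation"},
}

# Constructed inventory: event counts each source delivered recently. A
# source that is configured but produced nothing counts as not collected;
# visibility is about data that actually arrives, not settings on paper.
COLLECTED = {
    "Process Creation": 1200,
    "Command Execution": 1150,
    "Network Connection Creation": 830,
    "Logon Session Creation": 410,
    "Windows Registry Key Modification": 0,
}


def visibility(technique_sources, collected):
    """Return {technique: (score, missing_sources)} where score is the
    fraction of required data sources with at least one event collected."""
    live = {src for src, count in collected.items() if count > 0}
    report = {}
    for technique, required in technique_sources.items():
        missing = sorted(required - live)
        report[technique] = (round(1 - len(missing) / len(required), 2), missing)
    return report


def gaps(report, threshold=0.5):
    """Techniques scoring below threshold, worst first: the visibility gap."""
    return sorted((t for t, (score, _) in report.items() if score < threshold),
                  key=lambda t: report[t][0])


if __name__ == "__main__":
    rep = visibility(TECHNIQUE_SOURCES, COLLECTED)
    for technique in gaps(rep, threshold=0.7):
        score, missing = rep[technique]
        print(f"{technique}: {score:.0%} (missing: {', '.join(missing)})")
```

The output is the list of techniques an atomic test would likely exercise without leaving a trace in your data, which is where to point the testing framework linked above first.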
Hi, everyone. Over the past few years, we’ve been making it easier for our users to deploy Elastic for Security Analytics.
We define Security Analytics as the highly scalable collection, indexing, and real-time advanced analysis of all kinds of security-related data…
We’re now introducing Elastic SIEM to provide a curated experience for security analysts and investigators to perform:
Security information and event management
Threat detection
Threat hunting
Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why.
This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases.
So what have we been building? Let me share some recent highlights:
We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data.
We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more.
In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute.
We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field.
Saving the best for last, Endgame has joined Elastic.