ELK for Security Analysis
You must master your data if you want to catch bad guys and find evil. But how can you do that?
That’s where the ELK stack comes in.
ELK is Elasticsearch, Logstash, and Kibana and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course; it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.
You’ll learn the basics of:
- Elasticsearch: How data is stored and indexed. Working with JSON documents.
- Logstash: How to collect and manipulate structured and unstructured data.
- Kibana: Techniques for searching data and building useful visualizations and dashboards.
- Beats: How to use the Beats agents to ship data from endpoints and servers to your ELK systems.
I’ll show you how to build complete data pipelines from ingest to search.
This means you’ll get to watch step-by-step guides for dealing with security specific data types like:
- HTTP Proxy Logs
- File-Based Logs (Unix, auth, and application logs)
- Windows Events & Sysmon Data
- NetFlow Data
- IDS Alerts
- Dealing with any CSV file you’re handed
- Parsing unstructured logs, no matter how weird they are
When you walk away from this course, you should be equipped with the skills you need to build a complete IDS alert console, investigation platform, or security analysis lab.
You can view the detailed course syllabus here.
ELK for Security Analysis is delivered completely online using recorded video lectures that you can go through at your convenience. It is modeled like a college course and consists of lectures that overview critical concepts, demonstrations where I walk through ELK configuration, and lab exercises where you practice the concepts you’ve learned. There is also a discussion forum where you can ask questions and share tips and tricks with other students. The course can be completed at whatever pace is comfortable for you.
No prior ELK experience is required.
The demonstrations are done on Linux, so a basic understanding of the Linux command line is helpful.
The course is delivered in English.
ELK for Security Analysis includes:
- Over 12 hours of demonstration videos. These videos break down the fundamental concepts of the ELK components. We’ll discuss key concepts and demonstrate the steps you’ll take to ingest, parse, search, and visualize security data.
- Hands-on labs to help you develop and test your skills. You’ll complete lab exercises by downloading sample data sets and applying the concepts you’ve learned to build data pipelines. Every data set you’ll interact with is of meaningful security value: Bro/Zeek logs, HTTP proxy logs, firewall logs, Windows event logs, and more.
- Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
- 6 months access to course video lectures and lab exercises. You can extend access later if you need more time.
- A Certificate of Completion
- 20 Continuing Education Credits (CPEs/CEUs)
Q: Who is this course designed for?
A: Anyone who wants to learn how to use ELK to collect, store, and investigate data. This course is specifically targeted at blue teamers like DFIR investigators or NSM analysts. However, you’ll also gain a lot from this course as a red teamer or sysadmin too!
Q: How much ELK experience should I have before starting?
A: No previous experience is required. We start with the fundamentals. If you have some prior knowledge and want to get straight into the sections on building security-related data pipelines, you can do that!
Q: Are there any hands-on labs?
A: Yes! Lots of them. You’ll have plenty of opportunities to practice the techniques we discuss. The class is loaded with demonstrations you can follow along with, too!
“This course is easy to follow and provides the necessary foundation in understanding how each component interacts with the others. I find the course is clear, concise, and suggests practical approaches to implement in security environments. The labs were very easy to follow, and having the sample data available allowed me to spend less time configuring additional feeds and more time manipulating. Finally, it has simple navigation and allows you to effortlessly pick up where you left off. Prior to the course, I only had experience with Kibana. Now, I have a full understanding of the data flow, architecture, and configuration steps!” – Joe
“ELK for Security Analysis provides a great foundation to understanding Lucene databases and ELK’s nuances for unlocking their power. It also has some useful tricks for understanding log data from a security perspective, and with 6 months of access to complete it, it’s a great value for the price!” – Mike Frost
“For those already in the security industry I would advise that if they have even the slightest interest in learning more about the ELK stack beyond the “end user” purposes to check out this course. I really liked the pipelines for Bro data. We do run Bro (among a few others) in our environment so this was very helpful in what it would take to make that happen. This was a great course overall for getting started and familiar with ELK and its capabilities.” – Adam
“This course makes learning and understanding ELK something any person can achieve. With this understanding, users are empowered to go beyond the course material and engineer ELK to fit their needs and ultimately catch more bad guys. The Kibana visualizations were the most useful lesson for me as visualizations are the most important in my day to day. However, learning how Logstash and ES actually work was also incredibly valuable.” – Marc Seitz
“This is a hands-on training that will take you from zero knowledge to a confident level to explore more on your own.” – Alfredo
“This is the perfect course for learning ELK, especially if you’re planning to use the SO experimental setup. Also, this is the best way I have found to learn about ELK quickly. The section covering unstructured data was extremely valuable. We sometimes get pen register, trap and trace data for netflow, which is in varying formats depending on who we get it from, and this section will allow us to process that data and review it in Kibana. I thought the balance of material in the course was perfect.” – Kevin
“Easy to follow, very clear and sufficiently detailed. It’s the perfect course to start from 0 up to good expertise level.” – Roberto Veca
“I knew nothing about ELK before this course. I feel I have a pretty good handle on how it works now. The logstash part was especially helpful because I think that is the most complicated part, but I understand how it works.” – Kayleigh Escudero
“A great step-by step practical course that will help you get started with ELK even without any previous ELK knowledge. The most useful thing I learned from this course was how Elasticsearch, Logstash, and Kibana all worked together. Prior to this course, I was given a VM with an instance of ELK. However, it was hard for me to grasp how it all worked together. Thanks to this step-by-step course, I have a better understanding now.” – Paul
“This course provides an end-to-end overview of the ELK stack with plenty of hands on opportunities. I was surprised by the visualization capabilities of Kibana. I expected the ELK visualizations to stink like most SIEM products. I was very happy with the depth and breadth of the content.” – Brandon Young