That’s where the ELK stack comes in.
ELK is Elasticsearch, Logstash, and Kibana and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course; it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.
You’ll learn the basics of:
- Elasticsearch: How data is stored and indexed. Working with JSON documents.
- Logstash: How to collect and manipulate structured and unstructured data.
- Kibana: Techniques for searching data and building useful visualizations and dashboards.
- Beats: Use the agent to ship data from endpoints and servers to your ELK systems.
I’ll show you how to build complete data pipelines from ingest to search.
This means you’ll get to watch step-by-step guides for dealing with security specific data types like:
- HTTP Proxy Logs
- File-Based Logs (Unix, auth, and application logs)
- Windows Events & Sysmon Data
- NetFlow Data
- IDS Alerts
- Dealing with any CSV file you’re handed
- Parsing unstructured logs, no matter how weird they are
When you walk away from this course, you should be equipped with the skills you need to build a complete IDS alert console, investigation platform, or security analysis lab.
You can view the detailed course syllabus here.
ELK for Security Analysis is delivered completely online using recorded video lectures that you can go through at your convenience. It is modeled like a college course and consists of lectures that overview critical concepts, demonstrations where I walk through ELK configuration, and lab exercises when you practice the concepts you’ve learned. There is also a discussion forum where you can ask questions and share tips and tricks with other students. The course can be completed at whatever pace is comfortable for you.
No prior ELK experience is required.
The demonstrations are done on Linux, so a basic understanding of the Linux command line is helpful.
The course is delivered in English.
ELK for Security Analysis includes:
- Over 12 hours of demonstration videos. These videos will break down the fundamental concepts of the ELK Components. We’ll discuss key concepts and demonstrate steps you’ll take to ingest, parse, search, and visualize security data.
- Hands-on labs to help you develop and test your skills. You’ll complete lab exercises by downloading sample data sets and applying the concepts you’ve learned to build data pipelines. Every data set you’ll interact with is of meaningful security value: Bro/Zeek logs, HTTP proxy logs, firewall logs, Windows event logs, and more.
- Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
- 6 months access to course video lectures and lab exercises. You can extend access later if you need more time.
- A Certification of Completion
- Continuing Education Credits (CPEs/CEUs)
Q: Who is this course designed for?
A: Anyone who wants to learn how to use ELK to collect, store, and investigate data. This course is specifically targeted at blue teamers like DFIR investigators or NSM analysts. However, you’ll also gain a lot from this course as a red teamer or sysadmin too!
Q: How much ELK experience should I have before starting?
A: No previous experience is required. We start with the fundamentals. If you have some prior knowledge and want to get straight into the sections on building security-related data pipelines, you can do that!
Q: Are there any hands-on labs?
A: Yes! Lots of them. You’ll have plenty of opportunities to practice the techniques we discuss. The class is loaded with demonstrations you can follow along with, too!
“This course is easy to follow and provides the necessary foundation in understanding how each component interacts with the others. I find the course is clear, concise, and suggests practical approaches to implement in security environments. The labs were very easy to follow, and having the sample data available allowed me to spend less time configuring additional feeds and more time manipulating. Finally, it has simple navigation and allows you to effortlessly pick-up where you left off. Prior to the course, I only had experience with Kibana. Now, I have a full understanding of the data flow, architecture, and configuration steps!” – Joe
“ELK for Security Analysis provides a great foundation to understanding Lucene databases and ELK’s nuances for unlocking their power. It also has some useful tricks for understanding log data from a security perspective, and with 6 months of access to complete it, it’s a great value for the price!” – Mike Frost
“For those already in the security industry I would advise that if they have even the slightest interest in learning more about the ELK stack beyond the “end user” purposes to check out this course. I really liked the pipelines for Bro data. We do run Bro (among a few others) in our environment so this was very helpful in what it would take to make that happen. This was a great course overall for getting started and familiar with ELK and it’s capabilities.” – Adam