Elastic Siem Fundamentals Additional Resources PDF
Course: ELASTIC SIEM FUNDAMENTALS
Version 7.5.1
elastic.co/training
LESSON 1
ELASTIC SIEM UI
[Slide: Problem. Data from network taps, servers, containers, firewall, proxy and DNS logs and W10S data must be centralized, mined, correlated, analyzed and visualized, with anomaly detection, to produce alerts for the analyst.]
[Slide: Solution. A scalable, reliable, maintainable, distributed search engine (correlate, aggregate, geo search, IP search) behind an intuitive user interface to analyze, visualize and configure, fed by Filebeat, Packetbeat, Winlogbeat and Auditbeat.]
LESSON 1
REVIEW - ELASTIC SIEM UI
SUMMARY
‣ Being able to centralize, correlate, analyze, and aggregate security events from disparate sources is the essence of SIEM’s purpose
LESSON 1
LAB - ELASTIC SIEM UI
LESSON 2
GETTING SIEM DATA IN
SCHEMA
[Slide: Events arrive with inconsistent schemas. The same information is carried under different field names, for example
  { "ts": "2019-12-16T02:25:02.157", "field1": "value 1", "ip": "10.10.250.52" }
versus
  { "time": "2019-12-16T02:25:02", "field 1": "value 1", "source": { "ip": "10.10.250.52" } }
]
TRANSFORM
[Slide: Transform A -> B. NSM, firewall (10.10.10.251) and IDS (172.16.32.251) events are mapped onto the Elastic Common Schema (https://github.com/elastic/ecs), so that one query such as “Show me all the events with Jun 26, 2019 @ 10:18:08.839 suricata works across every source.]
DATA
[Slide: IDS, NSM and firewall data reach Elastic SIEM through Winlogbeat, Filebeat, Auditbeat and Packetbeat, covering both network and host data.]
LESSON 2
REVIEW - GETTING SIEM DATA IN
SUMMARY
‣ ECS defines a common set of fields to be used when storing event data in Elasticsearch, such as logs and metrics
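The schema and transform slides show why a common schema matters: the same timestamp and source address arrive as "ts"/"ip" from one source and "time"/"source.ip" from another, so a query on one field name misses events. The following normaliser is an added example, not Elastic's or the Beats' own pipeline code; the per-source field maps, the event.dataset values and the three sample events are constructed assumptions that mirror the slide, and only the target names (@timestamp, source.ip, event.dataset) are real ECS fields.

```python
"""Normalise events with inconsistent field names into ECS-style fields.

Added example, not Elastic's code. The per-source mappings are assumptions
chosen to mirror the schema slide; a real Beats/ingest pipeline does this
with processors rather than Python.
"""
from datetime import datetime, timezone

# Constructed sample events, modelled on the schema slide: the same kind of
# information (timestamp, source IP) arrives under different names per source.
RAW_EVENTS = [
    {"_source_type": "ids", "ts": "2019-12-16T02:25:02.157",
     "field1": "value 1", "ip": "10.10.250.52"},
    {"_source_type": "firewall", "time": "2019-12-16T02:25:02",
     "field 1": "value 1", "source": {"ip": "10.10.250.52"}},
    {"_source_type": "nsm", "ts": "2019-12-16T02:25:03.010",
     "ip": "172.16.32.251"},
]

# Assumed mappings: raw dotted path -> ECS dotted field name.
FIELD_MAPS = {
    "ids": {"ts": "@timestamp", "ip": "source.ip"},
    "firewall": {"time": "@timestamp", "source.ip": "source.ip"},
    "nsm": {"ts": "@timestamp", "ip": "source.ip"},
}


def get_path(obj, path):
    """Return the value at a dotted path such as 'source.ip', or None if absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def set_path(obj, path, value):
    """Set a value at a dotted path, creating nested dicts as needed."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def normalise_timestamp(value):
    """Accept ISO-8601 with or without fractional seconds; emit UTC with millisecond precision."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:          # slide timestamps carry no zone; assume UTC
        dt = dt.replace(tzinfo=timezone.utc)
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def to_ecs(raw):
    """Map one raw event onto ECS fields; unmapped fields are kept under a per-source namespace."""
    source_type = raw["_source_type"]
    mapping = FIELD_MAPS[source_type]
    ecs = {"event": {"dataset": source_type}}   # constructed dataset name
    for raw_path, ecs_path in mapping.items():
        value = get_path(raw, raw_path)
        if value is None:
            continue
        if ecs_path == "@timestamp":
            value = normalise_timestamp(value)
        set_path(ecs, ecs_path, value)
    # Keep everything the mapping did not consume so nothing is silently dropped.
    consumed = {p.split(".")[0] for p in mapping}
    for key, value in raw.items():
        if key.startswith("_") or key in consumed:
            continue
        set_path(ecs, f"{source_type}.{key}", value)
    return ecs


def events_from_ip(events, ip):
    """The analyst's 'show me every event from this IP' query, written once against source.ip."""
    return [e for e in events if get_path(e, "source.ip") == ip]


NORMALISED = [to_ecs(e) for e in RAW_EVENTS]

if __name__ == "__main__":
    print("raw hits:", len(events_from_ip(RAW_EVENTS, "10.10.250.52")))
    print("ecs hits:", len(events_from_ip(NORMALISED, "10.10.250.52")))
```

Run against the raw events, the source.ip query finds only the firewall record; after normalisation it finds both events for that address, which is the whole point of the transform step on the slide.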
LESSON 3
ANOMALY DETECTION
ANOMALY DETECTION
IN A NUTSHELL
[Slide: A datafeed supplies real-time and historical data to a job. The job learns baselines (normal_behavior), i.e. how the data normally tends to behave, and reports anomalies. The job is configured with functions, fields and influencers that define what to look for.]
LESSON 3
REVIEW - ANOMALY DETECTION
SUMMARY
‣ Anomaly detection can be used to analyze time series data by creating accurate baselines of normal behavior and identifying anomalous patterns in your dataset
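To make the datafeed / job / baseline / influencer vocabulary concrete, here is an added toy detector that is not Elastic ML: it learns a per-user baseline of a count function from constructed historical buckets, scores real-time buckets against it, and reports the field value (the influencer) behind each anomaly. The user names, counts and the z-score threshold are all assumptions; Elastic ML's models are probabilistic and far richer than this.

```python
"""Toy baseline-and-anomaly job over bucketed event counts.

Added illustration of the slide's vocabulary, not Elastic ML. Data is constructed.
"""
import statistics

# Constructed historical datafeed: login count per hourly bucket, split by user.
HISTORICAL = {
    "alice": [5, 6, 4, 5, 7, 5, 6, 5, 4, 6, 5, 5],
    "bob":   [20, 22, 19, 21, 20, 23, 21, 20, 22, 19, 21, 20],
}

# Constructed real-time buckets: bob is normal, alice spikes, carol has no history.
REALTIME = [
    {"user": "alice", "count": 40},
    {"user": "bob", "count": 21},
    {"user": "carol", "count": 1},
]


def build_baseline(historical):
    """Learn 'normal' for the count function, split by the user field.

    Returns {user: (mean, stdev)}. The stdev is floored at 1.0 so a very flat
    history does not turn a trivial change into an enormous score.
    """
    baseline = {}
    for user, values in historical.items():
        baseline[user] = (statistics.mean(values), max(statistics.pstdev(values), 1.0))
    return baseline


def score_bucket(bucket, baseline, threshold=3.0):
    """Return an anomaly record for one bucket, or None if it looks normal.

    An entity with no baseline at all is reported too: 'never seen before'
    is itself a deviation from what the job has learned.
    """
    user = bucket["user"]
    if user not in baseline:
        return {"influencer": user, "count": bucket["count"], "z": None, "reason": "no baseline"}
    mean, stdev = baseline[user]
    z = (bucket["count"] - mean) / stdev
    if abs(z) > threshold:
        return {"influencer": user, "count": bucket["count"], "z": z, "reason": "outside baseline"}
    return None


def detect(realtime, baseline, threshold=3.0):
    """Run the scoring over a real-time feed and keep only the anomalies."""
    results = (score_bucket(b, baseline, threshold) for b in realtime)
    return [r for r in results if r is not None]


BASELINE = build_baseline(HISTORICAL)
ANOMALIES = detect(REALTIME, BASELINE)

if __name__ == "__main__":
    for a in ANOMALIES:
        print(f"{a['influencer']}: count={a['count']} reason={a['reason']} z={a['z']}")
```

The baseline is learned only from historical data; real-time buckets are scored but never fed back into it here, which keeps a slow attacker from teaching the job that the new level is normal. A production job would re-learn on a schedule with that risk in mind.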
LESSON 3
LAB - ANOMALY DETECTION
QUIZ ANSWERS
QUIZ
1. The three ingest layer components of Elastic Stack that provide network and host data integration for Elastic SIEM are Beats, Logstash and _______
a. Alerting
b. Elastic Machine Learning
c. Elastic Endpoint Security
d. Kibana