2026-04-13 10-19-02
May 25, 2026 15:02
· 7:27
· English
· Whisper Turbo
· 2 speakers
0:06 Speaker 1: In this video,
0:07 Speaker 2: we're going to start exploring the ELK stack,
0:11 Speaker 2: what it is and how it can be used in threat hunting.
0:15 Speaker 2: So first of all,
0:16 Speaker 2: what is ELK?
0:18 Speaker 2: ELK consists of primarily three different
0:22 Speaker 2: components that are working together to make up what's known as the ELK
0:26 Speaker 2: stack, or sometimes also called the Elastic Stack.
0:30 Speaker 2: The first component of it,
0:32 Speaker 1: the E,
0:32 Speaker 2: is Elasticsearch.
0:34 Speaker 2: It is used for search and analytics to
0:39 Speaker 2: kind of process the information and search and analyze through log data.
0:44 Speaker 2: The second component is Logstash,
0:47 Speaker 2: the L in there.
0:48 Speaker 2: It is used for the data processing and transformation components
0:53 Speaker 2: of ELK.
0:54 Speaker 2: And then you have Kibana,
0:56 Speaker 1: the K.
0:57 Speaker 2: This is for the dashboards,
0:59 Speaker 2: the visualization,
1:00 Speaker 2: those components of the ELK stack.
1:04 Speaker 2: ELK can be a good alternative to Splunk
1:08 Speaker 2: because Splunk licensing can get...
1:10 Speaker 2: a little expensive.
1:12 Speaker 2: We'll kind of do a little comparison here in a second.
1:14 Speaker 2: Another kind of fourth component,
1:16 Speaker 1: if you will,
1:17 Speaker 2: to ELK is known as Beats.
1:21 Speaker 2: This is kind of what's used to send
1:25 Speaker 2: log data to the ELK stack.
1:28 Speaker 2: Usually this is going to be in packages known as Winlogbeat
1:32 Speaker 2: or Filebeat.
1:34 Speaker 2: There's a few different ones.
1:37 Speaker 1: Again,
1:37 Speaker 2: you're going to have kind of similar use,
1:39 Speaker 2: similar functionality to Splunk as
1:44 Speaker 2: far as visualizations,
1:45 Speaker 2: real-time searches,
1:46 Speaker 2: analysis,
1:47 Speaker 2: things like that.
1:49 Speaker 1: Again,
1:49 Speaker 2: it can be a better alternative to Splunk because Splunk,
1:55 Speaker 2: again, can get expensive.
1:56 Speaker 2: Splunk charges,
1:57 Speaker 2: at least for their on-premise deployments,
1:59 Speaker 2: and at least as of the time of this recording,
2:02 Speaker 2: by the amount of data you index.
2:05 Speaker 2: So the more data you need to index and process in Splunk,
2:08 Speaker 2: the more expensive it can get.
2:10 Speaker 2: ELK can be acquired open source and can be
2:14 Speaker 2: used on-premise for no charge.
2:17 Speaker 2: They do also have,
2:18 Speaker 2: you know, cloud hosted as well.
2:20 Speaker 2: So there are options there.
2:23 Speaker 2: ELK is set up in a kind of a similar but different
2:28 Speaker 2: way to Splunk.
2:30 Speaker 2: So ELK starts off with Logstash.
2:32 Speaker 2: That is where the log aggregation and processing
2:37 Speaker 2: comes in,
2:38 Speaker 2: where the data that's sent via all of the different
2:42 Speaker 2: Beats, if you will,
2:43 Speaker 2: so your Winlogbeat,
2:45 Speaker 2: your Filebeat,
2:46 Speaker 2: they send their data into Logstash.
2:50 Speaker 2: And those are typically going to be the Winlogbeat and Filebeat,
2:54 Speaker 2: things like that,
2:55 Speaker 2: will be what's installed on the endpoints.
2:57 Speaker 2: So with Splunk,
2:59 Speaker 2: you have the forwarders.
3:00 Speaker 2: With the ELK stack,
3:01 Speaker 2: you have the Beats.
3:03 Speaker 2: And that Logstash data is then fed into Elasticsearch.
3:08 Speaker 2: Elasticsearch is what is used for the indexing
3:12 Speaker 2: and the storage.
3:15 Speaker 2: Technically not necessarily required.
3:18 Speaker 2: A lot of setups might actually skip this step.
3:21 Speaker 2: And if so,
3:22 Speaker 2: then that data would then just be accessed by Kibana.
3:25 Speaker 2: Kibana is the...
3:27 Speaker 2: the part of the ELK stack that's used to search,
3:31 Speaker 2: that's used for the analysis,
3:33 Speaker 2: it's where the visualizations
3:37 Speaker 2: and dashboards are created based off the
3:41 Speaker 2: data that's in Logstash or Elasticsearch,
3:45 Speaker 2: depending on what the deployment looks like.
3:49 Speaker 2: So that's a brief...
3:50 Speaker 2: overview of the ELK stack,
3:52 Speaker 2: let's jump over to our lab environment now and take a look at the
3:56 Speaker 2: interface and how it's,
3:58 Speaker 2: you know, similar and different than Splunk.
4:00 Speaker 1: All right,
4:03 Speaker 2: so this is the first screen you are greeted with when you launch
4:07 Speaker 2: the ELK stack.
4:08 Speaker 2: The primary location we're going to be working with
4:13 Speaker 2: when doing just raw event searches,
4:15 Speaker 2: similar to what we did in Splunk,
4:18 Speaker 2: is the Discover section here.
4:21 Speaker 2: So if we jump into this Discover section,
4:22 Speaker 2: you see kind of a similar layout as we have with Splunk.
4:27 Speaker 2: And we do a lot of the comparison here with Splunk because that's the other system we're working with
4:31 Speaker 2: in this course.
4:33 Speaker 2: So we have the search box right here that
4:37 Speaker 2: shows us some autocomplete information.
4:39 Speaker 2: But we have the search box where we can type in our queries.
4:43 Speaker 2: It does use a much different language than Splunk.
4:46 Speaker 2: One difference here is that you do not need to specify the
4:50 Speaker 2: index you're in or working with or searching in.
4:53 Speaker 2: Instead,
4:54 Speaker 2: you select it using this drop-down box here,
4:58 Speaker 2: and as you can see,
4:59 Speaker 2: we have one index to select from,
5:01 Speaker 2: and that is the ELK index.
5:03 Speaker 2: We also have the time frame right here where we're
5:07 Speaker 2: what logs we are searching for.
5:10 Speaker 2: And you can change that to a relative time frame like we have here,
5:14 Speaker 2: or you can hit the calendar drop-down and select some of the commonly
5:18 Speaker 2: used ones or other options here.
5:21 Speaker 2: We'll just select last one year for the moment.
5:24 Speaker 2: And we can see we have a number of logs that show up in here,
5:28 Speaker 2: about 46 hits in this kind of demo environment.
5:33 Speaker 1: The fields,
5:34 Speaker 2: the results are very similar to Splunk.
5:36 Speaker 2: So we have our available fields here,
5:38 Speaker 2: and these are basically just all the fields that show up in the logs.
5:41 Speaker 2: We can expand our options to see similar information
5:45 Speaker 2: as we did with Splunk as well.
5:48 Speaker 2: The queries are a little bit different,
5:51 Speaker 2: and we'll get into more details of queries in a different video here
5:55 Speaker 2: using the different languages.
5:57 Speaker 1: But if we want to,
5:58 Speaker 2: say, search for a specific syslog event,
6:01 Speaker 2: we'll search for event ID 11.
6:04 Speaker 2: We do event.code to spell that
6:08 Speaker 2: right. And in KQL,
6:11 Speaker 2: which is the language we're working with,
6:12 Speaker 2: you do a colon instead.
6:15 Speaker 2: And you just type 11.
6:16 Speaker 2: So we're searching for event code 11 right here.
6:20 Speaker 2: So very similar type of syntax,
6:24 Speaker 2: if you will,
6:25 Speaker 2: but we still get very similar results.
6:27 Speaker 2: And also you can save queries here by just hitting save queries.
6:31 Speaker 2: You can save these to come back to at
6:35 Speaker 2: a later time.
6:37 Speaker 2: And there's a lot of other functionality in here as well.
6:41 Speaker 2: We can see we've got the section on analytics,
6:43 Speaker 2: which is where we can do dashboards and other visualizations.
6:47 Speaker 2: We have other types of searches that can be done,
6:51 Speaker 2: more kind of specified or specific
6:55 Speaker 2: locations for different use cases,
6:58 Speaker 2: and the management of the system.
7:00 Speaker 2: And as you can see down here,
7:01 Speaker 2: there's the option to add additional integrations,
7:06 Speaker 2: similar to Splunk's applications.
7:08 Speaker 2: So a real brief overview of the ELK
7:12 Speaker 2: interface.
7:13 Speaker 2: We'll dive more into ELK and its use in threat hunting
7:17 Speaker 2: in some of the later videos as we progress.