Just to see
0:06
S… Speaker 1 (2026-04-13 10-19-02)
In this video,
0:07
S… Speaker 2 (2026-04-13 10-19-02)
we're going to start exploring the ELK stack,
0:11
S… Speaker 2 (2026-04-13 10-19-02)
what it is and how it can be used in threat hunting.
0:15
S… Speaker 2 (2026-04-13 10-19-02)
So first of all,
0:16
S… Speaker 2 (2026-04-13 10-19-02)
what is ELK?
0:18
S… Speaker 2 (2026-04-13 10-19-02)
ELK consists primarily of three different
0:22
S… Speaker 2 (2026-04-13 10-19-02)
components that are working together to make up what's known as the ELK
0:26
S… Speaker 2 (2026-04-13 10-19-02)
stack, or sometimes also called the elastic stack.
0:30
S… Speaker 2 (2026-04-13 10-19-02)
The first component of it,
0:32
S… Speaker 1 (2026-04-13 10-19-02)
the E,
0:32
S… Speaker 2 (2026-04-13 10-19-02)
is Elasticsearch.
0:34
S… Speaker 2 (2026-04-13 10-19-02)
It is used for search and analytics to
0:39
S… Speaker 2 (2026-04-13 10-19-02)
kind of process the information and search and analyze through log data.
0:44
S… Speaker 2 (2026-04-13 10-19-02)
The second component is Logstash,
0:47
S… Speaker 2 (2026-04-13 10-19-02)
the L in there.
0:48
S… Speaker 2 (2026-04-13 10-19-02)
It is used for the data processing and transformation components
0:53
S… Speaker 2 (2026-04-13 10-19-02)
of ELK.
0:54
S… Speaker 2 (2026-04-13 10-19-02)
And then you have Kibana,
0:56
S… Speaker 1 (2026-04-13 10-19-02)
the K.
0:57
S… Speaker 2 (2026-04-13 10-19-02)
This is for the dashboards,
0:59
S… Speaker 2 (2026-04-13 10-19-02)
the visualization,
1:00
S… Speaker 2 (2026-04-13 10-19-02)
those components of the ELK stack.
1:04
S… Speaker 2 (2026-04-13 10-19-02)
ELK can be a good alternative to Splunk
1:08
S… Speaker 2 (2026-04-13 10-19-02)
because Splunk licensing can get...
1:10
S… Speaker 2 (2026-04-13 10-19-02)
A little expensive.
1:12
S… Speaker 2 (2026-04-13 10-19-02)
We'll kind of do a little comparison here in a second.
1:14
S… Speaker 2 (2026-04-13 10-19-02)
Another kind of fourth component,
1:16
S… Speaker 1 (2026-04-13 10-19-02)
if you will,
1:17
S… Speaker 2 (2026-04-13 10-19-02)
to ELK is known as beats.
1:21
S… Speaker 2 (2026-04-13 10-19-02)
This is kind of what's used to send
1:25
S… Speaker 2 (2026-04-13 10-19-02)
log data to the ELK stack.
1:28
S… Speaker 2 (2026-04-13 10-19-02)
Usually this is going to be in packages known as Winlogbeat
1:32
S… Speaker 2 (2026-04-13 10-19-02)
or Filebeat.
1:34
S… Speaker 2 (2026-04-13 10-19-02)
There's a few different ones.
1:37
S… Speaker 1 (2026-04-13 10-19-02)
Again,
1:37
S… Speaker 2 (2026-04-13 10-19-02)
you're going to have kind of similar use,
1:39
S… Speaker 2 (2026-04-13 10-19-02)
similar functionality to Splunk as
1:44
S… Speaker 2 (2026-04-13 10-19-02)
far as visualizations,
1:45
S… Speaker 2 (2026-04-13 10-19-02)
real-time searches,
1:46
S… Speaker 2 (2026-04-13 10-19-02)
analysis,
1:47
S… Speaker 2 (2026-04-13 10-19-02)
things like that.
1:49
S… Speaker 1 (2026-04-13 10-19-02)
Again,
1:49
S… Speaker 2 (2026-04-13 10-19-02)
it can be a better alternative to Splunk because Splunk,
1:55
S… Speaker 2 (2026-04-13 10-19-02)
again, can get expensive.
1:56
S… Speaker 2 (2026-04-13 10-19-02)
Splunk charges,
1:57
S… Speaker 2 (2026-04-13 10-19-02)
at least for their on-premise deployments,
1:59
S… Speaker 2 (2026-04-13 10-19-02)
and at least as of the time of this recording,
2:02
S… Speaker 2 (2026-04-13 10-19-02)
by the amount of data you index.
2:05
S… Speaker 2 (2026-04-13 10-19-02)
So the more data you need to index and process in Splunk,
2:08
S… Speaker 2 (2026-04-13 10-19-02)
the more expensive it can get.
2:10
S… Speaker 2 (2026-04-13 10-19-02)
ELK can be acquired open source and can be
2:14
S… Speaker 2 (2026-04-13 10-19-02)
used on-premise for no charge.
2:17
S… Speaker 2 (2026-04-13 10-19-02)
They do also have,
2:18
S… Speaker 2 (2026-04-13 10-19-02)
you know, cloud hosted as well.
2:20
S… Speaker 2 (2026-04-13 10-19-02)
So there are options there.
2:23
S… Speaker 2 (2026-04-13 10-19-02)
ELK is set up in a kind of a similar but different
2:28
S… Speaker 2 (2026-04-13 10-19-02)
way to Splunk.
2:30
S… Speaker 2 (2026-04-13 10-19-02)
So ELK starts off with Logstash.
2:32
S… Speaker 2 (2026-04-13 10-19-02)
That is where the log aggregation and processing
2:37
S… Speaker 2 (2026-04-13 10-19-02)
comes in,
2:38
S… Speaker 2 (2026-04-13 10-19-02)
where the data that's sent via all of the different
2:42
S… Speaker 2 (2026-04-13 10-19-02)
beats, if you will,
2:43
S… Speaker 2 (2026-04-13 10-19-02)
so your Winlogbeat,
2:45
S… Speaker 2 (2026-04-13 10-19-02)
your Filebeat,
2:46
S… Speaker 2 (2026-04-13 10-19-02)
they send their data into Logstash.
2:50
S… Speaker 2 (2026-04-13 10-19-02)
And those are typically going to be the Winlogbeat and Filebeat,
2:54
S… Speaker 2 (2026-04-13 10-19-02)
things like that,
2:55
S… Speaker 2 (2026-04-13 10-19-02)
will be what's installed on the endpoints.
2:57
S… Speaker 2 (2026-04-13 10-19-02)
So with Splunk,
2:59
S… Speaker 2 (2026-04-13 10-19-02)
you have the forwarders.
3:00
S… Speaker 2 (2026-04-13 10-19-02)
With the ELK stack,
3:01
S… Speaker 2 (2026-04-13 10-19-02)
you have the beats.
3:03
S… Speaker 2 (2026-04-13 10-19-02)
And that Logstash data is then fed into Elasticsearch.
3:08
S… Speaker 2 (2026-04-13 10-19-02)
Elasticsearch is what is used for the indexing
3:12
S… Speaker 2 (2026-04-13 10-19-02)
and the storage.
3:15
S… Speaker 2 (2026-04-13 10-19-02)
Technically not necessarily required.
3:18
S… Speaker 2 (2026-04-13 10-19-02)
A lot of setups might actually skip this step.
3:21
S… Speaker 2 (2026-04-13 10-19-02)
And if so,
3:22
S… Speaker 2 (2026-04-13 10-19-02)
then that data would then just be accessed by Kibana.
3:25
S… Speaker 2 (2026-04-13 10-19-02)
Kibana is the...
3:27
S… Speaker 2 (2026-04-13 10-19-02)
The part of the ELK stack that's used to search,
3:31
S… Speaker 2 (2026-04-13 10-19-02)
that's used for the analysis,
3:33
S… Speaker 2 (2026-04-13 10-19-02)
it's where the visualizations
3:37
S… Speaker 2 (2026-04-13 10-19-02)
and dashboards are created based off the
3:41
S… Speaker 2 (2026-04-13 10-19-02)
data that's in Logstash or Elasticsearch,
3:45
S… Speaker 2 (2026-04-13 10-19-02)
depending on what the deployment looks like.
3:49
S… Speaker 2 (2026-04-13 10-19-02)
So that's a brief...
3:50
S… Speaker 2 (2026-04-13 10-19-02)
overview of the ELK stack,
3:52
S… Speaker 2 (2026-04-13 10-19-02)
let's jump over to our lab environment now and take a look at the
3:56
S… Speaker 2 (2026-04-13 10-19-02)
interface and how it's,
3:58
S… Speaker 2 (2026-04-13 10-19-02)
you know, similar and different than Splunk.
4:00
S… Speaker 1 (2026-04-13 10-19-02)
All right,
4:03
S… Speaker 2 (2026-04-13 10-19-02)
so this is the first screen you are greeted with when you launch
4:07
S… Speaker 2 (2026-04-13 10-19-02)
the ELK stack.
4:08
S… Speaker 2 (2026-04-13 10-19-02)
The primary location we're going to be working with
4:13
S… Speaker 2 (2026-04-13 10-19-02)
when doing just raw event searches,
4:15
S… Speaker 2 (2026-04-13 10-19-02)
similar to what we did in Splunk,
4:18
S… Speaker 2 (2026-04-13 10-19-02)
is the Discover section here.
4:21
S… Speaker 2 (2026-04-13 10-19-02)
So if we jump into this Discover section,
4:22
S… Speaker 2 (2026-04-13 10-19-02)
you see kind of a similar layout as we have with Splunk.
4:27
S… Speaker 2 (2026-04-13 10-19-02)
And we do a lot of the comparison here with Splunk because that's the other system we're working with
4:31
S… Speaker 2 (2026-04-13 10-19-02)
in this course.
4:33
S… Speaker 2 (2026-04-13 10-19-02)
So we have the search box right here that
4:37
S… Speaker 2 (2026-04-13 10-19-02)
shows us some autocomplete information.
4:39
S… Speaker 2 (2026-04-13 10-19-02)
But we have the search box where we can type in our queries.
4:43
S… Speaker 2 (2026-04-13 10-19-02)
It does use a much different language than Splunk.
4:46
S… Speaker 2 (2026-04-13 10-19-02)
One difference here is that you do not need to specify the
4:50
S… Speaker 2 (2026-04-13 10-19-02)
index you're in or working with or searching in.
4:53
S… Speaker 2 (2026-04-13 10-19-02)
Instead,
4:54
S… Speaker 2 (2026-04-13 10-19-02)
you select it using this drop-down box here,
4:58
S… Speaker 2 (2026-04-13 10-19-02)
and as you can see,
4:59
S… Speaker 2 (2026-04-13 10-19-02)
we have one index to select from,
5:01
S… Speaker 2 (2026-04-13 10-19-02)
and that is the ELK index.
5:03
S… Speaker 2 (2026-04-13 10-19-02)
We also have the time frame right here where we're choosing
5:07
S… Speaker 2 (2026-04-13 10-19-02)
what logs we are searching for.
5:10
S… Speaker 2 (2026-04-13 10-19-02)
And you can change that to a relative time frame like we have here,
5:14
S… Speaker 2 (2026-04-13 10-19-02)
or you can hit the calendar drop-down and select some of the commonly
5:18
S… Speaker 2 (2026-04-13 10-19-02)
used ones or other options here.
5:21
S… Speaker 2 (2026-04-13 10-19-02)
We'll just select last one year for the moment.
5:24
S… Speaker 2 (2026-04-13 10-19-02)
And we can see we have a number of logs that show up in here,
5:28
S… Speaker 2 (2026-04-13 10-19-02)
about 46 hits in this kind of demo environment.
5:33
S… Speaker 1 (2026-04-13 10-19-02)
The fields,
5:34
S… Speaker 2 (2026-04-13 10-19-02)
the results are very similar to Splunk.
5:36
S… Speaker 2 (2026-04-13 10-19-02)
So we have our available fields here,
5:38
S… Speaker 2 (2026-04-13 10-19-02)
and these are basically just all the fields that show up in the logs.
5:41
S… Speaker 2 (2026-04-13 10-19-02)
We can expand our options to see similar information
5:45
S… Speaker 2 (2026-04-13 10-19-02)
as we did with Splunk as well.
5:48
S… Speaker 2 (2026-04-13 10-19-02)
The queries are a little bit different,
5:51
S… Speaker 2 (2026-04-13 10-19-02)
and we'll get into more details of queries in a different video here
5:55
S… Speaker 2 (2026-04-13 10-19-02)
using the different languages.
5:57
S… Speaker 1 (2026-04-13 10-19-02)
But if we want to,
5:58
S… Speaker 2 (2026-04-13 10-19-02)
say, search for a specific syslog event,
6:01
S… Speaker 2 (2026-04-13 10-19-02)
we'll search for event ID 11.
6:04
S… Speaker 2 (2026-04-13 10-19-02)
We do event.code to spell that
6:08
S… Speaker 2 (2026-04-13 10-19-02)
right. And in KQL,
6:11
S… Speaker 2 (2026-04-13 10-19-02)
which is the language we're working with,
6:12
S… Speaker 2 (2026-04-13 10-19-02)
you do a colon instead.
6:15
S… Speaker 2 (2026-04-13 10-19-02)
And you just type 11.
6:16
S… Speaker 2 (2026-04-13 10-19-02)
So we're searching for event code 11 right here.
6:20
S… Speaker 2 (2026-04-13 10-19-02)
So very similar type of syntax,
6:24
S… Speaker 2 (2026-04-13 10-19-02)
if you will,
6:25
S… Speaker 2 (2026-04-13 10-19-02)
but we still get very similar results.
6:27
S… Speaker 2 (2026-04-13 10-19-02)
And also you can save queries here by just hitting save queries.
6:31
S… Speaker 2 (2026-04-13 10-19-02)
You can save these to come back to at
6:35
S… Speaker 2 (2026-04-13 10-19-02)
a later time.
6:37
S… Speaker 2 (2026-04-13 10-19-02)
And there's a lot of other functionality in here as well.
6:41
S… Speaker 2 (2026-04-13 10-19-02)
We can see we've got the section on analytics,
6:43
S… Speaker 2 (2026-04-13 10-19-02)
which is where we can do dashboards and other visualizations.
6:47
S… Speaker 2 (2026-04-13 10-19-02)
We have other types of searches that can be done,
6:51
S… Speaker 2 (2026-04-13 10-19-02)
more kind of specified or specific
6:55
S… Speaker 2 (2026-04-13 10-19-02)
locations for different use cases,
6:58
S… Speaker 2 (2026-04-13 10-19-02)
and the management of the system.
7:00
S… Speaker 2 (2026-04-13 10-19-02)
And as you can see down here,
7:01
S… Speaker 2 (2026-04-13 10-19-02)
there's the option to add additional integrations.
7:06
S… Speaker 2 (2026-04-13 10-19-02)
similar to Splunk's applications.
7:08
S… Speaker 2 (2026-04-13 10-19-02)
So a real brief overview of the ELK
7:12
S… Speaker 2 (2026-04-13 10-19-02)
interface.
7:13
S… Speaker 2 (2026-04-13 10-19-02)
We'll dive more into ELK and its use in threat hunting
7:17
S… Speaker 2 (2026-04-13 10-19-02)
in some of the later videos as we progress.

This transcription was generated by AI (automatic speech recognition). It may contain errors; check against the original audio for critical use.
