Elastic (Elastic Stack)

One-liner: Open-source data analytics and SIEM platform built on Elasticsearch, Logstash, and Kibana (the ELK Stack).

🎯 What Is It?

Elastic (formerly known as ELK Stack) is a powerful, scalable platform for searching, analyzing, and visualizing large volumes of data in real-time. In cybersecurity, it's widely used as a SIEM solution for log aggregation, threat detection, and security monitoring in SOCs.

Company: Elastic (elastic.co)
License: Open Source (Apache 2.0) + Commercial features

🏽️ The ELK Stack Components

┌──────────────────────────────────┐
│       Data Sources          │
│  (Logs, Metrics, Events)   │
└────────────┬─────────────────────┘
             │
      ┌──────┴──────┐
      │   Beats /     │
      │  Logstash     │  ← Ingestion & Processing
      └──────┬──────┘
             │
      ┌──────┴──────┐
      │ Elasticsearch │  ← Storage & Search Engine
      └──────┬──────┘
             │
      ┌──────┴──────┐
      │   Kibana     │  ← Visualization & Dashboards
      └─────────────┘

1. Elasticsearch

• Role: Distributed search and analytics engine
• Function: Stores, indexes, and searches massive amounts of data in near real-time
• Technology: Built on Apache Lucene
• Cluster: Scales horizontally across multiple nodes

2. Logstash

• Role: Data processing pipeline
• Function: Ingests, transforms, and forwards data to Elasticsearch
• Capabilities:
  • Parse logs (JSON, CSV, Syslog)
  • Enrich data (GeoIP, DNS lookups)
  • Filter and normalize

3. Kibana

• Role: Visualization and UI
• Function: Dashboards, charts, and search interface
• Features:
  • Security dashboards
  • SIEM timeline
  • Custom visualizations
  • KQL (Kibana Query Language)

4. Beats (Lightweight Shippers)

• Filebeat — Log file shipper
• Metricbeat — System metrics
• Packetbeat — Network traffic
• Winlogbeat — Windows Event Logs
• Auditbeat — System audit data

🛡️ Elastic as a SIEM

Elastic Security (Formerly Elastic SIEM)

Full-fledged SIEM solution with:

• Threat detection — Prebuilt detection rules
• Alert Triage — Case management
• Incident Response — Timeline analysis
• Threat intel — IOC integration
• EDR — Elastic Agent for endpoint monitoring
• MITRE ATT&CK mapping

Key Features

1. Detection Rules

# Example: Detect suspicious PowerShell
rule:
  name: Suspicious PowerShell Execution
  query: |
    process.name: "powershell.exe" AND 
    process.command_line: (*-enc* OR *downloadstring*)
  severity: high
  mitre_attack: T1059.001

2. KQL (Kibana Query Language)

# Find failed SSH logins
event.action: "ssh_login" AND event.outcome: "failure"

# Detect process injection
process.name: "powershell.exe" AND 
process.command_line: *VirtualAllocEx*

# Network connections from suspicious process
network.direction: "outbound" AND 
process.parent.name: "winword.exe"

3. SIEM Timeline

• Visual event correlation
• Drill-down investigation
• Pivot between logs and network data

4. Prebuilt Dashboards

• Authentication monitoring
• Network traffic analysis
• Endpoint security
• Cloud security (AWS, Azure, GCP)

🎯 Common Use Cases

1. Security Operations Center (SOC)

Data Sources:
  • [[Windows Event Logs]] (via Winlogbeat)
  • Sysmon logs
  • Firewall logs
  • Zeek network logs
  • Cloud logs (AWS CloudTrail, Azure AD)

Workflow:
  1. Logs → Elasticsearch
  2. Detection rules trigger alerts
  3. SOC analysts investigate in Kibana
  4. Incident Response initiated

2. Threat Hunting

# Hunt for Lateral Movement via RDP
event.code: 4624 AND winlog.event_data.LogonType: 10

# Detect [[DNS Tunneling]]
dns.question.name: *[a-f0-9]{20,}.*

3. Compliance & Audit Logging

• Centralize logs for HIPAA, PCI-DSS, SOC 2
• Tamper-proof audit trails
• Retention policies

4. Cloud Security

• AWS CloudTrail monitoring
• Azure AD authentication logs
• GCP audit logs
• Multi-cloud visibility

📈 Elastic vs Splunk

💻 Example: Setting Up Elastic SIEM

1. Install Elasticsearch

# Docker
docker run -d --name elasticsearch \
  -p 9200:9200 \
  -e "discovery.type=single-node" \
  docker.elastic.co/elasticsearch/elasticsearch:8.11.0

2. Install Kibana

docker run -d --name kibana \
  -p 5601:5601 \
  --link elasticsearch:elasticsearch \
  docker.elastic.co/kibana/kibana:8.11.0

3. Ship Windows Logs

# winlogbeat.yml
winlogbeat.event_logs:
  - name: Security
  - name: System
  - name: Application

output.elasticsearch:
  hosts: ["localhost:9200"]

4. Create Detection Rule

Kibana → Security → Rules → Create Rule

Query:
process.name: "powershell.exe" AND 
process.command_line: *-enc*

Severity: High
MITRE ATT&CK: T1059.001

🔧 Integration with Other Tools

• [[Zeek]] — Network monitoring logs
• [[Sysmon]] — Enhanced Windows telemetry
• ElastAlert — Alerting framework
• Wazuh — Host-based intrusion detection
• Suricata — IDS/IPS logs

🎤 Interview Angles

Q: What is the ELK Stack and how is it used in cybersecurity?

• Elasticsearch (storage/search), Logstash (processing), Kibana (visualization)
• Used as SIEM for log aggregation and threat detection
• Scales horizontally for massive log volumes
• Open-source alternative to Splunk
• Supports Detection Engineering, Alert Triage, and [[Incident Response]]

Q: How would you detect [[Lateral Movement]] with Elastic?

KQL Query:

event.code: 4624 AND 
winlog.event_data.LogonType: (3 OR 10) AND 
NOT source.ip: (10.0.0.0/8 OR 192.168.0.0/16)

Detects remote logons (Type 3 = network, Type 10 = RDP) from unexpected IPs.

Q: What's the difference between Elastic and Splunk?

• Elastic: Open-source, free tier, KQL, community-driven
• Splunk: Commercial, expensive, SPL, enterprise features
• Use Elastic when: Cost-conscious, cloud-native, large data volumes
• Use Splunk when: Enterprise budget, need mature SOAR, compliance requirements

🔗 Related Concepts

• [[Elasticsearch]] — Search engine component
• [[Logstash]] — Data processing
• [[Kibana]] — Visualization UI
• SIEM — Primary use case
• Splunk — Commercial alternative
• Detection Engineering — Building rules
• [[SOC analysts]] — Primary users