Elastic Stack (ELK): The Basics – SOC Analyst Guide
Task 1: Introduction
Elastic Stack (ELK) is widely used in modern Security Operations Centers (SOC) for log analysis and investigations. Although it is not a traditional SIEM, its powerful search and visualization capabilities make it function like one.
Learning Objectives
- Understand ELK components
- Explore features of ELK
- Learn searching & filtering
- Investigate VPN logs
- Create dashboards & visualizations
Task 2: Components of ELK
Elastic Stack consists of four main components:
- Elasticsearch: stores and analyzes data. Works with JSON documents and provides fast search through a REST API.
- Logstash: the data processing pipeline. Collects, filters, and sends data. Structure: Input → source of data; Filter → normalize data; Output → destination.
- Beats: lightweight agents that send data from endpoints.
- Kibana: the visualization tool, used for dashboards and investigations.
Answers:
- Logstash is used to visualize data → nay
- Elasticsearch supports all formats except JSON → nay
Task 3: Discover Tab (Log Analysis)
The Discover tab in Kibana is where SOC analysts spend most of their time.
Features:
- Logs view
- Fields panel
- Search bar (KQL)
- Time filter
- Index pattern
Answers:
- Total hits → 2861
- Max connections IP → 238.163.231.224
- User with max traffic → James
- Emanda max source IP → 107.14.1.247
- Spike IP (Jan 11) → 172.201.60.191
- Connections excluding New York → 48
Task 4: KQL (Kibana Query Language)
KQL helps in searching logs efficiently.
Types of Search:
- Free Text Search. Example: United States
- Field-Based Search. Example: Source_ip : 238.163.231.224
- Operators: AND, OR, NOT
Answers:
- Records (US + James OR Albert) → 161
- Johny Brown VPN after termination → 1
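To make the Task 2 pipeline structure (Input → Filter → Output) and the Task 4 search types concrete, here is an added example that is not code from this page or from Elastic: a tiny in-memory stand-in for the pipeline plus an evaluator for the KQL subset the page lists (free text, field : value, AND/OR/NOT). The log line layout, the field names (source_ip, user, country, city, action, status), the users and the IP addresses are all constructed for illustration; multi-word free-text terms must be quoted, and a line the filter cannot parse is dropped rather than indexed.

```python
"""Mini ELK-style pipeline plus a KQL-subset evaluator over constructed VPN log
lines. Added example, not from the page or from Elastic; all data is constructed."""
import re
from collections import Counter

# Constructed sample VPN log lines (what a Beats or Logstash input would read).
RAW_LINES = [
    '2024-01-11T09:12:03Z 203.0.113.10 alice "United States" "New York" login success',
    '2024-01-11T09:15:41Z 203.0.113.10 alice "United States" "New York" login success',
    '2024-01-11T10:02:17Z 198.51.100.7 bob "United States" "Chicago" login failure',
    '2024-01-11T10:02:55Z 198.51.100.7 bob "United States" "Chicago" login failure',
    '2024-01-12T08:44:09Z 192.0.2.25 carol "Canada" "Toronto" login failure',
    '2024-01-12T08:45:00Z 203.0.113.10 albert "United States" "Boston" login success',
    'malformed line that does not match the expected layout',
]

# Filter stage: normalize one raw line into a flat, JSON-like document.
LINE_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<source_ip>\S+) (?P<user>\S+) '
    r'"(?P<country>[^"]+)" "(?P<city>[^"]+)" (?P<action>\S+) (?P<status>\S+)$'
)

def normalize(line):
    """Return a field dict, or None for a line the pattern cannot parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def build_index(lines):
    """Input -> Filter -> Output; the output is an in-memory document list
    standing in for an Elasticsearch index."""
    return [doc for doc in map(normalize, lines) if doc is not None]

# KQL subset: free text, field : value, AND / OR / NOT and parentheses. Field
# names are matched case-insensitively, so Source_ip and source_ip are the same.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|:|[^\s:()"]+')

class _Parser:
    """Recursive descent; precedence from lowest to highest: OR, AND, NOT."""
    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self):
        return self.toks.pop(0) if self.toks else None
    def parse_or(self):
        return self._binary("OR", self.parse_and)
    def parse_and(self):
        return self._binary("AND", self.parse_not)
    def _binary(self, op, sub):
        node = sub()
        while (self.peek() or "").upper() == op:
            self.take()
            node = (op.lower(), node, sub())
        return node
    def parse_not(self):
        if (self.peek() or "").upper() == "NOT":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() == ":":                      # field-based search
            self.take()
            value = self.take()
            if value is None:
                raise ValueError(f"missing value for field {tok!r}")
            return ("field", tok.lower(), value.strip('"'))
        return ("text", tok.strip('"'))             # free-text search

def _matches(node, doc):
    kind = node[0]
    if kind == "or":
        return _matches(node[1], doc) or _matches(node[2], doc)
    if kind == "and":
        return _matches(node[1], doc) and _matches(node[2], doc)
    if kind == "not":
        return not _matches(node[1], doc)
    if kind == "field":                             # exact, case-insensitive value
        return str(doc.get(node[1], "")).lower() == node[2].lower()
    needle = node[1].lower()                        # free text: any field contains it
    return any(needle in str(v).lower() for v in doc.values())

def search(docs, query):
    """Return the documents matching a KQL-style query string."""
    parser = _Parser(query)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}; quote multi-word terms")
    return [d for d in docs if _matches(tree, d)]

def top_values(docs, field, n=3):
    """The 'top values' aggregation behind a Kibana table or pie chart."""
    return Counter(d[field] for d in docs).most_common(n)
```

Typical use mirrors the room's questions: `index = build_index(RAW_LINES)`, then `search(index, '"United States" AND (user:alice OR user:albert)')` for a combined country/user query, `search(index, 'NOT city:"New York"')` to exclude a location, and `top_values(search(index, "status:failure"), "user")` to get the per-user failed-login counts a visualization would chart.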
Task 5: Visualization
Kibana allows creating:
- Tables
- Pie charts
- Bar charts
Use Cases:
- Identify trends
- Correlate fields
- Monitor anomalies
Task 6: Failed Login Analysis
Created a visualization for failed VPN attempts.
Answers:
- User with most failed attempts → Simon
- Wrong attempts in January → 274
Task 7: Dashboard & Insights
Dashboards provide:
- Real-time monitoring
- Centralized view
- Easy anomaly detection
Task 8: Conclusion
Elastic Stack (ELK) is a powerful tool for SOC analysts. It helps in:
- Collecting logs
- Searching data
- Detecting threats
- Visualizing insights
It may not be a traditional SIEM, but it is widely used as one in real-world security operations.
Final Note
This hands-on lab gave real-world experience of:
- Investigating VPN logs
- Detecting anomalies
- Creating dashboards