Scenario: You log in to Kibana and notice there are no new logs within the past 15 minutes; the last time you received a log was 18 hours ago. You then run…
Category: Elasticsearch
Detecting Outbound connections Pt. 1 – Sysmon
I’ve been using Sysmon for quite some time now and it has made my life much easier when hunting for unknown processes or looking for outbound connections. My use case…
Advanced Sysmon filtering using Logstash
When I initially deployed Sysmon earlier last year I was amazed by the amount of detail it gathered, as well as the huge volume of logs that my ELK stack…
Sending Windows Event Forwarder Server (WEF) Logs to Elasticsearch (Winlogbeat)
Now that you are sending all of your logs to your Windows Event Forwarder, it’s time to forward them to Elasticsearch so we can visualize them in Kibana and make…
Incorporating Virustotal Data to Elasticsearch
Now that we’re collecting logs from various sources including Sysmon, we have access to file hash information. A while back I came across this SANS article on incorporating Virustotal to…
Setting up Elasticsearch 5.x – Monitoring and Visualizing Logs with Kibana Part 3/3
At this point you have set up the Elasticsearch stack along with a Windows host from which you are collecting logs using Winlogbeat. Now it’s time to start visualizing and searching…
Setting up Elasticsearch 5.x – Sending Windows Logs using WinLogbeat 5.x Part 2/3
Now that you have your Elasticsearch stack set up on multiple servers or a single server, it’s time to start sending some data over. Prerequisites: Winlogbeat – Download here (64-bit) Windows…
Setting up Elasticsearch 5.x (Single VM) on CentOS 7 Minimal Part 1/3
In this series we will go ahead and set up Elasticsearch 5 to collect Windows logs. The point of this tutorial is to set up a test environment for Elasticsearch on a…
Setting up Elasticsearch 5.x (Distributed) on CentOS 7 Minimal Part 1/3
In this series we will go ahead and set up Elasticsearch 5 to collect Windows logs. The point of this tutorial is to have a truly distributed test Elasticsearch cluster environment which…