Elastic Stack: used as a SIEM solution. Originally built to store, search and visualize large volumes of data; organizations use it for application monitoring, and it is now also used in security operations.
Contains: Elasticsearch, Logstash, Beats and Kibana. Elasticsearch handles indexing and searching; Logstash does data processing. Logstash takes in user-provided data, filters and normalizes it, and finally outputs the data to Kibana for visualization or to the Elasticsearch database.
Beats are shippers that transfer data from endpoints to Elasticsearch; Beats are data collectors only.
Beats (collect data such as Windows logs and network packets) -> Logstash collects the data from Beats, normalizes it and stores it as key-value pairs in the Elasticsearch database -> Elasticsearch is the database that holds all the normalized data -> Kibana is the visualization tool for the data in Elasticsearch.
Free-form search:
Elastic Stack uses Kibana Query Language (KQL).
NOT operator in free-form search:
Field-based search uses a colon between the field name and the value and is not a free-form search:
Creating a "failed" filter to see how many IPs failed to connect:

- Apply the filter.
- Click the field you want to visualize: I clicked Source IP.
- Click "as Table" to see the data properly.
- We can just drag and drop the username to correlate and see which user had the failed IP or which user had the failed connection; we can use the vpn_connection field or whatever field is available.
This is what we see with the details of the user and the IP.
We can also apply other visualizations, such as a bar graph or a pie chart.
To add data to the dashboard, we just click Dashboard, click "Add from library", and we have to SAVE IT.
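The three KQL search styles above (free-form, NOT, field-based) and the "failed connections per source IP" table built in the steps above, modelled in a small Python script. This is an added example written for these notes, not code from Elastic or from the original page: the VPN log events, the field names (source_ip, username, vpn_connection) and their values are constructed for illustration and are assumptions, not data from a real deployment. The point it shows is why the colon matters: a free-form search for `failed` also matches a username that happens to contain the word, while `vpn_connection: failed` only matches the status field.

```python
"""Added example: a minimal model of KQL free-form / NOT / field-based
searches and of the failed-connection-per-IP table from the notes.
All events below are constructed sample data (an assumption), with
hypothetical field names source_ip, username and vpn_connection."""
from collections import Counter, defaultdict

# Constructed sample events shaped like normalized VPN connection logs.
# Note the user "failedsvc": its name contains the word "failed" even
# though its connection succeeded.
VPN_EVENTS = [
    {"source_ip": "10.0.0.5",  "username": "alice",     "vpn_connection": "successful"},
    {"source_ip": "10.0.0.9",  "username": "bob",       "vpn_connection": "failed"},
    {"source_ip": "10.0.0.9",  "username": "bob",       "vpn_connection": "failed"},
    {"source_ip": "10.0.0.12", "username": "carol",     "vpn_connection": "failed"},
    {"source_ip": "10.0.0.5",  "username": "alice",     "vpn_connection": "failed"},
    {"source_ip": "10.0.0.12", "username": "carol",     "vpn_connection": "successful"},
    {"source_ip": "10.0.0.7",  "username": "failedsvc", "vpn_connection": "successful"},
]


def free_form_search(events, term):
    """KQL free-form search, e.g.  failed
    Matches when the term appears in ANY field value (case-insensitive)."""
    term = term.lower()
    return [e for e in events if any(term in str(v).lower() for v in e.values())]


def not_search(events, term):
    """KQL NOT operator in free-form search, e.g.  not failed
    Keeps only the events in which the term appears in no field at all."""
    term = term.lower()
    return [e for e in events if not any(term in str(v).lower() for v in e.values())]


def field_search(events, field, value):
    """KQL field-based search, e.g.  vpn_connection: failed
    The colon restricts the match to one named field."""
    value = value.lower()
    return [e for e in events if str(e.get(field, "")).lower() == value]


def failed_by_source_ip(events):
    """The 'apply filter, visualize Source IP as Table' step:
    count failed connections per source IP, most frequent first."""
    failed = field_search(events, "vpn_connection", "failed")
    return Counter(e["source_ip"] for e in failed).most_common()


def failed_ip_user_correlation(events):
    """The drag-and-drop correlation step: which usernames sit behind
    each source IP that had a failed connection."""
    failed = field_search(events, "vpn_connection", "failed")
    table = defaultdict(set)
    for e in failed:
        table[e["source_ip"]].add(e["username"])
    return {ip: sorted(users) for ip, users in table.items()}


if __name__ == "__main__":
    print("free-form 'failed' matches:", len(free_form_search(VPN_EVENTS, "failed")))
    print("'not failed' matches:      ", len(not_search(VPN_EVENTS, "failed")))
    print("field search matches:      ", len(field_search(VPN_EVENTS, "vpn_connection", "failed")))
    for ip, n in failed_by_source_ip(VPN_EVENTS):
        print(f"{ip:<10} {n} failed connection(s)")
    print(failed_ip_user_correlation(VPN_EVENTS))
```

Running it shows five free-form hits (the extra one is the "failedsvc" user) against four field-based hits, which is exactly the false positive a field-based search avoids when you build the failed-IP table.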
