book

Threat Hunting with Elastic Stack

Name: Threat Hunting with Elastic Stack
Author: Andrew Pease
ISBN: 9781801073783

by Andrew Pease

July 2021

Intermediate to advanced

392 pages

7h 20m

English

Packt Publishing

Read now

Unlock full access

Threat Hunting with Elastic Stack
Contributors
About the author
About the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesCode in ActionDownload the color imagesConventions usedGet in touchShare Your Thoughts
Section 1: Introduction to Threat Hunting, Analytical Models, and Hunting Methodologies
Chapter 1: Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks
What is cyber threat intelligence?The Intelligence PipelineThe Lockheed Martin Cyber Kill ChainReconnaissanceWeaponizationDeliveryExploitationInstallationCommand & ControlActions on the ObjectiveMITRE's ATT&CK MatricesThe Diamond ModelAdversary (a)Infrastructure (i)Victim (v)Capabilities (c)MotivationsDirectionalityStrategic, operational, and tactical intelligenceSummaryQuestionsFurther reading
Chapter 2: Hunting Concepts, Methodologies, and Techniques
Introducing threat hunting Measuring successThe Six D'sThe Pyramid of PainHash valuesIP addressesDomain namesNetwork/host artifactsToolsTTPsProfiling dataExpected dataDetection typesMachine learningMissing dataData pattern of lifeIndicatorsThe depreciation life cycleIndicator decayShunningThe deprecation pipelineThe HIPESR modelSummaryQuestionsFurther reading
Section 2: Leveraging the Elastic Stack for Collection and Analysis
Chapter 3: Introduction to the Elastic Stack
Technical requirementsIntroducing LogstashInput pluginsFilter pluginsOutput pluginsElasticsearch, the heart of the stackBringing data into ElasticsearchBeats and AgentsFilebeatPacketbeatWinlogbeatElastic AgentViewing Elasticsearch data with KibanaUsing Kibana to view Elasticsearch dataElastic solutionsEnterprise SearchObservabilitySecuritySummaryQuestionsFurther reading
Chapter 4: Building Your Hunting Lab – Part 1
Technical requirementsYour lab architectureHypervisorBuilding an Elastic machineCreating the Elastic VMInstalling CentOSEnabling the internal network interfaceInstalling VirtualBox Guest AdditionsSummaryQuestions

Chapter 5: Building Your Hunting Lab – Part 2
Technical requirementsInstalling and configuring ElasticsearchAdding the Elastic repositoryInstalling ElasticsearchSecuring ElasticsearchInstalling Elastic AgentInstalling and configuring KibanaInstalling KibanaConnecting Kibana to ElasticsearchConnecting to Kibana from a browserEnabling the detection engine and FleetDetection engineFleetEnrolling Fleet ServerBuilding a victim machineCollecting the operating systemsCreating the virtual machineInstalling WindowsFilebeat Threat Intel moduleSummaryQuestionsFurther reading
Chapter 6: Data Collection with Beats and Elastic Agent
Technical requirementsData flowConfiguring Winlogbeat and PacketbeatInstalling BeatsConfiguring Sysmon for endpoint collectionConfiguring Elastic AgentDeploying Elastic AgentSummaryQuestionsFurther reading
Chapter 7: Using Kibana to Explore and Visualize Data
Technical requirementsThe Discover appThe spaces selectorThe search barThe filter controllerThe Index Pattern selectorThe field name search barThe field type searchAvailable fieldsThe Kibana search barThe query language selectorThe date pickerThe Action menuSupport informationThe search/refresh buttonThe timeboxThe Event viewExerciseQuery languagesLuceneKQLEQLThe Visualize appConsiderationsThe data tableBar chartsPie chartsLine chartsOthersLensExerciseThe Dashboard appSummaryQuestionsFurther reading
Chapter 8: The Elastic Security App
Technical requirementsThe Elastic Security app overviewThe detection engineManaging detection rulesCreating a detection ruleTrend timelineHostsNetworkTimelinesCasesAdministrationSummaryQuestionsFurther reading
Section 3: Operationalizing Threat Hunting
Chapter 9: Using Kibana to Pivot Through Data to Find Adversaries
Technical requirementsConnecting events with a timelineUsing observations to perform targeted huntsPivoting to find more infectionsGenerating tailored detection logicSummaryQuestionsFurther reading
Chapter 10: Leveraging Hunting to Inform Operations
Technical requirementsAn overview of incident responsePreparationDetection and analysisContainmentEvictionRecoveryLessons learnedUsing threat hunting information to assist IRPrioritizing improvements to the security postureLockheed Martin Cyber Kill ChainUsing external information to drive hunting techniquesSummaryQuestionsFurther reading
Chapter 11: Enriching Data to Make Intelligence
Technical requirementsEnhancing analysis with open source toolsMITRE ATT&CK NavigatorEnriching events with third-party toolsIPinfoAbuse.ch's ThreatFoxVirusTotalEnrichments within ElasticSummaryQuestionsFurther reading
Chapter 12: Sharing Information and Analysis
Technical requirementsThe Elastic Common SchemaDescribing data uniformlyCollecting non-ECS dataImporting and exporting Kibana saved objectsTypeTagsExportImportDeveloping and contributing detection logicSummaryQuestionsFurther reading
Assessments
Chapter 1 – Introduction to Cyber Threat Intelligence, Analytical Models, and FrameworksChapter 2 – Hunting Concepts, Methodologies, and TechniquesChapter 3 – Introduction to the Elastic StackChapter 4 – Building Your Hunting Lab – Part 1Chapter 5 – Building Your Hunting Lab – Part 2Chapter 6 – Data Collection with Beats and the Elastic AgentChapter 7 – Using Kibana to Explore and Visualize DataChapter 8 – The Elastic Security AppChapter 9 – Using Kibana to Pivot through Data to Find AdversariesChapter 10 – Leveraging Hunting to Inform OperationsChapter 11 – Enriching Data to Make IntelligenceChapter 12 – Sharing Information and Analysis
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Overview

"Threat Hunting with Elastic Stack" is your comprehensive guide to using Elastic Security tools effectively for monitoring, detection, and hunting cyber threats. With a detailed focus on configuration, methodologies, and hands-on application within the Elastic ecosystem, this book equips you to protect networks with confidence against a range of security adversaries.

What this Book will help me do

Master the setup and configuration of Elastic Stack for a robust security hunting environment.
Understand and apply advanced cyber threat intelligence models and analytical frameworks.
Leverage Elastic tools, including Kibana and Beats, for data collection and analysis.
Perform sophisticated threat analysis and hunter operations using Kibana's integrated apps.
Gain actionable knowledge to build and enhance security infrastructure using Elastic technologies.

Author(s)

None Pease is a seasoned cybersecurity expert and practitioner with years of hands-on experience in network security and defense. Specializing in utilizing Elastic Security tools for threat detection, None's teaching incorporates practical examples and industry-best approaches. None is passionate about simplifying complex security systems for professional advancement.

Who is it for?

This book is ideal for security analysts, cybersecurity professionals, and SOC team members seeking to extend their expertise with Elastic Security. If you have introductory knowledge of IT security and network systems and use tools like Kibana, this resource will help you advance skills for robust threat detection and response.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781801073783

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills