WS - 7

Building a threat hunting platform using Elastic Stack

Workshop Objective:

It is important to keep pace with the attack vectors of today and tomorrow, so we need a solution that helps us hunt for a needle in a haystack. A solution that collates, sanitizes and stores security event information enables further analysis by a SOC analyst, and a single pane of glass for that analysis is the need of the hour. But what tools would help me achieve this?

Elasticsearch, the core of what is otherwise called the Elastic Stack (ELK-B), is an appropriate engine for searching petabytes of data in real time, which lets you do threat hunting in real time.

Elasticsearch is the world's most popular distributed search engine. Developers across the world have built various solutions on it that power many interesting user experiences. Over time, Elasticsearch has become omnipresent and the stack's use cases keep growing.

In this workshop we will discuss building a threat hunting solution on top of Elasticsearch.

Course Content (ToC):

  • Day 01
    • Elastic Stack Overview
      • Introduction to Elastic Stack
      • Use Cases
      • Technical Deep Dive of Elasticsearch
        • Terms
        • Distributed Nature and Scaling
        • Managing Data (CRUD), Index Lifecycle Management
        • Queries
        • Architecture & Capacity Planning
        • Lab - 01
    • Technical Deep Dive of Logstash
      • Terms
      • Important Plugins
      • Ingesting Streaming Data
      • Working with Internal Queues
      • Architecture & Capacity Planning
      • Lab - 02
    • Technical Deep Dive of Beats
      • Beats Framework Overview
      • Types of Beats
      • Elastic Common Schema (ECS)
      • Configuration Files
      • Deploying Beats (Cloud, OnPrem, Containers)
      • Modules & Auto Discovery
      • Lab - 03
    • Overview of Kibana
      • Kibana Overview
      • Setting up Visualizations
      • Monitoring Stack using Kibana
  • Day 02
    • Elastic SIEM Overview
      • Introduction to SIEM & Threat Hunting
      • Various Data Sources
      • Understanding SIEM UI
      • Triage and investigate host events with Elastic SIEM
      • Lab - 01
    • Analysing Host Data
      • Introduction to Host Security
      • Ingesting Windows/Linux/macOS host data
      • Lab - 02
    • Analysing Network Data
      • Introduction to Network Security
      • Introduction to MITRE ATT&CK™
      • Finding host level TTPs using Kibana
      • Lab - 03
    • Making Data Insights Actionable
      • Alerting Framework
      • Running Machine Learning Jobs on Security Data
        • Anomaly Detection
        • Population Outlier Detection
        • Forecasting
      • Lab - 04

Hardware Requirements:

  • Laptop with Admin privileges
  • Ability to access any URL
  • At least 8GB of RAM and 10GB of free disk space on the system
  • Laptop should support hardware-based virtualization
  • If your laptop can run a 64-bit virtual machine in Oracle VirtualBox, it should work
  • Other virtualization software might work, but we will not be able to provide support for it
  • USB ports for copying data

What is not covered?

Elastic Stack is an ocean with a lot of features and interesting configuration parameters that are impossible to learn in 2 days. So this is just a primer and a great start to doing something awesome.

Participants’ Requirements:

  • Basic knowledge of Distributed Systems, REST APIs
  • Experience with Linux commands/modules/OS Concepts

Who should attend:

  • Day 1: Open to everyone, as we explore the overall stack.
  • Day 2: Specifically for SecOps teams, SOC analysts, and developers building security platforms.

Speaker Profile:

Aravind, Developer Advocate, Elastic

Aravind is passionate about evangelising technology, meeting developers and helping solve their problems. He is a backend developer with seven years of development experience.

Currently he works at Elastic as a Developer Advocate and looks after the Developer Relations function for India & SE Asia. Previously, he worked at McAfee Antivirus as a Sr. Software Engineer in the Cloud Security domain. He has a deep interest in Search, Machine Learning, Security Incident Analysis and IoT tech. In his free time, he plays around with a Raspi or an Arduino.

Conference Partners

  • ISRA

Platinum Sponsors

  • Bharat Petroleum | Oil & Gas Companies
  • GAS (India) Limited
  • South Indian Bank
  • R P Group
  • Cochin Shipyard Ltd

Gold Sponsors

  • VenSec
  • Federal Bank
  • IT Mission
  • National Technical Research Organisation (NTRO)

Silver Sponsors

  • Dell
  • State Bank of India
  • CyberARC
  • Palo Alto Networks
  • Ramada Resort, Kochi
  • Indian Oil Corporation
  • Petronet LNG

Bronze Sponsors

  • CloudSEK
  • Geogit
  • Trend Micro
  • Vodafone
  • Aster Medicity
  • azr

  • Fortinet
  • Zenletics Cyber Security Solutions Pvt. Ltd

  • Cloud Security Alliance
  • ISC2 Bangalore