logstash Archives

Labeling endpoint actions with Logstash – Threat Hunting

by Pablo Delgado on May 4, 2018May 4, 2018

There’s been plenty of instances where I have to go through an investigation after a user has clicked on a phishing email and find out what happened later. After performing… [Continue Reading]

Monitoring Active Directory with ELK

by Pablo Delgado on May 3, 2018May 3, 2018

Can you tell me where this account is getting locked out from? is a frequent question that I would get often by Help Desk, or anyone in general; therefore, I… [Continue Reading]

Importing McAfee ePO Threat events to ELK

by Pablo Delgado on May 1, 2018May 1, 2018

Since I’ve struggled to get McAfee ePO to send syslogs to my ELK environment, I decided to leverage the SQL JDBC driver and logstash JDBC plug-in to pull threat records… [Continue Reading]

Triton AP-Websense SIEM Logstash Output Configuration

by Pablo Delgado on April 12, 2018April 12, 2018

The following configuration will make it easier to parse Syslog messages sent from your Websense appliance to your ELK stack. If you need assistance setting up SIEM integration with Websense… [Continue Reading]

Monitoring Domain Group Membership Changes With ELK

by Pablo Delgado on January 9, 2018January 12, 2018

Khoa previously wrote about monitoring AD Group Membership changes using his Powershell script which can be found here. In this article we will be setting up a Logstash filter that… [Continue Reading]

Collecting and sending Windows Firewall Event logs to ELK

by Pablo Delgado on October 4, 2017October 5, 2017

Monitoring Windows Host-based firewall Host-based firewalls are a great way to monitor any strange connections that might be sourcing from your system, or if there’s any unexpected internal connections within… [Continue Reading]

Troubleshooting ELK Elasticsearch & Logstash Pt 2 of 2

by Pablo Delgado on October 3, 2017October 3, 2017

Troubleshooting Logstash Logstash is our log parser and shipper that gets logs and writes them to the elasticsearch database which creates a daily or weekly index depending on your configuration…. [Continue Reading]

Detecting Outbound connections Pt. 3 – Microsoft IPs & Private IPs

by Pablo Delgado on August 31, 2017March 27, 2018

At this point you’re still excited about logging any outbound connections made by your endpoints, specially knowing exactly “what” made those connections (.exe, .dlls, .tmp, etc..) because of Sysmon. Now… [Continue Reading]

Detecting Outbound connections Pt. 2 – Logstash + Threat Intelligence

by Pablo Delgado on August 26, 2017September 3, 2017

Now that you have been collecting outbound connection logs from sysmon or your firewalls, the next step is to ask ourselves, how do we enhance that data? Geo-tagging IP addresses,… [Continue Reading]