If you get a chance you may briefly look at old articles related to this topic as I will be briefly referencing them or quickly summarizing portions of my configuration…. [Continue Reading]
Category: logstash
Tracking & Monitoring Domain Admins with Logstash
Whether your environment was compromised and someone got a hold of your Domain Admin account, or you’re just ensuring that domain admins are logging in to expected systems. It is… [Continue Reading]
Threat Hunting: Finding Persistence Mechanisms
I wanted to write about the importance of checking for new services as this is an avenue in which attackers leverage their persistence methods. While looking at newly created services… [Continue Reading]
Remote Connection Dashboards: VNC & RDP
Accountability is important, and sometimes we might need to investigate who made certain changes at a specific time, or ensure that our privileged accounts are not logging in to other… [Continue Reading]
Labeling endpoint actions with Logstash – Threat Hunting
There’s been plenty of instances where I have to go through an investigation after a user has clicked on a phishing email and find out what happened later. After performing… [Continue Reading]
Monitoring Active Directory with ELK
Can you tell me where this account is getting locked out from? is a frequent question that I would get often by Help Desk, or anyone in general; therefore, I… [Continue Reading]
Importing McAfee ePO Threat events to ELK
Since I’ve struggled to get McAfee ePO to send syslogs to my ELK environment, I decided to leverage the SQL JDBC driver and logstash JDBC plug-in to pull threat records… [Continue Reading]
Triton AP-Websense SIEM Logstash Output Configuration
The following configuration will make it easier to parse Syslog messages sent from your Websense appliance to your ELK stack. If you need assistance setting up SIEM integration with Websense… [Continue Reading]
Monitoring Domain Group Membership Changes With ELK
Khoa previously wrote about monitoring AD Group Membership changes using his Powershell script which can be found here. In this article we will be setting up a Logstash filter that… [Continue Reading]
Collecting and sending Windows Firewall Event logs to ELK
Monitoring Windows Host-based firewall Host-based firewalls are a great way to monitor any strange connections that might be sourcing from your system, or if there’s any unexpected internal connections within… [Continue Reading]