Building Security Dashboards on ELK Stack/Elasticsearch to supercharge your SIEM

Video description

This video, by John R. Nash of Phreedom Technologies [https://www.phreedom.com], is about building security dashboards in Elasticsearch from Windows event logs and firewall syslog.

We walk through the steps to select a logging platform and then implement an Elasticsearch cluster, a Logstash layer and Cerebro, ingest and parse data, perform initial discovery and reporting in Kibana, and finally use Grafana to create more advanced graphs.

See the table of contents below:

Overview / Agenda / Intro 1:02
The need for security monitoring 1:16
What do we have to work with? 2:07
Getting started with log analysis 3:34
What data should be collected? 5:41
Firewall and Windows log data 6:18
Typical logging architecture 9:44
Selecting a logging platform 10:40
Merits of Elasticsearch/ELK 13:46
Elasticsearch deployment 17:25
Phreedom ELK topology 19:42
Cerebro intro 27:00
Logstash deployment 29:18
Configuring SysLog on your FW 32:26
Installing Winlogbeat agents 32:40
Ingesting data into Elasticsearch 32:57
Elasticsearch indices 33:22
Installing Kibana 33:47
Kibana overview 35:09
Using Kibana 35:20
Building security reports 36:56
SIEM security questions 37:12
FortiGate log types 37:42
Windows Eventlog types (Channels) 37:52
NSA whitepaper on Windows IOC 38:24
Nagios PowerShell IOC Check 39:03
Investigating your Windows Data with Kibana 39:48
Investigating your Firewall Traffic with Kibana 41:29
Kibana - Visualize 42:55
Kibana - TimeLion 43:33
Installing / Using Grafana 44:40
Building your first Grafana Graphs 45:32
Grafana - Windows Failed Logins 45:41
Grafana - Firewall Policy Heatmap 46:26
Grafana - TCP Session Count by Server 47:01
Final Security Dashboard 47:36
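The description covers ingesting and parsing firewall syslog and Windows event logs and then reporting on them; the three Grafana panels in the table of contents (Windows failed logins, firewall policy heatmap, TCP session count by server) are each an aggregation over those parsed records. The following is an added example, not code from the video or from Phreedom Technologies: it parses FortiGate-style key=value syslog lines and Winlogbeat-style Windows events in plain Python and computes the counts each panel would show. The sample log lines and events are constructed for the example; the FortiGate field names (srcip, dstip, proto, action, policyname, time) and the Winlogbeat layout (winlog.event_id, winlog.computer_name, winlog.event_data.*) are assumptions to verify against your own firmware and agent version, and the brute-force threshold is illustrative.

```python
"""Added example: parse FortiGate key=value syslog and Winlogbeat-style
Windows events, then compute the counts behind the three dashboard panels
(failed logins, policy heatmap, TCP sessions by server).
All sample data below is constructed for this example."""
import re
from collections import Counter

# FortiGate syslog bodies are space-separated key=value pairs; a value is
# either a bare token or a double-quoted string that may contain spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate(line: str) -> dict:
    """Return {key: value} for one FortiGate syslog line.

    Anything before the first key=value pair (the <PRI> tag, or a relay's
    timestamp and hostname) never matches key=value and is skipped.
    Quoted values are consumed whole, so an '=' inside a quoted message
    is not mistaken for a new field.
    """
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def tcp_sessions_by_server(records) -> Counter:
    """Accepted TCP (proto 6) sessions per destination IP: the 'TCP Session
    Count by Server' panel. Denied traffic is excluded so a port scan
    against a host does not inflate its session count."""
    return Counter(r["dstip"] for r in records
                   if r.get("proto") == "6" and r.get("action") == "accept")


def policy_heatmap(records) -> Counter:
    """Hits per (policy name, hour of day): the 'Firewall Policy Heatmap'
    panel, bucketed on the FortiGate 'time' field (HH:MM:SS)."""
    return Counter((r["policyname"], r["time"][:2]) for r in records)


def failed_logins(events) -> Counter:
    """Event ID 4625 (failed logon) per (computer, target user): the
    'Windows Failed Logins' panel. Field names follow Winlogbeat's winlog.*
    layout (assumed here; check your agent version)."""
    hits = Counter()
    for ev in events:
        w = ev["winlog"]
        if w["event_id"] == 4625:
            hits[(w["computer_name"], w["event_data"]["TargetUserName"])] += 1
    return hits


def brute_force_sources(events, threshold: int = 2) -> list:
    """Source IPs with at least `threshold` failed logons, a minimal check
    to run over the same data. The threshold is an illustrative assumption;
    tune it to your environment's baseline."""
    by_ip = Counter(ev["winlog"]["event_data"]["IpAddress"] for ev in events
                    if ev["winlog"]["event_id"] == 4625)
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


# Constructed sample FortiGate traffic logs (not captured from a real device).
FORTIGATE_SYSLOG = [
    '<189>date=2024-03-01 time=09:15:02 devname="fw01" type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=5 policyname="LAN to WAN" service="HTTPS" sentbyte=1200 rcvdbyte=4800',
    '<189>date=2024-03-01 time=09:47:40 devname="fw01" type="traffic" subtype="forward" srcip=10.0.0.7 srcport=49001 dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=5 policyname="LAN to WAN" service="HTTPS" sentbyte=900 rcvdbyte=3100',
    '<189>date=2024-03-01 time=10:03:11 devname="fw01" type="traffic" subtype="forward" srcip=10.0.0.5 srcport=53010 dstip=198.51.100.20 dstport=53 proto=17 action="accept" policyid=5 policyname="LAN to WAN" service="DNS" sentbyte=70 rcvdbyte=150',
    '<189>date=2024-03-01 time=10:22:58 devname="fw01" type="traffic" subtype="forward" srcip=198.51.100.77 srcport=40022 dstip=10.0.0.10 dstport=3389 proto=6 action="deny" policyid=0 policyname="Implicit Deny" service="RDP" sentbyte=0 rcvdbyte=0',
    '<189>date=2024-03-01 time=10:25:13 devname="fw01" type="traffic" subtype="forward" srcip=10.0.0.8 srcport=52000 dstip=10.0.0.10 dstport=445 proto=6 action="accept" policyid=12 policyname="LAN to Servers" service="SMB" sentbyte=5000 rcvdbyte=20000',
]

# Constructed sample Windows events in an assumed Winlogbeat-like shape.
WINDOWS_EVENTS = [
    {"winlog": {"event_id": 4625, "computer_name": "DC01",
                "event_data": {"TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": "3"}}},
    {"winlog": {"event_id": 4625, "computer_name": "DC01",
                "event_data": {"TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": "3"}}},
    {"winlog": {"event_id": 4624, "computer_name": "DC01",
                "event_data": {"TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": "3"}}},
    {"winlog": {"event_id": 4625, "computer_name": "FS01",
                "event_data": {"TargetUserName": "administrator", "IpAddress": "10.0.0.8", "LogonType": "10"}}},
]

if __name__ == "__main__":
    fw = [parse_fortigate(line) for line in FORTIGATE_SYSLOG]
    print("TCP sessions by server:", dict(tcp_sessions_by_server(fw)))
    print("Policy heatmap:", dict(policy_heatmap(fw)))
    print("Failed logins:", dict(failed_logins(WINDOWS_EVENTS)))
    print("Brute-force sources:", brute_force_sources(WINDOWS_EVENTS))
```

In a real pipeline the parsing step belongs in Logstash (a kv filter handles the FortiGate format) and the counting in an Elasticsearch terms or date_histogram aggregation that Grafana queries; the functions above make the same grouping explicit so the panel numbers can be checked against a known input before trusting the dashboard.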
