Enriching Elastic security logs with internal network information (IPAM), MISP threat intelligence and GeoIP location data greatly helps analysts research and classify events. Better still, the Elastic Query DSL lets us combine these enrichments to create powerful threat hunting visualizations and executive dashboards. Learn how you can build real-time visualizations that display your most targeted assets and your most active attackers. New queries become possible, for example detecting anomalous login network latencies based on the geographical distance between source and destination. Heat maps can now visualize targeted subnets and highlight malicious insider activity.
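As an added example, not code from this abstract or from the authors, the following Python shows one way to implement the latency-versus-distance check the abstract mentions over a constructed batch of GeoIP-enriched login events. It assumes the coordinates have already been attached by a GeoIP enrichment step; the 200 km/ms fibre propagation figure and the 10x slack factor are illustrative assumptions, not values from the talk.

```python
import math

# Constructed sample of GeoIP-enriched login events (assumed shape, not from any real system).
# src_geo / dst_geo are (latitude, longitude) pairs attached by GeoIP enrichment;
# rtt_ms is the measured TCP round-trip time for the login connection.
SAMPLE_LOGINS = [
    {"user": "alice", "src_geo": (42.36, -71.06),  "dst_geo": (37.77, -122.42), "rtt_ms": 78.0},   # Boston -> SF, plausible
    {"user": "bob",   "src_geo": (51.51, -0.13),   "dst_geo": (37.77, -122.42), "rtt_ms": 12.0},   # London -> SF in 12 ms: physically impossible
    {"user": "carol", "src_geo": (37.78, -122.41), "dst_geo": (37.77, -122.42), "rtt_ms": 950.0},  # same city but very slow: worth a look
]

EARTH_RADIUS_KM = 6371.0
# Assumption: signal propagation in fibre is roughly 200 km per millisecond (about 2/3 c).
FIBRE_KM_PER_MS = 200.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km):
    """Lower bound on round-trip time: the distance must be covered twice at fibre speed."""
    return 2 * distance_km / FIBRE_KM_PER_MS


def classify_login(event, slow_factor=10.0, floor_ms=5.0):
    """Compare measured RTT with the geographic lower bound.

    impossible_latency: RTT is below what the distance physically allows, so the
                        GeoIP source location and the network path disagree
                        (proxy/VPN, spoofed or stale GeoIP data, or a bad measurement).
    excess_latency:     RTT is far above what the distance would suggest, e.g. traffic
                        tunnelled through a distant relay.
    plausible:          RTT is consistent with the enriched locations.
    """
    distance = haversine_km(event["src_geo"], event["dst_geo"])
    lower = min_rtt_ms(distance)
    rtt = event["rtt_ms"]
    if rtt < lower:
        return "impossible_latency"
    # floor_ms keeps very short distances from producing an unreasonably tight upper bound.
    if rtt > slow_factor * max(lower, floor_ms):
        return "excess_latency"
    return "plausible"


def flag_anomalies(events):
    """Return (user, verdict) for every login that is not plausible."""
    return [(e["user"], v) for e in events if (v := classify_login(e)) != "plausible"]


if __name__ == "__main__":
    for user, verdict in flag_anomalies(SAMPLE_LOGINS):
        print(f"{user}: {verdict}")
```

In an Elastic deployment the same computation would run inside the pipeline (for example as an ingest or runtime field) so that the verdict becomes a filterable field on the event, which is what lets a heat map or dashboard group anomalous logins by subnet or user.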
This presentation will briefly summarize previous presentations on how to enrich security logs. It then focuses on how to use these enrichments to create new, integrative use cases on the forefront of modern threat detection.
Authors: George Boitano, Murali Venkataraman
George Boitano is a developer, inventor and entrepreneur with over 20 years of experience in data security for large enterprises. As a founder of Security Integration in 1990, he served as technical officer and authored U.S. patent US5305456: Apparatus and Method for Computer System Integrated Security. After its acquisition by Rocket Software in 2004, George consulted at LogLogic, Aveksa, Verisign, Secureworks and Dell Services as a developer for SIEM and IDM products. Since 2009, George has led SEMplicity, a boutique consultancy focused today on Elastic security and observability implementations and conversions for large enterprises. George holds a bachelor's degree in physics from Harvard University.