Enriching Elastic security logs with internal network information (IPAM), MISP threat intelligence and GeoIP location data greatly helps analysts research and classify events. But even better, the power of the Elastic Query DSL lets us combine these enrichments to create powerful threat hunting visualizations and executive dashboards. Learn how you can build real-time visualizations to display your most targeted assets and your most active attackers. New queries become possible, for example detecting anomalous login network latencies based on the geographical distance between source and destination. Heat maps can now visualize targeted subnets and highlight malicious insider activities.
This presentation will briefly summarize previous presentations on how to enrich security logs. It then focuses on how to use these enrichments to create new, integrative use cases on the forefront of modern threat detection.
Authors: George Boitano, Murali Venkataraman
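As an added illustration of the latency-versus-distance query mentioned above (example code, not part of the presentation's material), the following Python compares each login's observed round-trip time against the physical minimum implied by the great-circle distance between the GeoIP-located source and the IPAM-located destination. The ECS-style field names, the 200 km/ms fibre propagation speed and the sample events are assumptions.

```python
import math

# Assumption: light in fibre travels at roughly 2/3 c, about 200 km/ms, so a
# round trip over the great-circle distance cannot take less than 2*d/200 ms.
FIBRE_KM_PER_MS = 200.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two GeoIP coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def rtt_floor_ms(distance_km):
    """Physical lower bound on round-trip time for a given distance."""
    return 2 * distance_km / FIBRE_KM_PER_MS

def check_login_latency(event, slack_ms=1.0):
    """Return (flagged, reason). A login whose observed RTT beats the physical
    floor for the GeoIP-to-IPAM distance carries a wrong source location claim
    (stale GeoIP, VPN exit node, proxied traffic) and deserves analyst attention."""
    src, dst = event["source.geo"], event["destination.geo"]
    dist = haversine_km(src["lat"], src["lon"], dst["lat"], dst["lon"])
    floor = rtt_floor_ms(dist)
    observed = event["network.rtt_ms"]
    if observed + slack_ms < floor:
        return True, f"{observed} ms RTT below {floor:.1f} ms physical floor for {dist:.0f} km"
    return False, ""

def find_anomalies(events):
    """(event id, reason) for every event that fails the check."""
    results = [(ev["event.id"], check_login_latency(ev)) for ev in events]
    return [(eid, why) for eid, (flagged, why) in results if flagged]

# Constructed sample events (not real data): source.geo from GeoIP enrichment,
# destination.geo from the IPAM lookup, network.rtt_ms from TCP handshake timing.
SAMPLE_EVENTS = [
    {"event.id": "evt-1", "source.geo": {"lat": 51.5074, "lon": -0.1278},   # London
     "destination.geo": {"lat": 40.7128, "lon": -74.0060}, "network.rtt_ms": 3.0},  # New York
    {"event.id": "evt-2", "source.geo": {"lat": 51.5074, "lon": -0.1278},
     "destination.geo": {"lat": 40.7128, "lon": -74.0060}, "network.rtt_ms": 78.0},
    {"event.id": "evt-3", "source.geo": {"lat": 40.7300, "lon": -73.9900},   # same metro
     "destination.geo": {"lat": 40.7128, "lon": -74.0060}, "network.rtt_ms": 2.0},
]
```

Only evt-1 is flagged: a 3 ms round trip is impossible for a London-to-New York path, so its GeoIP source claim cannot be trusted.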