On-demand webinar

Detecting Threats by Analyzing Windows Event Logs with the Elastic (ELK) Stack

Hosted by:

Justin Henderson

Founder & Lead Consultant

H&A Security Solutions

Mike Paquette

Sr. Director Product Management, Security

Elastic

Overview

Your best opportunity to catch an adversary is at the point of attack, before they progress from their initial foothold in your environment. Does your organization collect the data necessary to detect and respond at the endpoint? If your SecOps team collects host logs only from critical servers—and not from your wider set of endpoints—their visibility and effectiveness will be limited.

Security analysts and incident responders can reduce the impact of cyber incidents by gleaning insights from Windows Event Logs using the Elastic Stack (formerly the ELK Stack). This same data is valuable for compliance efforts (e.g., PCI-DSS, SOX, and other key regimes and frameworks) and countless operations use cases.

Justin Henderson of H&A Security Solutions and Mike Paquette of Elastic show you how to use Windows Event Logs to detect threats targeting your infrastructure. They present a common attack scenario, showing the many steps in the cyber kill chain where Windows Event Logs can reveal an attack.

They lead a demo showing:

  • Ingestion of Windows Event Logs
  • Configuration of data enrichment
  • Detection of attacks with automated analytics
  • Analysis and visualization of data
