Detecting Threats by Analyzing Windows Event Logs with the Elastic (ELK) Stack

Your best opportunity to catch an adversary is at the point of attack, before they progress from their initial foothold in your environment. Does your organization collect the data necessary to detect and respond at the endpoint? If your SecOps team collects host logs only from critical servers—and not from your wider set of endpoints—their visibility and effectiveness will be limited.

Security analysts and incident responders can reduce the impact of cyber incidents by gleaning insights from Windows Event Logs using the Elastic Stack (formerly the ELK Stack). This same data is valuable for compliance efforts (e.g., PCI-DSS, SOX, and other key regimes and frameworks) and countless operations use cases.

 Justin Henderson of H & A Security Solutions and Mike Paquette of Elastic show you how to use Windows Event Logs to detect threats targeting your infrastructure. They present a common attack scenario, showing the many steps in the cyber kill chain where Windows Event Logs can reveal an attack. 

They lead a demo showing:

  • Ingestion of Windows Event Logs
  • Configuration of data enrichment
  • Detection of attacks with automated analytics
  • Analysis and visualization of data

Related Resources 

Register to Watch

You'll also receive an email with related content

Justin Henderson

Founder & CEO, H&A Security Solutions

Justin is a SANS instructor and the SANS course author for SEC555: SIEM with Tactical Analytics and the co-author of SEC455: SIEM Design and Implementation and SEC530: Defensible Security Architecture. Justin is a passionate security researcher with over a decade of experience in consulting and is one of the co-founders of H & A Security Solutions. Justin is the 13th GSE to become both a red and blue SANS Cyber Guardian (less than 20 in the world) and holds 58 industry certifications.

Mike Paquette

Mike joined Elastic in 2016 from Prelert, where he'd been VP of Products for Prelert's machine learning technology. Mike's focus at Elastic is to help users and customers succeed with security-related applications of the Elastic Stack. Starting his career as an ASIC designer, Mike has led the development of SIEM, network IPS, DDoS Defense, and network monitoring solutions. Mike is a co-author of a patent on DDoS protection.