New Here - Question

Hey all - I learned of ELK recently while attending a SANS Institute webinar. It was mentioned in passing by the sponsor of the webcast, which was devoted to building a threat intelligence system from scratch.

So I'm investigating, but there is a lot of info, and I'm not sure where to start.

Basically our situation is that we monitor a high volume of managed firewalls. Part of that is to watch IPS, Anti-Virus, and Informational alerts that come to our team via email, all day, all night. We rotate shifts of people who are responsible for monitoring the mailbox, but also for pulling data out of those alerts when we notice patterns, trends, IoC's - things of concern. But we're currently just logging this information into a complex spreadsheet.

So that's our use case - any suggestions? Any direction on where a good place to start is?

Cheers

That's a lot to answer, but it's possible with the stack. I'd start by pushing some data into ES (via Logstash) and then making sure you can get the basics of what you want (via Kibana).

If you have specific questions I am sure we can help more.

One good point to start might be looking at what other people are doing with Logstash/ Beats/ Elasticsearch/ Kibana: https://www.elastic.co/use-cases

Another thing would be to start searching for getting started stories about Logstash/ Beats/ Elasticsearch/ Kibana. One I found one getting started post that looks decent but is already pretty dated.

Another option would be to start reading the Elasticsearch Definitive Guide

Hope this helps,
Isabel