Elastic Security

A comprehensive guide to Elastic Security (Elastic SIEM) — deployment, detection rules, Kibana visualizations, EQL queries, and how analysts use the Elastic stack for SOC operations.


What Elastic Security Is and Why Analysts Use It

  • Elastic Security is the SIEM module built on top of the Elastic Stack (Elasticsearch, Kibana, Logstash, Beats/Fleet). It ingests security telemetry — logs, network data, endpoint data — and provides detection, investigation, and response capabilities.
  • MITRE ATT&CK maps Elastic Security’s core function to T1654 (Log Enumeration) — the SIEM is the central platform where logs from all sources are stored, indexed, and queried.
  • Unlike proprietary SIEMs (Splunk, Sentinel), Elastic is open-source under the Elastic License or SSPL (depending on version). The free tier includes detection rules, case management, and Kibana dashboards.
  • Elastic Security integrates natively with Elastic Agent (for endpoint data), Fleet (agent management), and the Elastic Detection Rules repository (1,000+ pre-built rules mapped to MITRE ATT&CK).

Architecture — Elastic Stack for SIEM

| Component | Role | Deployment Model |
| --- | --- | --- |
| Elasticsearch | Data store — indexes all logs and events in sharded indices | Cluster (3+ nodes recommended for production) |
| Kibana | Visualization, dashboarding, detection rule management, case management | Web UI connected to Elasticsearch |
| Elastic Agent | Unified agent — collects logs, metrics, and endpoint data; runs on Windows/Linux/macOS | Fleet-managed or standalone |
| Fleet Server | Manages Elastic Agent policies — deploys integrations, updates configs | Central server |
| Detection Engine | Runs detection rules against ingested data — alert generation, correlation | Kibana built-in |
| Endgame/Elastic Defend | EDR module — endpoint detection and prevention | Elastic Agent integration |

Minimum SIEM Deployment

# Single-node Elastic SIEM stack run with Docker Compose.
# Relevant settings in elasticsearch.yml:
cluster.name: "wyzsec-siem"
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true   # Fleet needs API keys for agent enrollment

# Start Elasticsearch and Kibana
docker compose up -d elasticsearch kibana

# Enroll an Elastic Agent from a Windows endpoint
# (download the agent from Kibana → Fleet → Add agent; TOKEN_FROM_FLEET is the
# enrollment token shown on that page; one line, since "\" is not a line
# continuation in cmd.exe or PowerShell)
elastic-agent.exe enroll --url=https://siem.example.com:8220 --enrollment-token=TOKEN_FROM_FLEET
elastic-agent.exe run

Detection Rules — The Built-In Library

Elastic Security ships with 1,000+ pre-built detection rules mapped to MITRE ATT&CK tactic, technique, and sub-technique.

Rule Types

| Rule Type | Description | Performance | Example |
| --- | --- | --- | --- |
| Query | Matches a single event field against a query condition | Fastest | event.code: 4625 (failed login) |
| Threshold | Fires when a field value exceeds a count threshold | Fast | event.code: 4625 with threshold 10 (brute force) |
| EQL (Event Query Language) | Sequence-based — matches a pattern of events | Moderate | Sequence of process creation + network connection |
| Machine Learning | Anomaly detection using ML jobs | Resource intensive | Unusual process execution patterns |
| Indicator Match | Matches events against threat intelligence indicators | Moderate | File hash match against threat feed |
| Correlation | Matches multiple rules firing within a time window | Complex | Process injection rule + lateral movement rule |

Key Pre-Built Rule Families

| Rule Category | MITRE Tactic | What It Detects |
| --- | --- | --- |
| Initial Access | TA0001 | Phishing, exploitation, external service access |
| Execution | TA0002 | PowerShell abuse, script execution, LOLBins |
| Persistence | TA0003 | Registry Run keys, scheduled tasks, services |
| Privilege Escalation | TA0004 | UAC bypass, token manipulation, sudo abuse |
| Defense Evasion | TA0005 | Process injection, disabling security tools, obfuscation |
| Credential Access | TA0006 | LSASS access, Kerberos attacks, credential dumping (see Mimikatz) |
| Discovery | TA0007 | Account enumeration, network scanning, process listing |
| Lateral Movement | TA0008 | RDP, PsExec, WMI, SMB abuse |
| Command & Control | TA0011 | Beaconing, DNS tunneling, non-standard ports |
| Exfiltration | TA0010 | Large data transfers, archive creation |
| Impact | TA0040 | Ransomware, data destruction, service stop |

EQL — Event Query Language

EQL is Elastic’s sequence-based query language — it finds patterns across events rather than matching individual events.

Core EQL Patterns

| Pattern | EQL Query | What It Detects |
| --- | --- | --- |
| Sequence | sequence by process.pid [process where event.type == "start"] [network where event.type == "connection"] | Process creation followed by network connection |
| Join | process where event.type == "start" and process.name == "powershell.exe" and process.command_line : "* -enc *" | PowerShell with encoded command |
| Pipeline | file where event.type == "creation" and file.path : "*\\Users\\*\\AppData\\Local\\Temp\\*.exe" | File creation in Temp directory |
| Time-based | sequence with maxspan=5m [process where process.name == "winword.exe"] [network where event.type == "connection" and network.protocol == "dns"] | Network connection within 5 min of Word opening |

Example — Detect Process Injection via EQL (Sysmon provides the underlying events)

// Detection: remote thread creation (Sysmon Event 8, CreateRemoteThread)
// whose source is an Office or LOLBin process started in the last 10 seconds.
// "by process.entity_id" ties both events to the same source process; without
// it, any Event 8 on the host would complete the sequence.
sequence by process.entity_id with maxspan=10s
  [process where event.type == "start" and
   process.name : ("winword.exe", "excel.exe", "powerpnt.exe",
                   "wmiprvse.exe", "rundll32.exe")]
  [process where event.type == "info" and event.code == "8"]

Example — Detect Lateral Movement via EQL

// Detection: lateral movement via PsExec. The service binary PSEXESVC.exe is
// copied over the ADMIN$ share (which maps to %SystemRoot% on the target) and
// then started as a service; "by host.id" keeps both events on the same host.
sequence by host.id with maxspan=1m
  [file where event.type == "creation" and
   file.path : ("?:\\Windows\\*", "\\\\*\\ADMIN$\\*") and
   file.name : ("PSEXESVC.exe", "psexec.exe")]
  [process where event.type == "start" and
   process.name : "PSEXESVC.exe"]
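The sequence semantics used by the Core EQL Patterns table and by the two queries above, as an added example that is not Elastic's code: a small Python model of `sequence by <field> with maxspan=<t> [A] [B]` run over constructed Sysmon-style events, showing how the `by` key separates a real process-injection hit from an unrelated Event 8 on the same host. The event dictionaries, the `g-…` entity ids and the helper names are all assumptions made for the example.

```python
"""Added example (not Elastic's EQL engine): a tiny model of
'sequence by <field> with maxspan=<t> [A] [B]' over ECS-style events, using the
process-injection query above, to show what the 'by' key changes."""
from datetime import datetime, timedelta

OFFICE_AND_LOLBINS = {"winword.exe", "excel.exe", "powerpnt.exe", "wmiprvse.exe", "rundll32.exe"}

def office_start(ev):
    return ev["event.type"] == "start" and ev["process.name"].lower() in OFFICE_AND_LOLBINS

def remote_thread(ev):  # Sysmon Event 8 (CreateRemoteThread) as mapped by Winlogbeat
    return ev["event.type"] == "info" and ev["event.code"] == "8"

def eql_sequence(events, first, second, maxspan, by=None):
    """Return (A, B) pairs where B follows A within maxspan and, when `by` is
    given, both carry the same value for that field.  Simplification: only
    the latest unmatched A per key is kept (real EQL tracks every candidate)."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev[by] if by else "*"          # no 'by' => one global bucket
        if first(ev):
            pending[key] = ev
        elif second(ev) and key in pending:
            start = pending.pop(key)
            if ev["@timestamp"] - start["@timestamp"] <= maxspan:
                hits.append((start, ev))
    return hits

T0 = datetime(2024, 1, 1, 9, 0, 0)
def _ev(sec, etype, code, name, guid):  # constructed sample events, not real telemetry
    return {"@timestamp": T0 + timedelta(seconds=sec), "event.type": etype,
            "event.code": code, "process.name": name, "process.entity_id": guid}

SAMPLE = [
    _ev(0, "start", "1", "WINWORD.EXE", "g-word"),
    _ev(3, "info", "8", "WINWORD.EXE", "g-word"),   # Word creates a remote thread: hit
    _ev(5, "start", "1", "excel.exe", "g-excel"),
    _ev(6, "info", "8", "csrss.exe", "g-csrss"),    # unrelated system process
    _ev(40, "info", "8", "excel.exe", "g-excel"),   # later than maxspan, no hit
]

def detect_keyed(events=SAMPLE):
    return eql_sequence(events, office_start, remote_thread, timedelta(seconds=10), by="process.entity_id")

def detect_unkeyed(events=SAMPLE):
    return eql_sequence(events, office_start, remote_thread, timedelta(seconds=10))
```

With the key, only the Word event pair fires; without it, the csrss.exe Event 8 also completes the Excel sequence, which is the false positive the `by` clause removes.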

Kibana Visualization — Building SOC Dashboards

Essential Dashboards for SOC

| Dashboard | What It Shows | Key Visualizations |
| --- | --- | --- |
| Authentication Summary | Login success/failure by source IP, user, location | Line chart (time breakdown), pie chart (logon type), table (top failure sources) |
| Network Activity | Top talkers, allowed vs blocked traffic, protocol distribution | Data table (top connections), gauge (bandwidth), heatmap (protocol x source) |
| Endpoint Activity | Process creation trends, alert volume per host, unusual parents | Treemap (parent-child), bar chart (top executables), table (new executables) |
| Threat Detection | Alert volume by rule, severity, MITRE tactic | Bar chart (alerts by rule), pie chart (severity), stacked bar (tactic trends) |
| Hunting — Anomalies | Unusual process starts, logon times, data transfers | Single metric (total anomalies), table (details per anomaly) |

Creating a Custom Lens (Example — Top Failed Logins)

Index pattern: logs-system.security-* (the Windows Security channel; Event 4625 is not present in the endpoint data streams)
Metric: count
Breakdown by: source.ip
Filter: event.code: 4625
Time range: Last 24 hours
Sort: Count descending
Limit: 10
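The aggregation behind the Threshold rule row ("event.code: 4625 with threshold 10") and this Top Failed Logins Lens, as an added example that is not Elastic's code. It goes one step beyond the page by adding a distinct-account (cardinality) condition, which Elastic threshold rules support, to tell password spraying from a single-account brute force; the event dictionaries, IP addresses and function names are constructed for the example.

```python
"""Added example (not Elastic's code): threshold-rule and Lens-style grouping of
Windows 4625 (failed logon) events by source.ip inside a lookback window."""
from collections import defaultdict
from datetime import datetime, timedelta

def failed_logons_by_source(events, now, lookback=timedelta(hours=24)):
    """Group event.code 4625 events inside the lookback window by source.ip,
    returning {source.ip: {"count": n, "users": {target accounts}}}."""
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev.get("event.code") != "4625":
            continue
        if now - ev["@timestamp"] > lookback:
            continue  # outside the rule's 'from' / Lens time range
        g = groups[ev["source.ip"]]
        g["count"] += 1
        g["users"].add(ev.get("user.name", ""))
    return dict(groups)

def top_failed_logins(events, now, limit=10):
    """Lens table: top sources by failed-logon count, descending."""
    groups = failed_logons_by_source(events, now)
    ranked = sorted(groups.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return [(ip, g["count"]) for ip, g in ranked[:limit]]

def threshold_alerts(events, now, threshold=10, min_users=1):
    """Threshold rule: one alert per source.ip with >= threshold failures and
    >= min_users distinct target accounts (the cardinality condition)."""
    groups = failed_logons_by_source(events, now)
    return sorted(ip for ip, g in groups.items()
                  if g["count"] >= threshold and len(g["users"]) >= min_users)

# Constructed sample events (not real telemetry).
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = (
    [{"@timestamp": NOW - timedelta(minutes=i), "event.code": "4625",
      "source.ip": "203.0.113.5", "user.name": "administrator"} for i in range(12)]   # brute force
    + [{"@timestamp": NOW - timedelta(minutes=i), "event.code": "4625",
        "source.ip": "198.51.100.9", "user.name": f"user{i}"} for i in range(10)]     # password spray
    + [{"@timestamp": NOW - timedelta(hours=30), "event.code": "4625",
        "source.ip": "192.0.2.1", "user.name": "svc"}]                                # outside 24h window
    + [{"@timestamp": NOW, "event.code": "4624", "source.ip": "10.0.0.7", "user.name": "jdoe"}]  # success
)
```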

Agent Management with Fleet

Fleet is the centralized management console for all Elastic Agents.

| Fleet Feature | What It Does | How Analysts Use It |
| --- | --- | --- |
| Agent policy | Defines what data the agent collects | Configure log collection, enable/disable integrations |
| Integration | Pre-built data collectors (Windows, Network, AWS, etc.) | One-click enable data sources |
| Upgrade | Remotely upgrade Elastic Agent versions | Keep agents current without manual intervention |
| Unenroll | Remove an agent from management | Retire old endpoints, replace agents |
| Diagnostics | Collect agent status and health data | Troubleshoot missing data, agent errors |

Sample Detection Rule — Custom Rule

The rule below is importable through Kibana → Rules → Import. The double quotes inside the KQL query are dropped because they would break the JSON string, and the wildcard patterns are left unquoted since KQL matches wildcards inside quoted values literally.

{
  "author": ["WYZSec"],
  "description": "Detect WmiPrvSE.exe spawning a suspicious child process (LOLBins / lateral movement)",
  "false_positives": ["Legitimate WMI queries for system administration"],
  "from": "now-360m",
  "interval": "5m",
  "index": ["logs-endpoint.events.process-*"],
  "language": "kuery",
  "name": "Suspicious WMI Process Child",
  "query": "event.category:process and event.type:start and process.parent.name:WmiPrvSE.exe and (process.name:(powershell.exe or cmd.exe or wscript.exe or cscript.exe or mshta.exe or regsvr32.exe) or process.args:(*-enc* or *DownloadString*))",
  "risk_score": 73,
  "rule_id": "WYZ-0001",
  "severity": "high",
  "tags": ["T1047", "lateral_movement"],
  "type": "query",
  "version": 1
}
