SOC Analyst Journey In Thirty-Days

Abdul Basit Rotimi
5 min read · Sep 3, 2024

The MyDFIR 30-day challenge is for any aspiring SOC Analyst, professional or newbie. I find this challenge interesting because of the content outline, and I applied with “SOC” on their YouTube channel to participate in it.

Are you excited to go along with me on the SOC Analyst journey in thirty days? C’mon, let’s start the day two challenge, and I believe you’ll learn a lot on this journey.

Day 2

The sun is shining, and the bad actors are lurking in the shadows.

Yeah, I hope you enjoyed the previous day one challenge blog of MyDFIR. If you haven’t, please read it before you proceed with this blog.

We are starting the day with a series of terms used in a SOC environment. Think about buying a brand new electric kettle: there will be a note inside the box from the manufacturer for users to read.

This is what we are going to talk about today. In our previous blog we mentioned the six servers that we’ll use throughout our deployment.

But we need to understand them before we start the wiring/configuration of our servers.

Let’s talk about the ELK-Stack (Elasticsearch, Logstash and Kibana).

ELK-Stack

Three amazing products.

To make this familiar to you: imagine that all the devices and electrical appliances in your house are connected to the internet (IoT). You want to monitor everything in your house seamlessly, no matter where you are, but you need a tool to help you achieve this.

What’s the tool’s name? The ELK-stack, created by Shay Banon, with the first version released in 2010.

Every product plays a crucial role.

Also, the “stack” in “ELK-stack” means a collection of products or items that are meant to work together, and it’s a powerful set of tools used for managing and analyzing large amounts of log data.

We’ll need to break things down by explaining every product in the stack.

E (Elasticsearch) -ELK:

It’s a search and analytics engine that helps you quickly search, analyze, and visualize data stored in a central location. It’s also a database used to store logs such as Windows event logs, Syslog, firewall logs and just about anything else we need to import.

It assists you in searching across your data; Elasticsearch uses a query language called ESQL (Elasticsearch Query Language). If you are familiar with KQL (Kusto Query Language), that is a data analysis language used on Microsoft’s cloud platform, particularly Azure. Originally developed for Azure Data Explorer, this language has over time been widely used across various services such as Azure Monitor, Azure Security Center, and Azure Application Insights.

Also, in Splunk we have SPL (Search Processing Language): SPL is a set of commands that you use to search your data.

Back to home: Elasticsearch uses a RESTful API and JSON, meaning we can use various applications to interact with your Elasticsearch data programmatically to retrieve information.

Parsing field in Elasticsearch: When we talk about “parsing fields” in Elasticsearch, we’re essentially talking about breaking down raw data into understandable parts, or “fields,” that can be more easily searched and analyzed.

L (Logstash) -ELK:

This is the data processing pipeline that takes in data from various sources, transforms it, and then sends it to a “stash,” like Elasticsearch.

If you’re familiar with other SIEM (Security Information and Event Management) platforms like Splunk, Wazuh, IBM QRadar…, every one of these SIEMs has its own transporter/forwarder.

In Splunk we have the Heavy Forwarder, which is equivalent to our Logstash. It helps to forward logs from different endpoints.

I will not proceed without mentioning Beats: these are lightweight data shippers that collect and send data to Logstash or Elasticsearch.
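As an added example (not code from the MyDFIR post, and not Elastic’s own code), here is a toy Python version of the two ideas above: parsing raw log lines into fields the way Elasticsearch expects them, and running those lines through a Logstash-style input -> filter -> output pipeline whose output is the NDJSON body that Elasticsearch’s _bulk REST endpoint accepts. The sample log lines are constructed, the grok-style patterns are written as Python regexes, and the index name and Elasticsearch URL are assumptions.

```python
"""Toy Logstash-style pipeline: input -> filter (parse fields) -> output (bulk JSON).

Added example, not part of the MyDFIR blog post. The sample log lines are
constructed; the index name and the Elasticsearch URL in the comments are assumptions.
"""
import json
import re
from datetime import datetime, timezone

# Input stage: constructed sample lines (two sshd syslog events, one junk line).
SAMPLE_LOGS = [
    "Sep  3 10:15:42 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Sep  3 10:16:01 web01 sshd[2231]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2",
    "this line does not match the syslog format",
]

# Filter stage: grok-style patterns written as named-group regexes.
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)
SSH_OK_RE = re.compile(
    r"Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def parse_line(line: str, year: int = 2024) -> dict:
    """Break one raw line into fields. A line that does not match is kept whole and
    tagged, the way Logstash tags a grok failure instead of dropping the event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    f = m.groupdict()
    # Syslog lines carry no year, so the caller supplies one (assumed 2024 here).
    ts = datetime.strptime(f"{year} {f['month']} {f['day']} {f['time']}", "%Y %b %d %H:%M:%S")
    doc = {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "host": {"name": f["host"]},
        "process": {"name": f["program"], "pid": int(f["pid"]) if f["pid"] else None},
        "message": f["message"],
        "tags": [],
    }
    # Enrich ssh authentication events with user/source fields so they can be
    # searched directly (e.g. all failures from one source IP) instead of by free text.
    for regex, outcome in ((SSH_FAIL_RE, "failure"), (SSH_OK_RE, "success")):
        a = regex.search(f["message"])
        if a:
            doc["user"] = {"name": a["user"]}
            doc["source"] = {"ip": a["src_ip"], "port": int(a["src_port"])}
            doc["event"] = {"category": "authentication", "outcome": outcome}
            break
    return doc


def to_bulk_body(docs: list, index: str = "logs-syslog-default") -> str:
    """Output stage: NDJSON for Elasticsearch's _bulk endpoint (index name assumed).
    Each document is preceded by an action line telling Elasticsearch where to index it."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"


def run_pipeline(lines: list) -> tuple:
    """Run input -> filter -> output and return (parsed docs, bulk request body)."""
    docs = [parse_line(line) for line in lines]
    return docs, to_bulk_body(docs)


def failed_logins(docs: list) -> list:
    """The kind of question a Kibana search answers once fields are parsed."""
    return [d for d in docs if d.get("event", {}).get("outcome") == "failure"]


if __name__ == "__main__":
    docs, body = run_pipeline(SAMPLE_LOGS)
    print(body)
    # To ship this for real you would POST `body` to http://localhost:9200/_bulk
    # (URL assumed) with the header Content-Type: application/x-ndjson.
```

The point to notice is the difference between the raw `message` string and the parsed `source.ip`, `user.name` and `event.outcome` fields: once a line is broken into fields, Elasticsearch can filter and aggregate on them, which is what makes the Kibana dashboards discussed later possible. The `_grokparsefailure` tag mirrors what Logstash does with lines its patterns do not match, so a bad pattern shows up as tagged events rather than as silently missing data.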

Types of Beats

Filebeat: Monitors log files and forwards log events. It’s commonly used for collecting logs from various files like application logs, system logs, and access logs.

Metricbeat: Collects metrics from systems and services, such as CPU usage, memory usage, disk I/O, and network traffic. It can also monitor metrics from various services like Apache, MySQL, and Docker.

Packetbeat: Captures network traffic and provides real-time analytics on network protocols like HTTP, DNS, and MySQL. It helps in monitoring the performance and security of your network.

Winlogbeat: Specifically designed for Windows environments, it collects and ships Windows Event Logs. It’s useful for monitoring security, system, and application events on Windows machines.

Auditbeat: Focuses on Linux audit framework data and can also collect file integrity data. It’s useful for monitoring security-related events and changes on Linux systems.

Heartbeat: Monitors the availability of services by periodically pinging them and reporting the results. It’s great for uptime monitoring and alerting.

Take a coffee break!!!

Last but not least.

K (Kibana) -ELK:

This is the visualization layer that lets you create charts, graphs, and dashboards from the data stored in Elasticsearch. It’s the interface where you can interact with and make sense of your data.

I love dashboards

When you’re working on a SIEM platform, it’s almost certain that you’ll appreciate a dashboard with various graph metrics. I advise you to learn more about how a SIEM interface looks and then create your own visual display. You might just fall in love with dashboards.

In Splunk you’ll have a web GUI like Kibana. Having an in-depth understanding of this tool will help you understand other SIEM tools.

If the foundation is solid, you can build anything you like.

Benefits of ELK

Centralized Logging

Flexibility (Customized Ingestion)

Visualizations

Scalability

Ecosystem

Open-Source and Extensible

YES!!!!, We did it….

Clap for yourself: you have just understood the basics of the ELK-Stack. This is very lucrative and really worth knowing as a SOC Analyst.

Just master these skills. I have been designing such for myself, SMEs and folks that want to fast-track their SOC skills.

Thank you so much MyDFIR, I appreciate this challenge and I will try my possible best to document every step for other folks.

What next?

Stay tuned and relax.

Follow MyDFIR and also me for more content.

#CyGameDev


Written by Abdul Basit Rotimi

Abdul Basit is a seasoned cybersecurity analyst who loves to provide security solutions to attack victims.
