This Elastic Security for SIEM training equips security analysts and engineers to use the Elastic Stack as a modern SIEM: event collection with Elastic Agent and Fleet, ECS normalization, data exploration and correlation, and dashboard building.
It covers the full Security App: Detection Engine, Alerts, Timelines, Cases, AI Assistant and Attack Discovery — down to the EQL and ES|QL query languages.
Learning objectives
- Describe the Elastic Stack architecture for security use cases.
- Configure Fleet, deploy Elastic Agents and their integrations.
- Discuss the role of the Elastic Common Schema (ECS) and normalization.
- Access data with Discover (Data Views, KQL, Lucene).
- Build aggregation-based and Lens visualizations.
- Design dashboards and pivot between Kibana apps.
- Operate the Security App: Explore, Detection Engine, Alerts, Timelines, Cases, AI Assistant, Attack Discovery.
Course outline
Module 1 — Elastic Stack overview
- Components: Elasticsearch, Logstash, Beats (Filebeat, Metricbeat, Packetbeat, Winlogbeat, Auditbeat, Heartbeat), Elastic Agent, Kibana.
- Elasticsearch Data Journey: Source → Ingest → Store → Analyze.
- Fleet and Elastic Agent: architecture, Fleet Server, Package & Artifact Registry, air-gapped environments.
- Agent management, integrations and agent policies; deploying an agent.
- Labs 1.1 & 1.2: Elastic Agent configuration, policies and integrations.
Module 2 — Elastic Common Schema (ECS)
- Normalizing heterogeneous sources (e.g. host.address / src_ip → source.ip).
- Benefits for detection and correlation; ECS ingestion via Agent, Beats, Logstash.
- Elasticsearch structure: index, documents, fields, values; types Date, Numbers, Strings, IPs.
- ECS fields: Core, Extended, Custom.
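The normalization step Module 2 describes, shown as an added example (not course material): two constructed records describing the same TCP session, one Zeek conn.log line and one Suricata EVE JSON flow event, are mapped onto ECS field names. Each source names the client address differently (Zeek id.orig_h, Suricata src_ip); after normalization both land in source.ip, so one query, rule or Data View can span both indices. The column order, sample values and the custom zeek.* / suricata.* fields are constructed for the illustration.

```python
"""Normalizing two raw network-log formats into ECS field names.

Added example, not course material. Both records are constructed: one Zeek
conn.log line and one Suricata EVE JSON flow event for the same TCP session.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address

# Zeek conn.log default column order (subset sufficient for this example).
ZEEK_CONN_COLUMNS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
]

# Constructed sample inputs.
ZEEK_CONN_LINE = ("1700000000.123456\tCAbcDe1234\t10.0.0.5\t51234\t203.0.113.10\t443"
                  "\ttcp\tssl\t1.5\t1200\t5400\tSF")
SURICATA_EVE_RECORD = json.dumps({
    "timestamp": "2023-11-14T22:13:20.123456+0000",
    "event_type": "flow",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "203.0.113.10", "dest_port": 443,
    "proto": "TCP",
    "flow": {"bytes_toserver": 1200, "bytes_toclient": 5400},
})


def _ip(value):
    """Validate an address so a malformed field fails loudly instead of
    silently landing in source.ip as an unsearchable string."""
    return str(ip_address(value))


def zeek_conn_to_ecs(line):
    """Map one tab-separated Zeek conn.log line onto ECS fields."""
    f = dict(zip(ZEEK_CONN_COLUMNS, line.rstrip("\n").split("\t")))
    ts = datetime.fromtimestamp(float(f["ts"]), tz=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "event": {"kind": "event", "category": ["network"],
                  "module": "zeek", "dataset": "zeek.connection"},
        "source": {"ip": _ip(f["id.orig_h"]), "port": int(f["id.orig_p"]),
                   "bytes": int(f["orig_bytes"])},
        "destination": {"ip": _ip(f["id.resp_h"]), "port": int(f["id.resp_p"]),
                        "bytes": int(f["resp_bytes"])},
        "network": {"transport": f["proto"].lower(), "protocol": f["service"]},
        # Source-specific fields with no ECS equivalent keep a custom prefix.
        "zeek": {"session_id": f["uid"], "connection": {"state": f["conn_state"]}},
    }


def suricata_eve_to_ecs(record):
    """Map one Suricata EVE JSON flow record onto the same ECS fields."""
    ev = json.loads(record)
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return {
        "@timestamp": ts.isoformat(),
        "event": {"kind": "event", "category": ["network"],
                  "module": "suricata", "dataset": "suricata.eve"},
        "source": {"ip": _ip(ev["src_ip"]), "port": int(ev["src_port"]),
                   "bytes": int(ev["flow"]["bytes_toserver"])},
        "destination": {"ip": _ip(ev["dest_ip"]), "port": int(ev["dest_port"]),
                        "bytes": int(ev["flow"]["bytes_toclient"])},
        "network": {"transport": ev["proto"].lower()},
        "suricata": {"eve": {"event_type": ev["event_type"]}},
    }


def flow_key(doc):
    """The 5-tuple every normalized network event shares, regardless of origin."""
    return (doc["source"]["ip"], doc["source"]["port"],
            doc["destination"]["ip"], doc["destination"]["port"],
            doc["network"]["transport"])


if __name__ == "__main__":
    zeek = zeek_conn_to_ecs(ZEEK_CONN_LINE)
    suri = suricata_eve_to_ecs(SURICATA_EVE_RECORD)
    print("same flow:", flow_key(zeek) == flow_key(suri))
    print(json.dumps(zeek, indent=2))
```

The Elastic integrations do this mapping in ingest pipelines rather than in Python; the point here is the shape of the result: the same core fields (source.ip, destination.port, network.transport) on every document, with anything the schema does not cover kept under a source-specific prefix instead of being forced into the wrong ECS field.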
Module 3 — Discover
- Index Patterns and Data Views (e.g. ecs-*, ecs-suricata-*, ecs-zeek-*).
- Discover fundamentals: time filter, histogram, doc table, query bar, fields list.
- Querying: text vs keyword fields, full-text and exact-match, booleans, wildcards, IP/CIDR, ranges, regex, fuzzy, proximity.
- Demos: Discover Components, Lucene and KQL.
- Labs 3.0 & 3.1: flags acquisition and pursue.
Module 4 — Aggregation-based visualizations
- Metrics aggregations: avg, sum, min, max, unique count, percentiles.
- Bucket aggregations and sub-buckets (pivot table analogy).
- Types: Area, Data table, Gauge, Heat map, Line, Metric, Pie, Tag cloud, Timelion, Vertical/Horizontal bar.
- Demo: Aggregation Based Visualization.
- Lab 4.1: Data Table — flag access.
Module 5 — Lens
- Components and advanced features; drag & drop, suggestions, quick edit.
- Visual settings, legends, axes, metrics (Quick function / Formula).
- Layers: combining chart types and independent index patterns.
- Converting an aggregation-based visualization to Lens.
- Labs 5.1 to 5.3 (Visualization, Data Table, Multi-layer Date Histogram) — flag ancestor.
Module 6 — Dashboards
- Dashboard = visualizations + saved searches (Zeek conn.log and http.log examples).
- Filters: pin across all apps, exclude, disable, delete; pin to pivot across Discover, Visualize Library and Dashboards.
- Time range and the impact of granularity on histograms.
- Demo: Dashboards.
- Labs 6.1 & 6.2: creation and analysis — flag arrangement.
Module 7 — Security App
- Components: Detection Engine, Timelines, Cases, Manage; Explore pages (Host, Network, Users).
- Elastic AI Assistant for Security: alert investigation, system & quick prompts, ES|QL knowledge base, triage and reporting.
- Attack Discovery: LLM analysis of alerts, MITRE ATT&CK mapping, attack chain, Timeline / Cases integration.
- Query languages: EQL (event-based, sequence) and ES|QL (piped syntax: FROM, WHERE, KEEP, STATS ... BY, SORT, LIMIT).
- Detection Engine: 1000+ prebuilt rules; seven rule types (Custom Query, Machine Learning, Threshold, Event Correlation/EQL, Indicator Match, New Terms, ES|QL); tuning via Exceptions and Value Lists; monitoring.
- Alerts: Summary, Trend, Treemap, severities, Event Visual Analyzer (Endpoint / Sysmon).
- Timeline & Cases: investigation workspace, connectors (ServiceNow, Jira, IBM Resilient, Swimlane), NDJSON import/export.
- Demos: Security App, Explore, EQL, ES|QL, Detection Engine, Alerts, Timeline and Cases.
- Labs 7.1 to 7.6 — flags analysis, engine, signal and history.
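To make two of the Module 7 rule types concrete, here is an added example (not course material) that re-implements their core logic in plain Python over constructed ECS-shaped events: a Threshold rule, which is what ES|QL `STATS n = COUNT(*) BY source.ip | WHERE n >= 5` expresses, and an Event Correlation rule, which is what EQL `sequence by host.name with maxspan=30s [process where ...] [network where ...]` expresses. The event values, host names and the 30 s window are constructed; real EQL sequences have more features (until, runs, optional steps) than the simplified join-and-order logic shown.

```python
"""Two Detection Engine rule semantics reproduced in plain Python.

Added example, not course material. Events are constructed. threshold_by()
mirrors the Threshold rule type (ES|QL STATS ... BY + WHERE); sequence_by()
is a simplified EQL `sequence by <field> with maxspan=<t>`. event.category is
an array in ECS; a single string is used here for brevity.
"""
from datetime import datetime, timedelta, timezone


def _t(seconds):
    return datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)


# Constructed authentication events: 6 failures from one address, 1 from another, 1 success.
AUTH_EVENTS = [
    {"@timestamp": _t(i), "event": {"category": "authentication", "outcome": "failure"},
     "source": {"ip": "198.51.100.7"}, "user": {"name": f"user{i}"}}
    for i in range(6)
] + [
    {"@timestamp": _t(9), "event": {"category": "authentication", "outcome": "failure"},
     "source": {"ip": "10.0.0.9"}, "user": {"name": "alice"}},
    {"@timestamp": _t(10), "event": {"category": "authentication", "outcome": "success"},
     "source": {"ip": "198.51.100.7"}, "user": {"name": "alice"}},
]


def _ep(sec, host, category):
    """Constructed endpoint event: a PowerShell process start or a connection it made."""
    ev = {"@timestamp": _t(sec), "host": {"name": host},
          "event": {"category": category}, "process": {"name": "powershell.exe"}}
    if category == "network":
        ev["destination"] = {"ip": "203.0.113.10", "port": 443}
    return ev


ENDPOINT_EVENTS = [
    _ep(0, "ws01", "process"), _ep(5, "ws01", "network"),    # 5 s apart: matches
    _ep(0, "ws02", "process"), _ep(120, "ws02", "network"),  # 120 s apart: outside maxspan
    _ep(0, "ws03", "network"), _ep(3, "ws03", "process"),    # wrong order: no match
]


def get(doc, path):
    """Resolve an ECS dotted path such as 'source.ip' in a nested dict."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def threshold_by(events, match, by_field, threshold):
    """Threshold rule: count matching events per by_field value, alert at >= threshold."""
    counts = {}
    for ev in events:
        if match(ev):
            key = get(ev, by_field)
            counts[key] = counts.get(key, 0) + 1
    return sorted((k, n) for k, n in counts.items() if n >= threshold)


def sequence_by(events, by_field, steps, maxspan):
    """Simplified EQL sequence: steps match in order on events sharing the same
    by_field value, and the whole chain fits within maxspan of its first event."""
    matches, pending = [], {}  # pending: by-value -> partial chains (lists of events)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = get(ev, by_field)
        if key is None:
            continue
        kept = []
        for chain in pending.get(key, []):
            if ev["@timestamp"] - chain[0]["@timestamp"] > maxspan:
                continue                      # chain expired, drop it
            if steps[len(chain)](ev):
                chain = chain + [ev]          # advance one step
                if len(chain) == len(steps):
                    matches.append(chain)     # complete sequence
                    continue
            kept.append(chain)
        if steps[0](ev):
            kept.append([ev])                 # any step-0 match may start a new chain
        pending[key] = kept
    return matches


def brute_force_sources(threshold=5):
    """Addresses with >= threshold failed logons (Threshold rule on source.ip)."""
    failed = lambda ev: (get(ev, "event.category") == "authentication"
                         and get(ev, "event.outcome") == "failure")
    return threshold_by(AUTH_EVENTS, failed, "source.ip", threshold)


def powershell_then_network(maxspan_seconds=30):
    """PowerShell start followed by a network connection on the same host (EQL sequence)."""
    steps = [
        lambda ev: get(ev, "event.category") == "process" and get(ev, "process.name") == "powershell.exe",
        lambda ev: get(ev, "event.category") == "network" and get(ev, "process.name") == "powershell.exe",
    ]
    return sequence_by(ENDPOINT_EVENTS, "host.name", steps, timedelta(seconds=maxspan_seconds))


if __name__ == "__main__":
    print("threshold hits:", brute_force_sources())
    for chain in powershell_then_network():
        print("sequence hit:", [(get(e, "host.name"), get(e, "event.category")) for e in chain])
```

Widening maxspan to 300 s makes ws02 match as well, which is the tuning trade-off the course's Exceptions and Value Lists material addresses from the other side: a sequence window or threshold that is too loose produces the noise that then has to be excepted away.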
The Training Instructor
With over 110 training sessions delivered on Elastic technologies, your instructor spends 50% of their time on production work as an ELK / Elastic Stack consultant, so you learn from someone with hands-on production experience.
Duration
3 to 5 days. I can adapt the duration for your company.
Price
On quote. Rates are defined for inter-company or intra-company sessions.
Custom
Contact me; I will adapt duration, location and course content.
Who should attend
SOC analysts (L1, L2, L3) and threat hunters, detection and security engineers, SIEM administrators.
Prerequisites
General cybersecurity knowledge (logs, MITRE ATT&CK, IOCs) and familiarity with network protocols and operating systems.
Method
Progression concept → instructor demo → CTFd lab → summary. Each lab ends with a flag to capture, plus an end-of-lesson quiz.
Training materials
You will receive PDF training materials for all of my courses, plus the code for the hands-on labs.
