Elastic SIEM / Security training

Use the Elastic Stack as a modern SIEM: detection, investigation and response.

This Elastic Security for SIEM training equips security analysts and engineers to use the Elastic Stack as a modern SIEM: event collection with Elastic Agent and Fleet, ECS normalization, data exploration and correlation, and dashboard building.

It covers the full Security App: Detection Engine, Alerts, Timelines, Cases, AI Assistant and Attack Discovery — down to the EQL and ES|QL query languages.

Learning objectives

  • Describe the Elastic Stack architecture for security use cases.
  • Configure Fleet, deploy Elastic Agents and their integrations.
  • Discuss the role of the Elastic Common Schema (ECS) and normalization.
  • Access data with Discover (Data Views, KQL, Lucene).
  • Build aggregation-based and Lens visualizations.
  • Design dashboards and pivot between Kibana apps.
  • Operate the Security App: Explore, Detection Engine, Alerts, Timelines, Cases, AI Assistant, Attack Discovery.

Course outline

Module 1 — Elastic Stack overview

  • Components: Elasticsearch, Logstash, Beats (Filebeat, Metricbeat, Packetbeat, Winlogbeat, Auditbeat, Heartbeat), Elastic Agent, Kibana.
  • Elasticsearch Data Journey: Source → Ingest → Store → Analyze.
  • Fleet and Elastic Agent: architecture, Fleet Server, Package & Artifact Registry, air-gapped environments.
  • Agent management, integrations and agent policies; deploying an agent.
  • Labs 1.1 & 1.2: Elastic Agent configuration, policies and integrations.

Module 2 — Elastic Common Schema (ECS)

  • Normalizing heterogeneous sources (e.g. host.address / src_ip → source.ip).
  • Benefits for detection and correlation; ECS ingestion via Agent, Beats, Logstash.
  • Elasticsearch structure: index, documents, fields, values; types Date, Numbers, Strings, IPs.
  • ECS fields: Core, Extended, Custom.

Module 3 — Discover

  • Index Patterns and Data Views (e.g. ecs-*, ecs-suricata-*, ecs-zeek-*).
  • Discover fundamentals: time filter, histogram, doc table, query bar, fields list.
  • Querying: text vs keyword fields, full-text and exact-match, booleans, wildcards, IP/CIDR, ranges, regex, fuzzy, proximity.
  • Demos: Discover Components, Lucene and KQL.
  • Labs 3.0 & 3.1: flags acquisition and pursue.

Module 4 — Aggregation-based visualizations

  • Metrics aggregations: avg, sum, min, max, unique count, percentiles.
  • Bucket aggregations and sub-buckets (pivot table analogy).
  • Types: Area, Data table, Gauge, Heat map, Line, Metric, Pie, Tag cloud, Timelion, Vertical/Horizontal bar.
  • Demo: Aggregation Based Visualization.
  • Lab 4.1: Data Table — flag access.

Module 5 — Lens

  • Components and advanced features; drag & drop, suggestions, quick edit.
  • Visual settings, legends, axes, metrics (Quick function / Formula).
  • Layers: combining chart types and independent index patterns.
  • Converting an aggregation-based visualization to Lens.
  • Labs 5.1 to 5.3 (Visualization, Data Table, Multi-layer Date Histogram) — flag ancestor.

Module 6 — Dashboards

  • Dashboard = visualizations + saved searches (Zeek conn.log, http.log examples).
  • Filters: pin across all apps, exclude, disable, delete; pin to pivot across Discover, Visualize Library and Dashboards.
  • Time range and the impact of granularity on histograms.
  • Demo: Dashboards.
  • Labs 6.1 & 6.2: creation and analysis — flag arrangement.

Module 7 — Security App

  • Components: Detection Engine, Timelines, Cases, Manage; Explore pages (Host, Network, Users).
  • Elastic AI Assistant for Security: alert investigation, system & quick prompts, ES|QL knowledge base, triage and reporting.
  • Attack Discovery: LLM analysis of alerts, MITRE ATT&CK mapping, attack chain, Timeline / Cases integration.
  • Query languages: EQL (event-based, sequence) and ES|QL (piped syntax: FROM, WHERE, KEEP, STATS ... BY, SORT, LIMIT).
  • Detection Engine: 1000+ prebuilt rules; six rule types (Custom Query, Machine Learning, Threshold, Event Correlation/EQL, Indicator Match, New Terms, ES|QL); tuning via Exceptions and Value Lists; monitoring.
  • Alerts: Summary, Trend, Treemap, severities, Event Visual Analyzer (Endpoint / Sysmon).
  • Timeline & Cases: investigation workspace, connectors (ServiceNow, Jira, IBM Resilient, Swimlane), NDJSON import/export.
  • Demos: Security App, Explore, EQL, ES|QL, Detection Engine, Alerts, Timeline and Cases.
  • Labs 7.1 to 7.6 — flags analysis, engine, signal, history.

The Training Instructor

With over 110 training sessions delivered on Elastic technologies, your instructor spends 50% of the time on production work as an ELK and Elastic Stack consultant, so the course is taught by someone with hands-on production experience.


Duration

3 to 5 days.

I can adjust the duration for your company.

Rates

On quotation.

Rates are quoted per engagement, for inter-company or intra-company sessions.


Custom

Get back to me and I will adapt the duration, location and course content.

Who should attend

SOC analysts (L1, L2, L3) and threat hunters, detection and security engineers, SIEM administrators.

Prerequisites

General cybersecurity knowledge (logs, MITRE ATT&CK, IOCs) and familiarity with network protocols and operating systems.

Method

Progression concept → instructor demo → CTFd lab → summary. Each lab ends with a flag to capture, plus an end-of-lesson quiz.

Training materials

You will receive PDF training materials for all of my courses, plus the code for the hands-on labs.