End to End Incident Response Using Elastic Security

Jul 7, 2022

Join James Spiteri, PMM Director for Elastic Security, as he walks through an entire incident response scenario using several features of the Elasticsearch platform, including security features such as SIEM, Endpoint Security, osquery, correlation and case management. Observability features such as logging and APM are also covered as part of this investigative workflow.

0:00 - Intro

1:17 - Context and Elastic Agent Policy Config

4:20 - Endpoint Security Integration Overview

5:23 - Detection and Response Dashboard and Incident kickoff

6:19 - Cases and Case content

7:32 - Alert investigation + Alert Table Tips

10:06 - Example of Machine Learning based rules

12:04 - Individual Rule details page

13:59 - Session Viewer

15:29 - osquery: saved queries + searching for log4j classes

17:42 - ECS mapping for osquery

18:29 - Visualising osquery results in Lens

21:24 - Pivoting to Observability

22:18 - Investigating Java transactions to look for suspicious activity

25:41 - Case updates and JIRA Synchronisation

28:21 - Using the event renderer

29:44 - Investigating Linux Malware detections

31:25 - Elastic Security Labs

33:20 - Using session viewer to investigate Dirty Pipe

34:34 - Example of custom correlation rules with EQL

37:11 - Endpoint Security Behaviour Prevention rules in Session Viewer

37:59 - Checking for persisted connections with osquery

41:01 - Examining prevented ransomware with behavioural rules

42:49 - Recap and Case update

45:54 - Investigating alerts with Event Analyser

46:49 - Investigating AWS alerts

48:36 - Filtering for events in Timeline

51:14 - Adding timelines to a case

53:28 - Getting additional IP details from nslookup

54:52 - Using cross cluster search with EQL

56:49 - Using timeline to search all archived data with searchable snapshots

60:04 - Wrapping up the investigation

If you would like to watch some other introductory videos to Elastic Security first, please visit the following links:
- https://www.elastic.co/virtual-events/intro-to-elastic-security
- https://www.elastic.co/elasticon/archive/2021/global/democratizing-security-arming-every-analyst

Additional References: