THBS - Threat Hunting with BELK stack and Sigma rules

This is a 3-day, fully hands-on workshop on how to build a complete Threat Hunting platform and automate security alerting using the BELK stack.

A 3-day, fully hands-on workshop on how to attack and defend a complete, recreated company IT landscape. During this workshop the attendees will learn how to use a Threat Hunting platform based on the BELK stack, how to detect typical Red Team and adversary attacks mapped to MITRE ATT&CK, how to create automatic alerts, and how to react quickly to contain and eradicate the threats. The Threat Hunting platform will be provided as an open-source project.

Complete Abstract

Being part of a Blue Team means continuously looking for suspicious activities that could lead to a harmful data breach, but being able to react fast after an alert is triggered is not always enough to prevent damage. In this training we want to switch the threat hunter's role from reactive to proactive: identifying suspicious behaviour and taking action before the systems get fully compromised. To do so we provide a fully hands-on training where the attendees, presented with a complete IT landscape that simulates a Red Team exercise or a real attack, will learn how to build and operate a Threat Hunting platform built on top of the (B)ELK stack. Students will deploy Beats and custom scripts on the provided machines to collect and enrich information, normalize that information using Logstash, present the valuable parts in a Kibana dashboard, and translate Sigma rules into ElastAlert alerts that are sent to a Slack channel. To understand the different attacks carried out in the platform, each machine will host a few scenarios that replicate MITRE ATT&CK use cases.
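As an added illustration of the Sigma-to-ElastAlert-to-Slack step described above (example code written for this page, not part of the course material): a small Python translator that turns a Sigma detection block into an Elasticsearch query_string and wraps it in an ElastAlert rule with a Slack alerter. The Sigma rule, the index pattern and the webhook URL are constructed placeholders, and the Sigma-to-Beats field-name mapping that sigmac normally applies is assumed to have been done upstream in Logstash.

```python
# Constructed Sigma rule, written as a dict in place of the YAML file: registry
# Run-key persistence (ATT&CK T1547.001) as seen in Sysmon Event ID 13.
SIGMA_RULE = {
    "title": "Registry Run Key Persistence",
    "tags": ["attack.persistence", "attack.t1547.001"],
    "detection": {
        "selection": {
            "EventID": 13,
            "TargetObject|contains": ["\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\"],
        },
        "filter": {"Image|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}
def _term(value):  # escape query_string metacharacters; '*' and '?' stay wildcards
    return "".join("\\" + c if c in '\\+-=&|!(){}[]^"~:/<> ' else c for c in value)

def _field(field, value):  # one "field|modifier: value(s)" pair; list values are OR-ed
    name, _, mod = field.partition("|")
    shapes = {"contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}
    terms = [shapes.get(mod, "{}").format(_term(str(v)))
             for v in (value if isinstance(value, list) else [value])]
    return f"{name}:{terms[0]}" if len(terms) == 1 else f"{name}:({' OR '.join(terms)})"

def _search(search):  # a Sigma search map: every field pair must match
    return "(" + " AND ".join(_field(f, v) for f, v in search.items()) + ")"

def sigma_to_query_string(detection):
    """Expand the condition's search identifiers into one Lucene query string.
    Only and/or/not and parentheses are supported; "1 of them" etc. raise."""
    searches = {k: v for k, v in detection.items() if k != "condition"}
    out = []
    for tok in detection["condition"].replace("(", " ( ").replace(")", " ) ").split():
        if tok in searches:
            out.append(_search(searches[tok]))
        elif tok in ("and", "or", "not", "(", ")"):
            out.append(tok.upper())
        else:
            raise ValueError(f"unsupported condition token: {tok}")
    return " ".join(out)

def to_elastalert(rule, index="winlogbeat-*", webhook="https://hooks.slack.com/services/PLACEHOLDER"):
    """Wrap the query in an ElastAlert 'any' rule that posts every match to Slack."""
    return {
        "name": rule["title"], "type": "any", "index": index,
        "filter": [{"query": {"query_string": {"query": sigma_to_query_string(rule["detection"])}}}],
        "alert": ["slack"], "slack_webhook_url": webhook,
        "alert_text": f"Sigma hit: {rule['title']} ({', '.join(rule.get('tags', []))})",
    }
```

Dump the returned dict as YAML into ElastAlert's rules directory to have it run against the Beats indices on the platform's schedule.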

Some of the scenarios we will go through

  • Spear phishing attacks and malicious attachments
  • Malware and C2 server detection
  • Privilege escalation
  • Lateral movement
  • Data exfiltration detection using canaries
  • Registry manipulation and task creation for persistence
  • Web application vulnerability exploitation
  • DDoS attacks

Each student will conduct 5 to 8 labs a day. The ELK stack will be provided as an open-source project, together with some of the Sigma rules that will be used during the course.

What will you learn

  • How to setup a threat hunting platform using the BELK stack
  • How to collect security and network events from different hosts in the network
  • How to analyze them using Kibana
  • How to create automatic rules on security incidents based on the MITRE ATT&CK framework
  • How to alert and get more insights on the detected issues
  • How to react and contain the damage

What will you need

  • Docker (docker-compose) with 4GB of RAM
  • A Slack account
  • A Windows VM (we suggest Windows 10). During the course a complete simulated environment will be provided; the VM is needed only for self-study

Why should people attend this course

This course will teach how to create and operate a 100% free Threat Hunting platform based on the ELK stack, getting familiar with MITRE ATT&CK and some of the techniques used by attackers to gain access to companies' assets. Small and medium companies can use this knowledge to enhance their security defences, building a complete Threat Hunting platform without spending a fortune.

[1] Threat Hunting
  • The TH process
  • Alerting vs Proactivity
  • Use cases development (MITRE ATT&CK)
  • Information Gathering
  • Tooling (not only a SIEM)
  • Red vs Blue Team

[2] BELK Stack
  • BELK stack introduction
  • Beats: Packetbeat, WinlogBeat, AuditBeat, FileBeat

[3] SIEM and security rules
  • SIEM and Blue Team
  • Sigma rules
  • MITRE ATT&CK and Sigma rules
  • From Sigma to Elasticsearch: ElastAlert
  • Alerting on Slack

[4] Use cases
  • Attacker patterns and behaviors
  • Hypothesis and IOC
  • Post-infection investigation through SIEM timeline and Kibana: Event IDs

[5] Network detection
  • Identify C2 servers
  • Identify bots and automated activities
  • Identify data exfiltration using canaries
  • Identify possible phishing domains

[6] Host threat detection
  • Identify irregular processes
  • Identify registry manipulation
  • Identify privilege escalation techniques
  • Identify malware and ransomware
  • Identify abnormal user behavior

[7] Web Application Threats
  • Collect web server logs
  • Identify exploited vulnerabilities (SQL injection, XXE, RCE, LFI, RFI, etc.)
  • Phishing domain detection
  • DDoS attacks

Download the setup and try out a few of our labs!!

Interested? Contact us at [email protected]