THBS - Threat Hunting with BELK stack and Sigma rules

This is a 3 days full hands-on workshop on how to build a complete Threat Hunting platform and automate security alert using the BELK stack.


3 days full hands-on workshop on how to attack and defend a complete recreated company IT landscape. During this workshop the attendees will learn how to use a Threat Hunting platform based on BELK stack, how to detect typical Red Team and adversaries’ attacks based on MITRE ATT&CK, create automatic alerts and quickly react to contain and eradicate the threats. The Threat Hunting platform will be provided as open source project.

Complete Abstract

Being part of Blue Teams means being continuously looking for suspicious activities that could lead in harmful data breach but being able to react fast after an alert is triggered in not always enough to prevent damage. In this training we want to switch the threat hunter role from reactive to proactive, being able to identify suspicious behaviour and take actions before the systems get fully compromised. To do so we provide a full hands-on training where the attendees, presented with a complete IT landscape that simulates a Red Team exercise or a real attack, will learn how to build and operate a Threat Hunting platform built on top of the (B)ELK stack. Students will deploy Beats and custom script in provided machines to collect and enrich information, will normalize the information using Logstash, present valuable info in a Kibana dashboard and translate Sigma rules to ElastAlert alerts that will be sent over a Slack channel. To understand the different attacks carried out by the platform, each machine will have few scenario that will replicate the MITRE ATT&CK use cases.

Some of the scenarios we will go through

  • Spear phishing attacks and malicious attachments

  • Malware and C2 server detection

  • Privilege escalation

  • Lateral movement

  • Data exfiltration detection using canaries

  • Registry manipulation and task creation for persistence

  • Web application vulnerability exploitation

  • DDoS attacks

Each student will conduct 5 to 8 labs a day. The ELK stack will be provided as open-source project, together with some of the Sigma rules that will be used during the course.

What will you learn

  • How to setup a threat hunting platform using the BELK stack

  • How to collect security and network events from different hosts in the network

  • How to analyze them using Kibana

  • How to create automatic rules on security incidents based on the MITRE ATT&CK framework

  • How to alert and get more insights on the detected issues

  • How to react and contain the damage

What will you need

  • Docker (docker-compose) with 4GB of RAM

  • A Slack account

  • A Windows VM (we suggest Windows 10). During the course a complete simulated environment will be provided. This is needed only for self-study

Why should people attend this course

This course will teach how to create and operate a 100% free Threat Hunting platform based on the ELK stack, getting familiar with the MITRE ATT&CK and some of the techniques using by attackers to get access to companies’ assets. Small and Medium companies could use this knowledge to enhance their security defense, building a complete Threat Hunting platform without spending a fortune.





[1] Threat Hunting

The TH process

Alerting vs Proactivity

Use cases development (MITRE ATT&CK)

Information Gathering

Tooling (not only a SIEM)

Red vs Blue Team

[2] BELK Stack

BELK stack introduction




Beats: Packetbeat, WinlogBeat, AuditBeat, FileBeat


[3] SIEM and security rules

SIEM and Blue Team

Sigma rules

MITRE ATT&CK and Sigma rules

From Sigma to Elasticsearch: ElastAlert

Alerting on Slack

[4] Use cases

Attacker patterns and behaviors

Hypothesis and IOC

Post-infection investigation through SIEM timeline and Kibana: Event IDs

[5] Network detection

Identify C2 servers

Identify bots and automated activities

Identify data exfiltration using canary

Identify possible phishing domains

[6] Host threat detection

Identify irregular processes

Identify registry manipulation

Identify privilege escalation techniques

Identify malware and ransomware

Identify abnormal user behavior

[7] Web Application Threats

Collect web server logs

Identify exploited vulnerabilities (SQL injection, XXE, RCE, LFI, RFI etc)


Phishing domain detection

DDoS attacks

Download the setup and try out a few of our labs!!

Interested? Contact us at

Last updated