ELK Stack

Elastic

Elasticsearch + Logstash + Kibana — popular open-source log pipeline and analytics.

Tags: Logging & SIEM · Freemium · Platform / Suite · Learning · Cross-platform


Description

The ELK Stack (now branded "Elastic Stack") is one of the most widely deployed log pipelines. The core is source-available rather than OSI open source since 7.11 (Elastic License 2.0 / SSPL, with AGPLv3 added as a third option in 2024); the Apache-2.0 fork of the pre-7.11 code is OpenSearch.

  • Elasticsearch — distributed search and storage engine; every shipped event ends up as a JSON document in an index here.
  • Logstash — server-side ingest pipeline: parse (grok/dissect), enrich (GeoIP, lookups) and route events before they are indexed.
  • Kibana — visualisation, search (KQL or Lucene syntax) and the UI for the Security app.
  • Beats (Filebeat, Winlogbeat, Packetbeat) — lightweight single-purpose shippers; newer deployments use Elastic Agent managed through Fleet instead.
  • Elastic Security (formerly "Elastic SIEM") — detection rules, timelines, cases, plus the prebuilt rule set published at github.com/elastic/detection-rules.

For a CySA+ analyst it is the usual self-hosted alternative to Splunk and the back end of open SOC distributions such as Security Onion; Wazuh also started on it, although current Wazuh releases ship their own OpenSearch-based indexer and dashboard instead.

Use cases

  • Self-hosted SIEM for organisations avoiding commercial licences: the free Basic tier covers detection rules, cases and RBAC, while SAML/OIDC single sign-on and the ML anomaly jobs need a paid tier.
  • Long-term storage for log-retention requirements, using index lifecycle management (rollover into hot/warm/cold/frozen tiers) rather than one ever-growing index.
  • Detection-as-code via the prebuilt rules (github.com/elastic/detection-rules), which are versioned TOML files that can be reviewed, tested and deployed from a repository.

Example

KQL (Kibana query bar, or a detection rule of type "query") for failed logons where the supplied account does not exist, the usual signal of password spraying or username enumeration against a domain:

agent.type: "winlogbeat" and winlog.event_id: 4625 and winlog.event_data.SubStatus: "0xc0000064"

Two checks before trusting this: Winlogbeat sets event.module to the channel module ("security"), not to "winlogbeat", so scope with agent.type or event.provider rather than event.module; and SubStatus is a keyword stored exactly as Windows renders it (lower-case hex), so an upper-case "0xC0000064" can silently match nothing, verify the case against your index. Event 4625 with SubStatus 0xC0000064 means "user name does not exist"; 0xC000006A is a wrong password for a real account, a different and noisier signal.
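To see what the rule above actually does once it is in Elasticsearch, the following added example (my code, not Elastic's or the page's) evaluates it locally over a handful of constructed Winlogbeat-style documents, emits the query DSL that the KQL compiles to for keyword fields (assumed here to be a bool filter of term queries), and goes one step beyond the single-event match by grouping hits per source address to separate one user's typo from an enumeration run. The event shapes, usernames and addresses are constructed for the example.

```python
"""Evaluate the 4625 / SubStatus 0xC0000064 detection over constructed
Winlogbeat-style documents and build the equivalent Elasticsearch DSL.
Added example, not Elastic's code; document shapes are assumed from ECS."""
import json
from collections import defaultdict

# Constructed sample documents shaped like Winlogbeat 8 output (ECS fields).
# Real events carry many more fields; only those the rule touches are kept.
SAMPLE_EVENTS = [
    # one user mistyping their own name: a single unknown-user failure
    {"@timestamp": "2024-05-01T10:00:01Z", "agent": {"type": "winlogbeat"},
     "winlog": {"event_id": "4625", "event_data": {
         "SubStatus": "0xc0000064", "TargetUserName": "jsmtih", "IpAddress": "10.0.0.5"}}},
    # one external address walking through likely account names
    {"@timestamp": "2024-05-01T10:00:05Z", "agent": {"type": "winlogbeat"},
     "winlog": {"event_id": "4625", "event_data": {
         "SubStatus": "0xc0000064", "TargetUserName": "admin", "IpAddress": "203.0.113.9"}}},
    {"@timestamp": "2024-05-01T10:00:06Z", "agent": {"type": "winlogbeat"},
     "winlog": {"event_id": "4625", "event_data": {
         "SubStatus": "0xc0000064", "TargetUserName": "administrator", "IpAddress": "203.0.113.9"}}},
    {"@timestamp": "2024-05-01T10:00:07Z", "agent": {"type": "winlogbeat"},
     "winlog": {"event_id": "4625", "event_data": {
         "SubStatus": "0xc0000064", "TargetUserName": "test", "IpAddress": "203.0.113.9"}}},
    # wrong password for a real account (0xC000006A): not this rule
    {"@timestamp": "2024-05-01T10:00:08Z", "agent": {"type": "winlogbeat"},
     "winlog": {"event_id": "4625", "event_data": {
         "SubStatus": "0xc000006a", "TargetUserName": "jsmith", "IpAddress": "203.0.113.9"}}},
    # successful logon: not this rule
    {"@timestamp": "2024-05-01T10:00:09Z", "agent": {"type": "winlogbeat"},
     "winlog": {"event_id": "4624", "event_data": {"TargetUserName": "jsmith", "IpAddress": "10.0.0.5"}}},
    # a Filebeat document with a different shape: missing fields must not crash the rule
    {"@timestamp": "2024-05-01T10:00:10Z", "agent": {"type": "filebeat"},
     "message": "Failed password for invalid user admin from 203.0.113.9 port 4242 ssh2"},
]


def get(doc, path):
    """Walk a dotted ECS path through nested dicts; None if any hop is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_unknown_user_failure(doc):
    """The page's rule: Winlogbeat 4625 with SubStatus 0xC0000064 (user name does not
    exist). SubStatus is a keyword that Windows renders in lower-case hex, so the
    comparison is case-insensitive here instead of trusting the case in a query."""
    substatus = str(get(doc, "winlog.event_data.SubStatus") or "").lower()
    return (get(doc, "agent.type") == "winlogbeat"
            and str(get(doc, "winlog.event_id")) == "4625"
            and substatus == "0xc0000064")


def kql_to_dsl():
    """Query DSL equivalent of the KQL above for keyword fields (assumed mapping):
    exact-value terms in a bool filter, which also skips scoring."""
    return {"query": {"bool": {"filter": [
        {"term": {"agent.type": "winlogbeat"}},
        {"term": {"winlog.event_id": "4625"}},
        {"term": {"winlog.event_data.SubStatus": "0xc0000064"}},
    ]}}}


def enumeration_sources(docs, min_distinct_users=3):
    """Group rule hits by source address and flag addresses that tried at least
    min_distinct_users different nonexistent accounts: one typo is noise, a run of
    unknown names from one address is enumeration or a spray."""
    users_by_ip = defaultdict(set)
    for doc in docs:
        if is_unknown_user_failure(doc):
            users_by_ip[get(doc, "winlog.event_data.IpAddress")].add(
                get(doc, "winlog.event_data.TargetUserName"))
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    hits = [d for d in SAMPLE_EVENTS if is_unknown_user_failure(d)]
    print(f"{len(hits)} unknown-user failures in {len(SAMPLE_EVENTS)} documents")
    print("enumeration sources:", enumeration_sources(SAMPLE_EVENTS))
    print(json.dumps(kql_to_dsl(), indent=2))
```

The single-event match fires on the typo as well as on the spray, which is why the per-address grouping matters: in Kibana the same grouping is a threshold rule (group by winlog.event_data.IpAddress with a cardinality condition on TargetUserName), and the `term` filters in the generated DSL are where a case mismatch on SubStatus would turn into zero results.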