From YouTube: Building a SecOps Platform on Kubernetes
Description
Kubernetes Community Days Bengaluru'21
Knowing what is going on in your environment is an essential part of staying on top of security issues. But how do you capture relevant metrics and visualize them? One widely-used tool for that job is the Elastic Stack, formerly known as the ELK stack. This workshop shows how to ingest relevant metrics from your network and hosts and visualize them to find suspicious patterns and behaviors quickly.
We'll be building the Kubernetes platform to ingest various security sources.
Slides: https://drive.google.com/file/d/1oYuL1IXhpV954o2CmhsT6TOXo8TM3ZnB/view?usp=sharing
A: So, let us start sharing the...
A: So welcome to the Building SecOps Platform on Elastic Stack using Kubernetes talk. I'm Irwin and we have Aaron here today. We will not waste a lot of time, because there are only two hours, and I guess you will be able to accomplish everything.
A: I would say this is not a full-fledged workshop, to be honest, because any security workshop will take at least four hours or more. But in the virtual scenario I guess we will not be able to spend a lot of time on the computer continuously doing various tasks. We have more trainings and all that you could take later, free trainings as well, so that you could simulate things, etc.
A: But we will get started and initiate you into this process. We will give you some information, we will give you the lab details, and then you could get started. So yeah, I told you about that, and then the important thing we'll be learning is: how do you build this particular platform on Kubernetes, Elasticsearch, and then on top of it the security solution?
A: So we will be seeing four different labs today, and in each lab we will be covering something different, and there will be an end goal: building a cluster, then walking through Kibana Security, then ingesting data, then using security event data, and then using security analysis. We'll also, at the end, see what we have learned today, what else you could learn going forward, and what use cases you could build, etc.
A: So I want to specifically say that we are not talking about container security or Kubernetes security itself. We are just talking security in general, from any VM or any laptop or any OS bundle, etc. So we are not specifically looking at Kubernetes per se, but we are building this on Kubernetes as a platform, running this on a Kubernetes platform. So that's what our goal is. So this is the lab environment; thanks Harun for creating it.
A: Hesitate, so you could, yeah. Thank you. You could go to the workshop. I will also go into the workshop.
A: So this is the environment that we are using, called Strigo. What it basically does is spin up the environment for you, and then you could practice and build your labs there. Simply that's it, nothing more than that. Okay, so it is a simple thing, but we needed that token. I think you missed putting that, okay yeah.
A: If you could put the token in the classroom, that would be good. Each of us will get a token, one single token, and then you could join. The only thing you need to have is, what you call it, okay, the token is here: you need to have the account in this particular thing. Okay, Windows is ready.
A: So everyone, when you join this Strigo, the lab environment, you click on My Lab on the left side. You will see My Lab. Don't click on the presenter screen; the presenter screen will be there, forget it, don't worry about it, but click on My Lab. That is where your machines will be. You have a Kubernetes machine. You have a CentOS machine running. You also will have a Windows machine picking up, okay.
A: So for now you just click on the lab, wait for the workstation and let it boot up by the time we come to the labs. We'll do some theory and then we'll come to the labs, and then you will be able to get to know about all of the stuff. I hope you are all with me and you're all able to understand what I'm trying to explain.
C: Yeah, I mean, I just wanted to add: please try to access the workshop environment with the passcode. Let us know if you have any errors; give it time to get prepared. As Aravind said, click on My Lab and give it time, and also you have the lab content. The deck which Aravind is showing is already available for you. So try to access that and let us know if it is not accessible, yeah.
A: So folks, one thing that I want to tell you specifically is, because of the virtual nature of the workshop, we will have problems. If you have any concerns or anything, you can unmute yourself and talk; that's why it's a smaller group. You could also write in the chat. You need to tell us, or raise your hand if that is a possibility, I guess. So please let us know, because otherwise we will not be able to know what is happening in that lab.
C: Great, and just talking about the lab, right, so I mean, if you wanted to drop down that Kubernetes thing. If you see, just to give you the agenda, no, the Strigo, inside this Strigo. If you wanted to drop down that Kubernetes setting, I mean this one is...
C: No, no, the machines, VM machines, okay, the drop-down arrow, yeah. So what we did is we have created a Kubernetes machine where you would be installing Docker, Kubernetes, as well as Elasticsearch and Kibana, and then, to give some data to that Elasticsearch instance, we have a CentOS machine and a Windows machine. So what we are going to do is install some data ingestion techniques in Elastic.
C: Like Beats, Auditbeat inside the CentOS machine, and then in the Windows machine, that's where we are going to play around: we are going to install Sysmon, we are going to install Winlogbeat, which automatically collects all the Windows event and Sysmon events and then streams them to the Elasticsearch environment which you built inside Kubernetes. So that's the whole overview of the environment. Once the data is getting streamed inside the Elasticsearch which you built, everybody will have their own access.
C: I mean your own built Elasticsearch, right, so you'll have your own Elasticsearch and Kibana. To understand the machine configuration you can click on that settings button and then you will get all the machine info. So, if possible, save it, like the public IP, DNS; save these things. This is what you will be configuring inside your Beats configuration on CentOS and Windows. Everything is documented. We are going to go through it one by one, slowly, so do not worry, I'm just giving you an overview.
C: Once the data gets streamed, we are going to detonate some mock malware. We are going to detonate an APT-34 mock malware, which will do some kind of suspicious things using PowerShell, and then we are going to hunt and investigate that inside Elastic Security. So we are going to have complete security operations and, if needed, we can also have some case management, workflows and other things.
A: Thank you. So please let us know, keep chatting to us and talk to us. That would really help us. So, like Karen said, I have installed Kubernetes as well, and Docker and everything; you just need to kick-start stuff and install the stuff, so we are making the benchmark as low as possible so that you will learn here and then take it back to your work and do more there. Actually, so that's the goal, so, okay, so basically yeah.
A: I think Haran told you about all of this. I showed you, so okay. So basically I guess many people might know about Elasticsearch being a search engine, or if you are coming from the ops world, you might know Elasticsearch as a log analytics engine, observability, metrics, traces and all, but Elasticsearch also has other components which you also know, like Kibana, which is a visualizer, and Logstash, which does extract, transform and load. All of these are free and open tools.
A: That means you could download it and run it without paying anybody, and there is nothing like a bar; we don't even collect emails of people who are downloading the stuff. So next to that, you have Beats, which is like a data shipper which does multiple things. There are new things coming up here; we'll discuss at the end of the session how Beats is going to change, how data ingestion is going to change, but then also...
A: We also have the code tracing stuff, like if you have an application tracing solution, which is APM. We're not going to talk about Logstash and APM today; we're going to focus more on these three areas: Elasticsearch, Kibana and Beats. We're also going to give some information about the overall direction of how it is going and how it is changing now. Over a period of time, the same stack has been nurtured or moved into multiple different apps, in product language.
A: If I say it is a solution, so that if you go to Observability, there are logs, metrics, and it's like an app that you could use internally to detect, investigate and look at stuff. If you are an SRE or something, this will help, and if you are a security person, then you can get into the security related functionality. Similarly, as a search engine, you could create search, manage search relevance, etc. So Elastic Security is not relatively new.
A: It's been there for quite some time, but I guess we have actually got this company called Endgame, one and a half or two years back, and then we joined forces with them and then they started building. They exist on top of the existing SIEM as a SecOps platform, and actually it is more than SecOps. We are trying to bring in everything; you also see AppSec.
A: AppSec workflows also come into display, which we'll see in the detection rules in a minute, so that if you have applications running in a Kubernetes kind of environment, you'll still be able to detect, find out and enable these kinds of rules to help hunt threats, etc. So all of this is there.
A: So that's what we are trying to do. So I guess I'm going to do some basics for people who completely don't know Elasticsearch, but if you have any questions at this point of time, please let me know. I guess I see two questions already. Okay, so I'll take them one by one, because I don't want to keep them unanswered unless we are covering that in the upcoming slides.
A: So I'll just talk about that question. So if you have questions please post them and we will stop and take the questions soon so that you don't get bored. So, saying like, I noticed in some projects and blogs others used Fluentd instead; what is the reason for that, what are the advantages and disadvantages? So basically Beats is a data shipper and Fluentd is also a data shipper, but Fluentd is not owned by Elastic; Fluentd is a CNCF project and Fluentd is also a general purpose...
A: ...data aggregator and data shipper. Fluentd is a data aggregator, just like a bit of Logstash, but now also you have Fluent Bit etc. to do something which is very similar to Beats now.
A: That's why I'm telling you there's overall going to be a change in how the entire thing looks and how you need to configure and do stuff, with something called Elastic Agent and Fleet Server. But other than that, if I have to tell you why people use Fluentd, they think that it gives you better performance, etc.
A: But if I have to tell you one specific thing: using Beats, you will be able to do a lot of things that the apps in Kibana and Elasticsearch can understand, which helps you to do whatever Haran is telling, the threat hunting and correlations and a lot of these, very easily. So I won't say it won't scale. You just need to tune some stuff, and then it will scale. We have people who are using more than a lakh of Beats in their infrastructure and it receives, so yeah.
A: That is one question I hope I have answered. If not, we are happy to share our socials and then you can DM us and we could answer there as well. Apart from that, Nikon has one more question: what's the difference between Elasticsearch and Elastic Enterprise Search? Enterprise Search is not a paid thing or something like that. It's also a free product.
A: It contains these three things as well, so Enterprise Search is primarily for people who are building search solutions on top of Elasticsearch. Elasticsearch is this big beast, right? It's a big, you know, clay that you mould into different shapes, so some people use it as a security solution, some people use it as an observability solution, a log analytics engine; everyone uses it a different way. So for search people, now there are moulded search engines, like I guess you could...
A: You should definitely go and look at App Search or Site Search, which gives you a much better idea actually. So I hope I answered that. So I just want to ask this question to others: how many of you are new to Elasticsearch?
A: You could just say plus one or something like that, like this, plus one, you could try it. How many of you are new to Elasticsearch?
A: Okay, great, I think around 40 of the people. How many of you have experience? Yeah, okay, fine, okay, both know some theory, so I'm going to cover a bit of theory, not so much. I haven't worked on it for a long time. Yes, obviously, yes, definitely. So basically I'm going to cover some theory and thereby we will be able to go and look at two things, so you will understand what's happening.
A: So we are definitely going to run everything on Kubernetes and ship data, so that you will have an idea of how to build this platform on Kubernetes. So basically Elasticsearch is a distributed system.
A: You have multiple nodes, so nodes can be containers, VMs, or bare metal machines in your data center, whatever it might be. Nodes communicate with each other and form this cluster. So say, for example, each node runs an Elasticsearch instance, and then under the same subnet it forms a network, actually. So if you are building it on your own on your laptop, you just need to give different...
A: ...what you call it, different data directories, and then on the same laptop you can have a multi-node Elasticsearch cluster. You can do that using the command line, three command-line instances, in cloud or somewhere else. You could use containers, you could use GKE kind of platforms, you could use EC2, you could use anything; people do multiple varieties of things.
A: So how does this data go into Elasticsearch, at a high level? You have log events, you have audit events, you have content from different stuff. All of these go into something called indexes, or indices. Actually, the index is a primary thing, just like a table in your SQL stuff. You have an index, and then your index is spread across multiple nodes, like the nodes that we showed.
A: If you have only one node, it will reside here, but if you have multiple nodes it is spread across them. An index also contains shards etc. that we are not going to discuss today, but these indexes will be responsible for giving you results. Actually, when you ask queries, from these indexes you will get results, just like your table or a collection in MongoDB or any other NoSQL concept; indexes will do it, because Elasticsearch is a search engine, it has indexing. So I guess you are clear with it.
A: If you have any questions on my slides, again, please ask. Yeah: each index will have shards, and shards are like the physical units, but these are like buckets. So if I have to tell you, say, if you have one GB of data and then you go ahead and create an index, and then the shards can be, okay, I need some bigger... So basically what happens is you put...
A: ...the shards will split the data into four chunks based on your configuration and it will move to multiple nodes. This block can be here, this block can be here, this block can be here, etc. So yeah, that is the overall stuff actually. So why Elastic for security?
A: Specifically, so, as I said, Elastic is a search engine primarily. So for security professionals, or if you want to become a security professional, I'll tell you the popular thing, because I came from the security world. I worked at MC previously and there is a huge pile of data, and if you want to run a query, what happens is you have to go for a coffee and come back, because the systems...
A: ...are, I don't say archaic, but they are a bit old and they haven't seen the new, latest generation techniques and tools. That's where the attackers are getting more and more intelligent, and they're able to, with their attacks, go in and compromise these very systems.
A: There are security companies whose infrastructure is affected by ransomware, and then you could imagine how intelligent attackers are. So search engines help you to look into this data much more easily and help you to detect the threats easily, and because Elasticsearch is programmable in nature, you could interact with multiple threat intelligence feeds, and you could also run it on any cloud. Someone was asking which CSI provider do you prefer for Elastic on Kubernetes?
A: I guess you are asking about cloud service provider; if I'm not wrong, please correct me, Shashank. So basically you could use any cloud; we don't have any cloud preference etc. You could use AWS, you could use GKE on Google Cloud, or you could use Azure.
A: There is no difference. So, okay, container storage, yeah, let's see, I'll tell you that differently. So you could use different clouds and, regarding storage, you can use any place, but we recommend using persistent SSDs. Actually, if you are using SSDs, that would be better. So there are different types of storage classes in each cloud...
A: ...service provider; like Azure says something like premium storage, GCP has a different type of SSD disk, and obviously AWS has EBS and a lot of stuff. So always choose that particular stuff, and that would be helpful. But make sure that you do that; otherwise you might have problems when you're scaling the cluster.
A: That would be a problem for you, okay. So yeah, persistent storage and obviously SSDs. So, data ingestion: you could obviously use, like I said, Beats or Elastic Agent to ship it from multiple different systems. In fact, actually the laptop that I am currently running runs an Elastic Agent and Elastic Endpoint, through which my laptop is protected and the data is being harvested from my laptop.
A: Okay yeah. I have that in the diagram like this. So in a nutshell, whatever I have told is this thing: you have a cluster, you will have indexes (indices), indices have shards, shards have your documents. Okay, your security events are your information stuff. So there is one logical flaw in whatever I explained till now, in this diagram actually. So if you see, I told that this resides here. No, actually both the indices are spread across the instances.
A: Actually, so it is not just this instance; it's all spread across. So that's the thing. Now let us quickly get on to lab one, enough of talking, and then I'll show you the stuff, and then we will all get to the lab stuff. So we will create a Kubernetes cluster, I mean we will create an Elastic Cloud on Kubernetes cluster on Kubernetes, and then we will kick-start things actually.
A: So I would recommend you to go to the lab and come to this particular slide, which is slide number 20, if you are following, and you could also copy the information and then get started. So I have already installed k3s, so you could do kubectl cluster-info, which will throw me an error, if I'm not wrong.
A: So if I do that, it says permission denied, because the user that I am running as didn't have permissions to run this particular thing; it's not able to read the kubeconfig. So basically you could give permissions to it. So let us give it sudo chmod, okay, chmod, and then yeah, obviously I gave 644, but because it's a learning environment you could also give...
A: ...you could also give, say, 777, but make sure about that for production. This is not for production. I want to tell you again, this is definitely not for production. You're just learning here. You need to do some more settings to get into a proper production cluster, but this is where you could learn, and like and subscribe.
A: So Elasticsearch is a distributed system, and then you have a lot of moving parts, and for many people to run it on Docker or without any orchestration is a bit difficult. So that's why Kubernetes also has an operator SDK through which you can run general purpose applications like Elasticsearch, MongoDB, Redis, Kafka, etc. So all these are general purpose applications that you run in your infrastructure.
A: So basically you have this operator which helps you to run Elasticsearch easily. So it installs a bunch of controllers; it includes a bunch of resources so that Elasticsearch becomes native to Kubernetes. That means, just how you do kubectl get nodes, kubectl get pods, kubectl get services, deployments, etc.
A: In a similar way you do that same thing. So at the end of the day, for your user it is still an Elasticsearch; for the operator, for the person who is running this stuff, it's just Elasticsearch running on Kubernetes. I'm just going to install this, so you might see some warnings here, but that is because we are running an advanced version of the cluster; if you are running 1.16, in between 1.16 Kubernetes or 1.10...
A: ...you wouldn't see this warning, but these are the beta APIs that got into GA in 1.12, so yeah. So you just installed the operator here and you are ready to deploy Elasticsearch, okay. How to deploy Kubernetes, can you provide the commands? So there are multiple ways, and yeah, exactly, I'm using k3s only. So there are multiple ways and there are multiple distros. There is minikube for this thing, there is kind, there is k3s, and there is the real kubeadm.
A: You could go and install plain vanilla Kubernetes, and there are GKE, AKS; you could use the managed service as well, yeah. You could also try MicroK8s, yeah exactly. We could do that as well, so here I'm just trying to reduce the bar so that you don't need to install Kubernetes. That itself is a big thing for a lot of people, and I don't want to...
A: ...give that trouble to you. So we're going to look at the operator logs here, to see how the operator install is doing. As you see, it is talking to Elastic, it's talking to the Kubernetes APIs, it has registered a lot of stuff, and so far I don't see any major errors; all are info and so far everything is good. So that means it is ready to deploy. So what it is doing is it installed some code; think of it like this:
A: It installed a plugin on top of Kubernetes which would understand, say, Elasticsearch as a native resource, just like how you see kubectl get pods etc.; in a similar way you could do that. So I will just increase my font size also, so that you will be able to see this. I hope you are able to see that; if you are not able to see my screen, please let me know. So if you do kubectl get pods, nothing is working.
A: I guess no resources are running. So let us quickly deploy Elasticsearch here and then we will go ahead from there. Okay, so this is the same thing that Karen has given as a lab, if you are not following me and if you are going on your own; this is just there, yeah. So in this lab you don't need to install Kubernetes, it's already installed.
A: We have spun up a Kubernetes machine for you and, if you want to install it by yourself, go to k3s.io; it's from Rancher and it's pretty easy to get started, but in this lab you don't need to do that. So please don't do that. Okay, so it's not needed, Kubernetes is already there. You are building a platform, a second platform, on top of Kubernetes. That is the objective of this lab.
A: So if it is not working for you, just see; I'm happy to help. Once I create the Elasticsearch instance, I'm happy to help debug your issue as well. So I'm just going to create the Elasticsearch instance here and also explain it to you in the meantime. Yeah, so the Elasticsearch instance has been created. It looks so simple, but actually under the hood it is pulling the container, it is creating this Elasticsearch instance with count one, and it is also creating a load balancer in front of it so that it gets an external IP, okay.
A: Okay, so you see that we are not doing kubectl get pods, we are doing kubectl get elasticsearch. So that is the difference that you see, why Elasticsearch is becoming a native thing to Kubernetes and why it is not just like any other pod or any other application. Okay, so that is the difference.
A: Actually, so you installed Elastic and you kind of create an Elasticsearch, and you could query that, like kubectl get elasticsearch, get APM, get Kibana. You could do all that. So, as you see, the pod is ready and you could go back and check kubectl get pods. Now I'm just looking at the pods.
A: No namespaces, no different deployments. You could look into that. You could see all the resources; you could type kubectl get all -A. So I want you to do this one and let me know, and meanwhile I'll come back and clear if you have any questions. Actually, yeah, exactly, that's why we executed the chmod right here, so you just need to sudo chmod the stuff, right, the first command; you missed that command.
C: Yeah, that was great, Aravind. So yeah, if you are following Aravind you can install along with him, or we have documented all these commands and everything. So let us know if you have any questions, feel free to unmute or put it in the chat; we can go through another demo as well. So in this lab one we have two parts: one is installing Elasticsearch inside Kubernetes. So that's what Aravind showed. Once this is finished...
C: ...we are also going to install and configure a Kibana instance that will automatically connect to the instance. Kibana is nothing but the UI layer of the Elastic Stack where you would be analyzing the data; you would be working on security analytics and all those things. So that's what we are going to do as the second part of lab one.
A: Yeah, if everyone has deployed this thing, please give me a plus one. I would go ahead and show you, okay, yeah.
C: So, oh sorry, sorry for the overlapping! Please go ahead.
A: No, nothing. I think quite a few people have, but please let me know; with 14 people we should see more plus ones. If you have troubles, ask me and we are happy to help. Okay, I think you asked what is the difference between Elastic Stack and Elastic Cloud. Elastic Cloud is a managed service offering of the same Elastic Stack. So it is running in the cloud, any cloud that you could choose, and then you could deploy the same stuff there. Here we are using Kubernetes.
A: Yeah, it seems I didn't understand, Nikon. I couldn't understand, actually.
E: Actually, I don't see that, like the CLI; it's just showing this white blinking cursor only, but the, so, which is a bit...
C: Okay, let me check that, Nikon, yeah.
A: So we could also see, as an attendee, I think, we could also see what you're doing through the lab environment. If you get stuck, probably we could see and help you through the Strigo environment. So don't worry if you have problems; we could also restart your machines, and you could also restart, but please don't do that; but you could also do all of that by yourself. Actually, okay, so Nicod will help you. So don't worry about it. Sure, sure, thank you.
A: I mean, we'll get to the next part in a minute, but please, other people, if you have any questions or you're stuck or have doubts, please ask; we can spend time getting things done. But if you don't understand and we go quickly installing stuff, you will lag behind and you will not learn anything, okay. So Joshua, you said like, I'm new to this; regarding this operator, why are we installing the operator and then creating the instance in the next command?
A: So basically, like I said, the operator is just a code plugin to let Kubernetes understand. These are like repositories that you create in your Ubuntu machine or something: you add the repository to the whole kernel, like the base repository, and whenever you are pulling a specific package, Linux will go and check in that repository as well, and if it finds it in that repository, it will bring it and install it, right. In a similar way...
A: ...Kubernetes gets to know through the operator what are the various things I need to do to run Elastic. Say, for example, I need to connect, if I run these containers of the same type called Elasticsearch, like I showed here. Here is this one, see, if you see a kind: Elasticsearch, and then the name is quickstart and the version is like 7.1.13.2, and all of this. If this is the particular thing, how do I bind it to two containers?
A: So I could also increase the count to three and make a three-node containerized Elasticsearch cluster in Kubernetes running in pods, or I could also set node affinity rules and spread it across multiple pods, etc. I could do all of that, but we are doing something very basic and simple. Yes, we are building an Elasticsearch instance on top of this thing, but the operator is the base that helps you to do all of this.
A: It does the TLS encryption, it does get the password as well. So that's what we are going to do. If you stick around, you will definitely understand what exactly we are trying to do. You will also see that kubectl get elasticsearch will give you this thing, but ideally you don't do get elasticsearch for any other thing, right. You don't do this, you get pods, but because we installed the operator this particular thing is happening.
A
Okay.
Now
what
operator
also
helps
you
do
is
like
it
will
get
you
the
like?
It
will
help
you
to
kind
of
like
get
the
password.
You
can
create
an
automatically
password.
So
let
me
go
and
get
that
password
thing
for
you
actually
yeah.
So
this
is
yeah
okay,
so
we
have.
We
have
watched
the
changes.
It
is
green.
Now
let
us
go
and
quickly
get
the
password,
so
the
operator
helps
you
to
create
this,
like
you
know
the
the
security
between
the
nodes
and
also
everything.
A
So
if
you,
if
you,
we
are
getting
that
into
an
environment
variable
so
that
you
could
be
able
to
do
it,
I'm
going
very
slow,
but
don't
worry.
We
are
happy
to
help
you.
So
this
is
the
password
that
elasticsearch
has
and
then
I'll
kind
of
like
see.
If
I
could
log
into
my
elasticsearch
machine
using
that
password,
okay,
so
I'll
do
this
thing,
control,
c
and
open
new
tab,
https,
slash.
A
And
before
I
hit
enter,
I
need
to
copy
this.
Otherwise
people
to
enter
says
yes,
because
we
didn't
give
certificate,
you
could
also
create
a
self
self
sales
and
certificates
as
well.
That
is
also
a
possibility
and
I'm
giving
elastic
is
the
basic
user
that
it
will
create
and
then
sign
in.
You
should
be
able
to
see
this
okay.
Now
that
you
have
a
single
node,
elasticsearch
cluster
running
on
your
on
your
laptop
and
it
is
publicly
accessible,
of
course,
secure.
A
Okay,
I
hope
you,
you
all,
would
do
this
anyone,
anyone
have
doubts
or
anyone
have
problems.
Please.
Let
me
know.
A
If
you
are,
if
you
are,
if
you
are
ahead
of
this,
please
let
me
know
like
so
that,
like
you
know,
we
could
move
ahead
and
do
the
next
stuff.
So
this
is
what
we
have
done
right
now.
Yeah
again,
let
us
create
a
kibana
instance
and
connect
it
and
show
it
everything
so
similar
fashion.
A
You
see,
unlike
previous
previous
one,
you
have
elasticsearch
in
the
kind.
Now
we
are
having
kibana
and
you
pull
the
relevant
version,
and
then
you
also
attach
a
load
balancer
just
in
case
just
because
we
want
to
kind
of
like
what
you
call
add
an
ip
etc.
So
yeah
can
you
share
the
link
to
slides.
I
think
you
missed
the
thing.
A
A
C
A
Yeah
we're
good
with
lab
one.
So
the
the
just
one
is
like
you
know:
yeah,
yes,
you
could
access.
That's
that's
the
next
thing
that
we
wanna
show
so
now
that
kibana
and
elasticsearch
is
ready.
So
just
do
cube,
ctl
get
kibana
or
sorry
get
svc
to
see
the.
What
are
the
services
that
are
running
and
okay.
Sorry,
I
typed
strong
and
then
you'll
be
able
to
see
the
external
ip
and
everything
etc
like
load.
Balancer
has
provisioned
everything.
A
Just
click
on
the
lab
settings
go
to
the
machine
info
in
the
same
way,
just
similar
manner
of
what
you
have
done
for
the
same
thing.
If
you
are
using
the
same
dns,
it's
okay,
just
use
5601
and
click
enter,
but
you
need
to
give
the
username
and
password
so
by
the
time
it
loads.
We
will
try
to
give
that.
C
Yeah,
these
kind
of
unsafe,
unsafe
command
is
because
we
have
not
configured
the
certificate
for
the
sake
of
this
lab,
usually
in
production,
you
would
be
configuring
with
ssl
certificate,
but
for
this
lab
that's
going
to
be
kind
of
an
additional
overhead
right
so
to
keep
it
simple.
So
the
main
motto
of
this
particular
lab
is
to
get
familiarized
with
elastic
and
especially
the
security
analytics
with
elastic
where
we
are
installing
inside
kubernetes.
A
Yeah,
so
don't
worry,
this
environment
will
also
be
there
for
more
hours.
Even
after
the
lab
session,
we
can
extend
it
for
you
and
then
you
could
practice
it
or
you
could
try
stuff,
actually
learning
things
you
could
deploy,
etc,
etc.
So
don't
worry
about
it.
So
so
we
are
also
giving
this
thing
and
that
that's
that's
how
that's
no
problem.
A
I
have
difficulties
accessing
public.
What
have
come
up
so,
okay,
good,
I
think
haran,
can
you
help?
Can
you
help
like
sorry?
I
will
see
what
they
is
doing.
A
So
if
everyone
is
done,
like
you
know,
you
will
see
the
screen
when
you
log
in
yeah,
so
you
might
face
problems
if
you
are
popping
the
wrong
stuff
or
if
you
have
stuff
that
is
there
just
cube
ct
will
get
svc.
Echo
password,
keep
it
ready.
Okay,
just
try
it
again.
Sorry
and
your
show
everyone,
but
just
try
this
one,
because
I
faced
problems
as
well.
A
If
you,
you
might
have
missed
something
actually,
so
you
could
you
copy
the
public
dns
right
copy,
the
public
dns
like
you
could
copy
and
then
close
it
open
open
it
and,
like
you
know,
with
nine
two
double
zero
port.
You
need
to
give
the
port
as
well.
So
that
is
important
thing.
C
Yeah,
so
basically,
once
you
copy
the
public
dns
you
have
to
put
https,
I
think
many
people
are
might
be
missing
that
right,
like
that
makes
sense.
So
you
have
to
provide
https
colon,
slash,
slash
the
dns
name,
colon
5601,
so
that
should
take
you
to
the
kibana
ui.
A
Yeah,
so
you
you
might
either
you
might
be
just
hitting
the
dns,
that's
it,
but
you
need
to
hit
the
port.
That's
that's
where
you
will
get
five
four
zero.
Four!
If
I
remove
this
yeah,
you
might
be
history,
that's
that's
the
thing
yeah!
So
so
yeah!
Sorry,
please
see
if
you
also
have
what
result
so
so,
like
I
said
kibana
you
have
this.
You
will
get
to
this
ui
and
you
could
click
on
explore,
explore
explore
on
my
own
okay
joshua.
I
guess
you
will
also.
You
are
also
good.
A
I
guess
that's
what
username
is
elastic
password
is
echo
password.
You
find
you
will
get
it.
Okay,
that's
the
default
user.
You
could
create
additional
users
later.
I
am
clicking
on
explore
my
own
in
kibana,
so
it
will
take
me
to
this
place.
Okay,
this
is
where
the
lab
one
ends
and
if
you
have
any
question,
etc,
etc.
Yeah
you
could
find.
C
So
nikon
for
the
dns
once
again,
aravind
will
be
showing
go
to
the
settings
bar
click
mission
info
there.
You
will
get
the
public
dns,
so
you
could
access
your
ui
with
this
public
dignity.
Https
public
dns,
along
with
port
5601
5601,
is
the
default
port
for
kibana.
So
that's
automatically
gets
configured
yeah.
H
A
A
Yeah
so
yeah
lab
lab2
is
also
like
kind
of
exploring
kibana
and
playing
with
kibana
only,
but,
but
I
I
just
want
you
like-
please
let
me
know
if
you
have
any
questions
or
like
doubts
or
you're
stuck
or
you
have
things
that
you
want
to
ask
more
happy
to
help.
So
we
are
just
giving
five
two
or
three
minutes
for
you
to
like
kind
of
get
started.
Yeah.
A
We
are
doing
okay
on
time,
yeah
yeah.
We
are
good.
A
Great,
but
if
you
have
any
questions
I
keep
asking
because
because
if
you
are
stuck
please
let
me
know
virtual
is
really
hard
and-
and
I
don't
really
like,
like
you,
know,
putting
you
in
trouble
and
you
know
that's
why
we
have.
We
have
done
most
of
the
configuration
actually.
C
So
perfect,
thank
you
so
much
erwin
that
was
great
to
get
installed
with
elasticsearch
and
kibana.
So
hope.
All
of
all
of
us
are
in
the
same
page.
We
have
installed
elasticsearch,
we
have
installed
kibana
in
the
kubernetes
and
we
talked
about
all
the
possible
options
of
queue,
kubernetes
containers
and
everything.
C
So
the
next
step
is
to
understand
elastic
search,
and
I
mean
the
the
features
of
elasticsearch
and
then
followed
by
ingesting
data
and
playing
around
security
use
cases
as
part
of
lab2.
You
could
see
explore
kibana
right,
so
we
don't
have
much
of
a
step
by
step
for
laptop.
It's
just
going
to
be
like
a
demo
where
I'm
going
to
show
you
you
can
do
this
lab
2
will
give
like
5
10
minutes
once
I
demoed
it
or
you
can
do
it
anytime.
C
As
raven
said,
the
lab
will
be
available
even
after
this
session.
So
talking
about
laptop
first,
let's
access
kibana.
As
we
mentioned,
you
can
access
using
https,
dns
name
and
then
5601
port.
Once
it
is
accessed
you
can.
The
default
username
is
elastic,
which
is
the
administrative
credential.
Elastic
also
has
various
role-based
access
control.
You
can
create
more
users,
restrict
the
restrict
the
access
attribute,
based
access
controls
and
everything.
So
that's
the
next
step.
First,
let's
access
with
default
credentials
elastic
and
what
about
the
password?
C
So
if
you
go
to
kubernetes
mission,
so
you
could
see
after
showcasing
the
password
if
we
do
echo
password,
maybe
let
me
zoom
in
a
bit
so
hope
it
is
visible.
Now,
if
you
do
echo
password,
each
of
us
will
be
getting
our
unique
password
where
we
deployed
elasticsearch.
C
So
this
is
the
password
you
could
copy
it
store
it
and
then
kind
of
access,
the
kibana
using
the
username
and
password.
So
let's
login,
so
you
you
you'll,
get
a
home
page
talking
about
either
to
explore
on
your
own
or
add
data.
What
did
this
mean
by
add
data?
Is
we
have
some
sample
data
available
within
elasticsearch?
C
So
if
you
see
like
add
data
right,
so
if
you
go
to
the
sample
data,
you
have
like,
you
could
add
data
like
sample
e-commerce
data
sample
flight
data
sample
web
logs
and
something
like
that
right.
So
that's
something
possible!
You
could
do
that
in
our
case.
You
can
do
this
or
you
can
explore
on
our
own,
so
let's
first
explore
kibana.
C
So
what
is
kibana
kibana
is
nothing
but
the
ui
layer
of
the
stack
like
there
are
few
methods
to
ingest
data
like
beats
log
star.
Someone
also
mentioned
about
flue
and
deep,
so
fluent
is
another
available
tool
that
can
ingest
data.
There
are
various
tools
right.
Even
you
can
ingest
data
using
your
python
scripts
or
something
like
that.
Elasticsearch
is
rich
in
api,
so
utilizing
those
you
can
ingest
data
in
every
way.
C
So
in
this
lab,
we'll
use
the
inbuilt
elasticsearch
solution
like
beats
and
logstash,
so
we'll
be
leveraging
that
and
then,
once
the
data
is
ingested,
it
will
get
stored
inside
your
elasticsearch
mission.
Right
elasticsearch
is
like
a
data
store,
and
then
this
kibana
is
the
ui
layer
of
the
stack
that
will
pull
and
query
the
data
that
is
available
inside
your
stack
right.
So
that's
the
main
purpose
of
kibana.
C
Once
if
you
see
we
have
various
inbuilt
features
built
on
top
of
kibana
like
discovering
your
data
right,
so
in
your
environment,
you
might
not,
you
might
have
the
sample
data.
If
you
have
added
or
in
the
lab
3,
we
will
be
doing
wind
lock,
beat
installation.
So
once
you
install
this
wind
lock
bit,
you
will
have
so
many
data
scrolling
up.
You
can
search
across
this
data,
for
example,
process
dot
name,
so
it
automatically
helps
you
with
auto
completion
and
auto
suggestion
right
so
process.
Dot
name
is
powershell.txt.
C
So
if
you
click
on
update
in
couple
of
seconds,
it
should
crawl
across
all
your
data
and
it
is
giving
you
151
hits
that
relates
to
process.
Dot.
Name
is
powersteel.exe.
In
this
way
you
can
search
across
your
data.
So
if
you
expand
this,
you
have
all
your
particular
document
particular
event:
details,
host
details,
process,
details,
network
details
and
everything.
C
C
Oops
process,
dot,
name
yeah,
so
you
can
add
this.
You
can
put
it
in
various
way.
Something
elastic
search
is
very
rich
is
visualization
right,
so
visualize
the
data,
so
it
automatically
take
you
to
something
called
visualization
library.
So
now,
let's
remove
this
filter
click
update
so
that
it
will
pull
all
your
process
right,
not
just
powershell,
so
it
automatically
creates
visualization
for
you
in
a
fraction
of
seconds
right,
not
just
single
visualization.
C
It
provides
you
some
suggestions
like
you,
can
keep
it
in
the
pie.
Chart
you
can
keep
it
in
the
stack
bars
or
something
like
that
right
and
then
you
can
increase
your
things
like
even
dot
module,
something
like
even
dot
module
right.
You
can
drag
and
drop
just
in
the
drag
and
drop
it's
going
to
provide
you
a
different
visualization
base.
Right,
like
it's
going
to
give
you
all
the
meaningful
informations.
C
Process
across
events,
even
modules
right,
you
can
automatically
add
it
to
a
dashboard
or
create
a
new
dashboard
or
don't
do
anything
right,
just
create
a
visualization
library.
So
you
can
have
all
sorts
of
thing.
You
can
create
a
tag
for
your
visualizations
like
easy
case.
Sim
is
what
I'm
going
to
create
as
a
tag
so
yeah
you
can
create
a
new
dashboard.
So
if
you
click
on
save
and
go
to
dashboard,
it
will
automatically
take
you
to
the
dashboard
and
it
will
pull
up
your
visualization
here.
C
So
can
I,
you
can
add
multiple
visualization
into
a
dashboard.
Let's
save
this
dashboard
like
eck,
sim,
dashboard
right.
So
I'll
put
the
same
tag.
If
I
want-
or
I
can
have
obvious
descriptions
and
everything
so
once
it
is
saved,
then
this
dashboards
can
be
scheduled
into
reports
and
various
things
right
like
you
can
have
like
you
can
create
into
apis.
You
can
create
into
reports,
pdf
reports
and
all
sorts
of
things,
so
you
can
have
add
multiple
visualization
to
a
single
dashboard
and
then
populate
inside
your
screen.
C
You
can
keep
it
in
full
screen
mode.
You
can
do
all
sorts
of
things,
so
everything
if
you
see
I
did
it
in
fraction
of
seconds.
There
is
no
a
big
data.
Scientist
team
needs
to
be
involved.
So
if
you
see
we
have
a
dedicated,
visualization
library,
dashboard
elasticsearch
automatically
helps
you
to
operate
across
your
data
sets
right.
You
found
you
find
something
you
found
something
as
a
data.
You
wanted
to
visualize
it
you
created
visualization
directly
and
then
from
that
visualization.
You
created
a
dashboard.
C
All
the
things
is
available,
so
even
elasticsearch
provides
pre-built
dashboards
for
you
right.
I
injected
windows
data
from
windows,
machine
which
we
are
going
to
do
it
in
lab3.
Once
you
do
this
lab3
once
you
do
windlock
beat
setup,
it
will
automatically
create
all
these
index
patterns,
dashboards
and
everything.
So,
let's
say
wind
lock
bit
overview
right.
This
is
a
pre-built
dashboard
automatically
elastic
search
creates
for
me.
So
that's
cool
right,
so
I
can
start
from
here.
I
can
increase
my
investigations.
C
I
can
do
all
sorts
of
things
if
you
see
put
it
in
edit
mode.
Add
from
library
we
did
something
like
process
right.
We
created
something
like
process
across
event,
modules
that
visualization
can
be
added
here
to
my
pre-built
dashboard
or
I
can
create
my
own
dashboard.
So
you
have
the
ability
to
play
around
the
data.
Skies
are
the
limit,
so
you
can
do
all
sorts
of
things.
C
So
this
is
fine
playing
around
the
data.
Creating
visualization
soft
dashboards
and
everything
is
fine.
You
have
inbuilt
machine
learning,
geospatial
analysis
and
all
sorts
of
things.
So
that's
the
next
use
case.
How
about
playing
around
security
elasticsearch
has
an
inbuilt
security
tab
inside
kibana.
That
starts
with
overview
tab
right
so,
let's
say
last
24
hours
or
so
so
elasticsearch
provides
an
overview
tab.
That
starts
with
kind
of
talks
about
your
elastic
security
detections.
C
If
you
have
external
alerts,
kind
of
events,
recent
case
management,
recent
timeline-
and
importantly,
it
also
updates
security
news
to
you
as
an
analyst
when
I'm
working
on
a
tool,
it
is
important
to
keep
myself
up
to
date
on
the
tool
which
I
am
working,
so
it
provides
all
the
security
news
for
you,
like
recent
blogs,
webinars
feature
releases
related
to
elastic
security
right,
so
I
can
understand
there
is
some
new
blog
written,
like
problem
child,
detecting
living
off
the
land
attack
using
elastic
machine
learning.
So
I
can
understand
what
this
new
feature
is.
C
What
this
new
blog
is.
I
can
put
it
in
my
system,
all
sorts
of
thing,
and
then
it
has
a
detection
page
that
talks
about
all
your
detection
alerts
and
then
host
tab.
It's
a
pre-built
host
app
talks
about
your
host
that
you
are
integrating
with
elastic
stack
right
that
the
data
which
you
are
ingesting
so
in
in
our
case,
we
have
one
host.
You
have
all
these
details
right.
What
is
the
operating
system?
Everything
is
pre-built
for
you,
it
automatically
providing
you
all
the
details.
C
If
you
see
our
lab,
this
particular
stego
lab
is
running
in
aws
environment,
so
you
it
automatically
pulls
what
cloud
provider
it
is.
What
is
the
region
and
everything?
Right
importantly,
it
automatically
pulls
uncommon
process
for
you.
So
I
could
understand
there
is
some
uncommon
process
running
in
my
environment.
So
let's
say
I
have
like
powershell.exe
that
has
like
bypass
argument.
So
that
is
something
suspicious.
Why
should
my
environment
have
powershell.txt?
C
This
is
what
we
are
going
to
do
in
lab
2
I
mean
lab3
just
drag
and
drop
in
the
bottom
called
timeline.
We
have
something
called
timeline,
that's
very
cool
right.
I
just
dragged
and
dropped
inside
a
inside
this
timeline
and
if
you
click
on
this,
it's
going
to
pull
all
my
data
related
to
powershell.exe.
C
C
C
You
have
all
these
field
here
right
so,
let's
say
process
dot,
name
right.
I
can
click
on
this
or
process
dot
arc.
I
can
click
on
this,
something
like
that
right
process,
dot,
parent,
all
all
sorts
of
things
right.
I
can.
I
can
add
these
things
here
to
understand
more.
What
you
can
do
is
click
on
this
view
details
it
will
give
you
all
the
details
about
this
particular
event.
What
are
the
agent
details?
C
What
are
the
cloud
details
host
details,
process
details,
file
details
if
it
is
a
network
related
event,
it
will
give
you
more
network,
related
details
and
everything
right.
So
let's
say
I
wanted
to.
I
also
add
trust
parent
process
details.
Click
on
this.
It
automatically
adds
your
tabular
column
right.
So
that's
something
cool,
add
parent
process
name,
so
you
can
do
all
sorts
of
thing.
If
you
want
you
can
keep
it
in
json
view.
C
If,
if
that
helps
you
so
there
are
people
who
understand
json
more
than
the
tablet
column,
so
you
can
have
json
view.
We
can
start
investigating
further
right.
So
if
I
want,
I
can
put
it
in
unconditional
or
condition
just
drag
and
drop.
I
can
increase
my
investigations
to
have
a
complete
stock
workflow.
What
you
can
do
is,
you
can
add,
investigation
notes
to
it.
So
that's
cool
right
this.
This
suspicious
oops.
C
Definitely
not
auspicious
it's
a
suspicious
powershell
event,
so
I
can
add
all
sorts
of
links
gifs
or
whatever.
It
is
right.
It
supports
markdown
language,
so
I
can
add
investigation,
notes
and
then
save
this
investigation.
However,
I
want
right,
like
demo
investigation,
so
once
I
save
this
investigation,
I
can
have
more
shock
operational
workflow.
What
I
mean
is,
you
can
attach
it
to
inbuilt
case
management
workflow.
So
that's
the
secops
we
are
talking,
so
you
started
with
discovering
your
data
ingesting
the
data
searching
the
data.
C
C
Once
you
find
something
suspicious,
you
can
add
notes
about
your
investigation
and
then
to
give
you
a
complete
security,
operational
workflow.
It
has
an
inbuilt
case
management,
workflow
right
case
management,
feature
inbuilt,
so
you
can
add
case
right
case:
zero,
zero,
one
malicious
oops,
sorry
case:
zero,
zero,
one,
malicious
event.
C
A
A
So
if
you
are
building
a
secops
platform
or
devsecops
platform,
or
if
you
want
to
do
a
lot
of
abstract
work
as
well
or
looking
forward
to
build
your
career
in
this
area,
in
fact,
a
lot
many
people
work
full
time
on
cases
like
like
they
go,
go
to
the
office
and,
like
you
know,
you
kind
of
like
start
working
on
only
cases
which
is
also
the
same
with
a
lot
of
sre
job
rules
as
well,
so
basically
yeah.
A
So
that's
why
this
is
very
important,
even
though
it
looks
like
trivial,
but
but
it's
kind
of
like
very
important,
because
the
next
step
next
step
we
are
going
to
show,
we
will
install
some
agents
and,
like
you
know,
push
data,
it
looks
easy,
but
then
like
what
to
do,
how
do
you?
How
do
you
navigate
it?
How
do
you
add
stuff?
So
those
are
the
things
that
are
important.
Yeah
and
yes,
I
mean
right.
C
Yep
yep,
so
that's
what
right
like
as
harvin
said
this
might
be
looking
like
a
demo
same
thing,
which
you
are
going
to
do
in
lab
3
and
lab
4..
We
are
going
to
ingest
data.
We
are
going
to
play
around
these
things,
so,
as
lab
2,
I
just
showed
you
how
to
explore
things
right
so
once
with
proper
licensing
setup,
what
I
mean
is
like
we
have
like
platinum,
license
and
other
things
with
that
you
could
connect
your
have
some
external
connection
like
servicenow
and
other
things.
C
So
that's
that's
not
with
this
particular
lab
intention.
So
let's
not
go
to
this
licensing
stuff.
Let's
keep
to
a
community
way
and
then
like
similar
to
host.
You
have
pre-built
network
tab
talking
about
it
starts
with
maps
right.
If
you
have
enabled
geospatial
analysis
which
we
can
do,
that's
the
that's,
but
that's
not
the
part
of
this
lab
connect
with
me
and
irvine.
C
We
can
help
you
in
geospatial
analysis,
so
it
provides
you
which
source
to
which
destination
you
have
all
those
connections
and
everything,
and
then
it
automatically
shows
you
all
the
top
talkers
right.
What
are
the
source,
ips
and
top
source
ips
in
last
24
hours?
You
can
go
back
and
forth
with
the
time
like
last
seven
days
or
whatever.
It
is
right.
It's
going
to
pull
you
all
these
details
like
what
are
the
different
dns
data
connected
to
you,
so
I
have
something
like
with
your
face.com
connecting
to
138
queries
of
dns
connection.
C
That
is
something
suspicious.
So
what
I
can
do
is
create
a
new
timeline
for
my
investigation,
close
it
just
drag
and
drop.
So
that's
going
to
give
me
all
the
details
about
my
that
particular
dns
domain
right.
So
that's
something
cool
you.
We
have
various
pre-built
things
to
kick
start
your
investigation,
so
these
are
always
like
proactive
investigation
for
retrospective
detections,
like
you
have
an
inbuilt
detection.
Engine
elastic,
provides
pre-built
detection
rule
right
like
let's
load
this
like
once
you
go
to
this
detections
tab
and
then
create
manage
detection
rules.
C
Elastic
provides
like
500
plus
out
of
the
box
detection
rules,
like
let's
click
on
this,
so
in
a
fraction
of
a
second,
it
will
automatically
load
from
the
elastic
side
and
it
will
put
it
into
your
cluster
and
it
will
load
like
500
plus
out
of
the
box
rules
shipped
for
you.
So
that's
very
cool
right.
You
can
immediately
kick
start
with
your
detections,
so
in
lab
before
lab
3,
what
we
are
going
to
do
is
we
are
going
to
load.
This
rule
click
on
powershell.
C
This
might
not
be
in
your
lab
deck.
So
please
look
into
this.
This
might
not
be
in
your
step-by-step
procedure,
so
this
is
an
additional
procedure.
I
wanted
you
to
do
once
you
do
lab
two
in
the
lab
three,
I
mean
the
lab
four.
What
you're
going
to
do
is
load
this
pre-ability
detection.
Rule
click
on
powershell
click
enter,
so
there
are
various
powershell
rules
available
for
you.
What
we
are
going
to
do
is
we
are
going
to
enable
this
windows
script
executing
powershell.
C
We
are
going
to
enable
this
just
enable
this
rule
right.
So
after
enabling
this
rule,
we
are
going
to
detonate
a
mock
malware
and
so
that
your
detections
can
automatically
detect
and
trigger
an
alert.
So
that's
what
we
are
going
to
do
so
yeah
so
I'll
stop
it
here
play
around
this.
There
are
so
many
features
beyond
what
I
have
explained.
So,
let's.
A
Proceed
with
lab3
yeah.
I
just
want
you
to
show
also
this
thing,
because
I
think
a
lot
of
people
are
either
coming
from
the
ops
world
or
also
like
our
developers
interested
to
learn
security.
I
guess
so.
The
profile
is
like
that.
I
don't
know
before
the
workshop,
but
I
guess
so
so
if
you
could
remove
no,
no
just
go
to
the
same.
F
A
C
A
Yeah,
so
I
am
not
sure
yeah
so
so
so
there
are
some
rules
which
are
abstract
specific.
I'm
not
sure
why
it
is
not
loading,
but
you
also
find
application
security,
specific
close
suppose
if
you
are
monitoring
your
application
and
then
like
you,
want
to
do
some
ois
specific
detection,
http
code
detection,
someone
is
trying
to
bomb
your
apis.
Do
a
lot
of
these
things
right,
so
you
could
do
all
of
that.
If
you
are
on
some
cloud,
I
guess
aaron.
You
could
also
show
that
aws
rules.
A
So
if
you
are
on
cloud
and
one
is
doing
aws
related
stuff,
like
you
know
some
some
problem
like
you-
have
aws
sc
bucket
getting
deleted
without
you,
your
action,
so
some
some
stuff
like
which
is
which
is
more
falling
into
the
asset,
tracking,
continuous
monitoring
and
visibility
and
a
lot
of
this
cloud
stuff
there
are,
I
think,
more
than
70
aws
stuff
itself.
So
so
you
could
go
and
look
at
all
of
that
as
well.
So
this
is
a
useful
stuff
to
use
in
your
daily
work.
A
You
will
see
a
lot
things.
I
have
seen
a
lot
of
things
that
I
don't
know
that
okay,
this
is
happening
in
my
environment,
okay,
so
so
that
is
interesting.
So
I
want
we
want
you
to
like
kind
of
explore
this,
take
a
look
at
this.
What
and
all
is
there-
and
also
I
see
there-
is
something
called
credential
access
as
well.
Okay,
haran
is
saying
something:
okay,.
C
Yeah,
what
what
I
want
to
do
is,
apart
from
this
500
plus
rules
right,
we
are
also
having
a
lab
where
you
will
be
creating
your
new
own
rule,
so
that
is
also
important
right.
Every
environment
has
their
own
environmental,
specific
rules,
exceptions,
you
can
add
false
positive
examples,
exceptions
and
everything.
C
So
if
you
see
we
have
mapping
with
proper
what
is
ttp
means
technic
and
tactic
procedures,
so
we
are
mapping
with
proper
technique
and
tactic
procedures.
Beyond
this,
you
can
also
create
your
own
rule,
and
this
own
rule
can
also
be
mapped
with
a
technic
and
tactic
procedures
right.
So
let's
say
I
investigated
something
so
import
query
from
your
saved
timeline
right.
C
I
investigated
something
I
saved
into
my
timeline,
so
I
wanted
to
put
that
into
a
rule
right,
so
I
can
investigate
that
so
I
can
assign
as
in
severity,
I
can
assign
a
risk
score
for
my
rule,
so
I
can
do
all
sorts
of
things
in
the
advanced
setting.
I
can
add
false
positive
example.
Reference
url
for
this
rule.
Importantly,
I
can
add
my
tier
more
than
one
or
more
than
one
might
be
a
technical
tactic
procedures
so
that
I
can
take
my
cyber
security
to
a
much
more
mature
curve
right.
C
I
can
understand
this
level
of
this
particular
alert
is
related
to
such
attack
technique.
Such
attack
tactic
so
that
my
analyst
will
understand
what
how
to
interpret
that
log
how
to
investigate
further.
What
are
the
informations
right
so
everything
you
can
add
some
investigation
guides
for
your
analyst.
You
can
provide
your
rule,
names
and
everything
right
and
then
importantly,
you
can
schedule
it
and
then
the
coolest
part
is
you
can
have
various
inbuilt
notification.
You
can
have
email
notification
ibm
resilient
or
you
can
connect
with
slack
webhook
apis
or
whatever.
C
It
is
right,
so
you
can
have
all
these
things
available
for
you
cool.
So
that's
pretty
much
about
exploring
kibana.
There
are
more
things
you
can
explore
on
your
own.
I
think
we
are
running
out
of
time.
So,
let's
proceed
with
the
lab
3
lab
2.
You
can
play
around
at
any
time.
So
where
do
I
have
my
lab?
3
yep,
so
lab
2
is
exploring
kibana.
So
even
after
this
session
you
can
play
around
your
kibana.
Then
let's
go
for
lab
three
ingesting
data.
A
Yeah
any
questions
till
now.
Anyone
so
please,
please,
let
us
know
we
are
happy
to
help.
A
A
I
will
do
that
yeah.
Some
people
have
problems
with
the
yeah.
Some
people
have
a
problem:
how
to
access
the
keyboard
unable
to
get
so
just
see
you
might
be
accessing
without
five
six
zero
one.
Just
just
add
your
port
and
then
and
then
like
you,
will
be
able
to
get
the
dns
colon
port
enter
elastic,
is
the
username
and
password
is
echo
password
that
you
get
okay
joshua.
You
have
a
question
like
how
kibana
is
different
from
grafana,
whether
it
is
similar
to
grafana
or
both
serves
different
purpose.
A
So
grafana
is
also
a
visualizer
like
kibana,
but
grafana
has,
like
you
know,
can
can
talk
to
multiple
data
stores
and
that's
not
a
bug.
That's
a
feature
and
kibana
is
talks
to
elasticsearch
and
kibana
is
also
like
maturing
to
become
more
of
like
an
ui
on
top
of
elasticsearch,
which
can
do
a
lot
of
stuff.
We
have
an
active
partnership
with
grafana.
A
There
is
an
elasticsearch
plugin
being
built
by
grafana,
I
mean
grafana
and
elastic
devs,
and
we
look
forward
to
like
you
know,
do
more
on
grafana
as
well.
So
that
is
something
that
we
are
looking
to
do
things
as
well.
H
A
So
so
in
in
a
nutshell,
like
you
know,
both
are
ui
engines.
Both
does
same
stuff.
Both
are
equally
capable,
not
something
no
shayshank.
I
guess.
If
you
have
problems
like
you
know,
it
is
not
that
one.
So
let
me
share
my
screen
and
show
you
that,
okay,
let
me
just.
G
A
A
Okay,
I'm
just
I'm
just
refreshing
my
screen
so
that
I
get
instructor
permission
so
that
I
could
help
you
all
okay,
so
you
should
go
you
all
should
go.
If
you
have
problems,
don't
go
to
the
ip
board
with
the
machine
info
public
dns
colon,
this
colon
5601
is
the
one
and
you
have
to
give
https
https
colon,
slash,
slash
your
public
dns
colon
5601
is
your
place
where
your
kibana
can
work.
A
C
Perfect
so
yeah,
let's
start
in
just
let's
start
ingesting
some
data.
C
So
what
we
are
going
to
do
is
we
are
going
to
skip
these
two
slides
like
setting
up
audibit
incentives,
because
we
are
running
out
of
time,
so
we'll
focus
on
setting
up
bin
log
beat
in
windows
because
that's
where
we
are
going
to
detonate
malware
play
around
those
security
analytics
and
everything
you
can
come
back
to
this
27
and
28
slide
later
you
have
access
and
then
you
can
install
audit
beat
and
see
how
the
logs
look
like
audit
data
file,
integrity,
create
visualization
and
everything
so
27
and
28
is
for
self
play
so
play
around
those
centos
mission.
C
Now,
let's
proceed
with
slide
29
if
possible,
follow
with
me,
but
no
worries.
If,
if,
if
you
feel
following
up
is
little
kind
of
an
hectic
for
me,
please
observe
and
then
we
will
stop.
We
will
have
some
time
for
everybody
to
be
on
same
page,
so
what
we
are
going
to
do
is
we
have
a
windows,
vm
and
I
have
already
put
up
a
system
setup
script
inside
elastic
folder.
So
if
you
go
to
that
folder,
we
are
going
to
install
the
system
setup.
C
What
this
script
will
do
is
it
will
install
all
the
necessary
applications
for
us
for
this
particular
workshop,
so
it
will
install
the
windlock
beat
it
will
install
sysmon.
It
will
install
notepad
plus
plus
for
it
for
us
to
kind
of
edit
the
configuration
file
and
everything.
So
let's
do
that
go
to
strigo.
C
C
Powershell,
so
it
will
automatically
open
you
in
users
administrator
column.
Now,
let's
do
cd
elastic
right
once
you
oops
sorry,
cd,
el
elastic
right.
So
once
you
put
cd
space
e
capital
e
small
l
tab,
it
will
provide
you
elastic
or
copy
paste
from
the
document
copy
paste
from
the
deck.
So
we
are
going
inside
the
elastic
folder
and
there
you
could
see
a
setup
script
right.
So
if
you
do
yes
system
setup
right,
sis
tablet
column.
So
you
will
provide
this
particular
thing.
So
please
proceed
with.
C
I
have
already
installed
this
script,
so
I
am
not
going
to
click
enter,
but
this
is
what
you
are
going
to
do:
go
to
elastic,
folder
and
run
this
system
setup
script.
If
you
want,
you
can
go
to
this
particular
thing.
Just
copy
paste,
this
cd
and
the
second
command
is
just
copy
paste
this
and
it
will
run
it
will
take
couple
of
minutes
and
it
will
run
everything
and
it's
going
to
set
up
for
you
once
it
once
that
is
run.
C
You
can
go
to
this
folder
right,
go
to
windows,
column,
users,
administrator
and
inside
administrator.
You
will
have
this
folder
called
elastic
once
you
run
this
setup
script,
it
will
install
all
these
things
like
win
lock
bit
and
it
will
automatically
unzip
for
you.
It
will
install
your
system
on
installation
and
it
will
install
notepad
plus
plus,
and
it
will
install
your
mock
script
and
everything.
So
this
is
what
we
are
going
to
do
like
a
system
setup.
C
So
let
me
pass
here
for
two
minutes
and
you
can
proceed
with
that
system
setup
and
let
me
know
if
you
have
any.
C
Okay,
okay,
so
what
it
does
is,
once
you
run
this
system
setup
script.
If
you
go
to
windows
users
administrator,
I
mean
the
c
colon
users
administrator
inside
that
you
will
have
a
folder
called
elastic.
That's
where
we
ran
this
system
setup
script
once
you
run
the
script
once
it
is
successful
you
it
will
download
windlockbeat,
sysmon,
notepad
and
my
mock
script.
It
will
do
all
these
things
and
it
will
also
unzip
for
you
unzip
your
wind,
lock
bit.
For
you
I
mean
this
is
nothing
related
to
elastic.
C: Perfect, so we have a question like: in your experience, does analyzing security with Elastic require a dedicated person on the team? For example, our team is small, less than 10 people. I mean, in my experience, 10 people is really one of the big teams. In many security places there are teams with four people, five people, three people, so 10 people is really a very good team.

C: One of the important features within Elastic, or one of the important pillars we talked about at the talk track with Elastic, is enabling every security analyst. So that's why we wanted to give all these pre-built things, right. It automatically gives you pre-built dashboards, detection rules, uncommon processes, network view, host view and everything that reduces the MTTD of your security analyst. What I mean is the mean time to detect of your security analyst, right. So that's why even a smaller team can quickly get started with doing security analytics with Elastic.
C: Okay, bear with my capital H, so what we are going to do is we are going to go to this Elastic integrations page. We have a dedicated page called Integrations that has all the modules available for you today. It's a continuously growing library, right, even you can start with your Kubernetes, monitoring your Kubernetes containers, right, like you can monitor your fluency. You can monitor your Kubernetes metrics, logs, controller managers and everything, right.

C: So we have a dedicated integrations page that talks about what are the out-of-the-box data shippers, log shippers, metric shippers available, not just from a security perspective, from an infrastructure perspective, even for your cloud and everything, right. So we have various things. I think that answers your question.
C: Okay, so with the interest of time, let's get to the next step. Once you do this system setup, hope everybody is on the same page and you have all these things getting installed. Hope the script works. Good, next thing is: let's do the Sysmon installation. Just do this thing, right? What do I have as a next step? Yep, just copy paste this, install the Sysmon.

C: It will just get installed in a couple of seconds, nothing to do from our side. It automatically gets installed and configured. So I have it scripted, everything. This is outside Elastic, right. So that's why I have scripted it. So for people who don't know what Sysmon is, Sysmon is another open source tool created by a project called Sysinternals from Microsoft.

C: So it's an open source tool that provides you additional event logging capability. It automatically monitors your processes, networks, registries, security events and all sorts of things. So it's an additional unit, additional agent, open source agent available from Microsoft itself. I mean, it was originally created by a project called Sysinternals. Then Microsoft acquired it. So it's a very old project, but it's a very famous project from the security side.
C: So we have some question from Girish, so Girish, I'll come back to you on that question. Meanwhile, Aravind will look into that question. With the interest of time, let's get started with this workshop, and definitely we will speak about that particular pods question. Just give me a sec, okay. So let's go back to this Strigo, let's install this Sysmon, so once you click on this script, everything will be getting installed. After Sysmon, we are going to install Notepad.

C: I know these are additional steps apart from this Elastic. Why we need Notepad is to edit, easily edit, a Winlogbeat configuration file, right. So that's why I wanted to give you this Notepad, so go to the next step as well. Click on this particular exe file from the Notepad++ installer. It will open a UI for you, click next, next, next and start installing the Notepad. That's all!
C: What do you mean, like after running the setup script you don't find any details there?

C: Perfect, so you'll get a UI, just click on next, next, so it will install Notepad. So that's fine! Now we have the system setup. We have Winlogbeat installed, I mean not installed, just downloaded. Now we are coming to the Elastic part of the thing. We are going to install Winlogbeat. So that's what this third step is. So if you could see my screen, this third step is go to cd, Winlogbeat, this folder. So let me go to my Strigo.

C: So if you see, we have this folder, right, so inside this PowerShell we are going to go to cd, Winlogbeat folder, click enter. We are going to go to this folder and then Winlogbeat will have its own installation script. We are just going to run this script. That's all. This is from Elastic. So once it is, this is how you install Winlogbeat. So yeah, install the Winlogbeat.
C: Once the Winlogbeat is installed, it will automatically be in the stopped state. So let it be there. What we are going to do is we are going to navigate to that particular Winlogbeat folder, click on this winlogbeat.yml file, right click, edit with Notepad++, right, so that we can easily edit it. So that's why I wanted you to install Notepad++. So the first thing we are going to do is we are going to do the setup.kibana. So you will have something like this.

C: You will have something like host localhost, something. What you are going to do is you are going to uncomment it, put your domain name, which is already inside your Kibana, right. So this one, you are going to put this up to this. We are going to put this inside this Kibana host, and then you also need to add this particular ssl verification mode and none under it, because in production you might not need it here.

C: We need it because, as I said before, we are not configuring SSL certificates, so for this particular host to connect with Kibana without a certificate, you need to bypass that. That's all. One thing I wanted to provide you is: please observe, in this particular Strigo machine, you can leverage this particular clipboard, keep it open. So let's say I wanted to copy from my browser, right. So this one, copy from your browser, go to Strigo and put it in the clipboard, keep it open.
C: All right, so I have also put this, I'll also put this particular thing in the chat. If you want, it's already available in the document, but still you can.

C: Yep, so this one, after setting up the Kibana, scroll a little bit down. Here is where we are going to configure the Elasticsearch output. So you have, if you go to this Kubernetes machine, go to this machine info. You have the DNS name, you have the public IP and everything, right. Take this public IP, copy paste it, go to this Win machine, use the clipboard and then put it in the host, right. The 9200 will be automatically available.

C: If you want, you can put that, it will be automatically available, and then uncomment this protocol, because by.
B: We are matching that state now. If one pod dies, what happens now? My count is now matching, right now, in both the states desired is three, current is, they're not matching, which means I need to create one more pod, and that way I would get my desired and current in a matching state, and that is what a replica set would be doing for you continuously.
C: Automatically streamed to your Elastic. Before that, sorry, before that, we need to set up the Winlogbeat to create automatic index patterns, dashboards for you, right. That's what this pre-built thing is. So if you go to this thing, if you go to the next deck, I have.

C: winlogbeat.exe setup: that's all this will. What it will do is it will connect to your Kibana. It will connect to your Elasticsearch automatically. It doesn't necessarily need your service to start or stop, nothing to do with your service. You can do it after or before, no problem. Once you run this setup, it will automatically load your index, load your dashboards, and if you have a platinum license, it will also load your machine learning jobs. We also have pre-built machine learning jobs created for you, to load your index lifecycle policy and everything.

C: So I mean, I think, recording is stopped or restarted. Yeah, I think recording is resumed.

C: Okay, so hope everybody is on the same page. After installing Winlogbeat, edit the file, edit the Kibana settings and Elasticsearch setting, and then run this winlogbeat.exe setup. This setup command will help you to automatically create your index pattern, dashboards and everything. Everything can be done manually also, but why should we do it manually when there is a command like this? Yeah, after that go to Services and start your Winlogbeat. Once you start it, the data should get streamed to your Elastic cluster.
A: I guess he is talking about the Kibana thing. Did we also configure the Kibana host? No.

C: Yeah, makes sense. I think his error is he has given http, yeah.

E: I'm able to see, perfect, perfect, okay.

A: So please don't use the other IP. Why are you using the public IP? Please use the DNS itself. If you are using DNS, I guess it resolves well with the lab environment.

A: Something that is not DNS, so what are you using, Haran?

C: No, in Elasticsearch I am using the public IP, that works for me and as well as for many people, so I think that should be fine, but his error is like the Elasticsearch is not responding. I think the Kubernetes machine is either not running or something like that, yeah. We have to check that, because in that machine only Elasticsearch is installed and it needs to respond.

A: I'm seeing your lab, just give me a moment. Yeah, it is right.
C: And Sari also has the same error as Nikon's, okay, so meanwhile Arvind will be working on these two errors. I think some other people have also already configured, so anybody else, please provide plus one if you are seeing the data getting streamed.

C: Thanks Shashi, everything is cool. Okay, so you can play around with that data, right. You can see the data, there are default config, default dashboards and everything. So that's what we ingested, data. Next thing, what we are going to do is now we are going to the interesting topic, like security analytics with the data which we are streaming. So just to give you a background about this particular script, or this particular malware, is that in the real campaign there was an APT group called Helix, right. They called it APT34.

C: The payload was delivered to victims by a phishing email, and that phishing email will have a Word document. Once you click this Word document, that Word document will have an inbuilt macro attached to it. So once you click that Word document, the macro will automatically get triggered and that will connect to a malicious domain, connection, CnC connections, and it will do all kinds of trouble to your host, right. So that's what it does. So in this lab, what we did is we wanted to mock that particular APT-34.
C: So it's a simulation of macro activity. So inside your elastic folder, so come out, go to your elastic folder. You have this apt-34.ps1 script, just run the script. That's all. It will do all kinds of mock macro activity, and then we can start analyzing inside our Kibana. We can do detection rules and everything. So one thing before that, let's enable the pre-built detection rule, and enable the PowerShell detection rule, so go to Elastic Security, Detections.

A: Yeah, for Harsh, I guess please see the time period, like what happened. If you could go to the Discover, and he selected the time period, right, so just see if you could see the time period, which is what, last 7 days or 24 hours or what it is.

A: That is one thing, and if no errors are, just see if there is any error on your console, whatever you are trying to do, so that is there. And for Nikon, I guess you are seeing a different public IP for the CentOS machine, I guess you are seeing. Let me find out for you, because I could also see your lab and see what is the machine, why it is showing.
E: I think, I think I got it, like the problem was because I was checking the public IP from the Win machine and not from there, correct, yeah.

C: So, basically now it works, okay, okay, perfect! So, basically, you understand the concept, right: Windows machine, Winlogbeat is trying to connect to the Elasticsearch that is installed inside your Kubernetes machine. So you need to provide the public IP of your Kubernetes. And then for Harsha, unable to get the data in Kibana. So if you ran winlogbeat setup, if it didn't show any error, if it was successful, please check if you have enabled your Winlogbeat service. By default it will not start. You need to start your service.

C: No, like you can go, you can go to the Services, search for Winlogbeat, just start the service. That's all! Okay.
C: Yeah, yeah, many people might miss this after running the setup command. If it didn't show an error, everything is good. You can go to this Winlogbeat and start the service, and there are a few test commands also. Apart from this workshop, I just wanted to tell you, so in every Beat, right, there is a test config command, like test config. It will take your default configuration which you did, and it will tell whether there are any errors or not. It will even tell on which line.

E: That I think I missed, what kind of service we need to start, Winlogbeat, right?

C: Sorry about that, if you feel we are rushing through, so let me know if you have any questions, if you need any assistance, we can definitely get through it. Yeah.

C: Yeah, I think there might be a problem with your Elasticsearch connection. Can you provide, I mean, Aravind, can you see his file? I'll continue.
A: His mistake, see, I am telling you everyone, I think Haran, can you please kind of like click on the settings bar? Okay? Okay, this is the important thing. So you have one Kubernetes machine where Elasticsearch is running. That type is the IP, and the other one is the CentOS machine, and yeah, the other one is the CentOS machine, the other one is the Windows machine, right. You have to connect, stream your data to the Kubernetes machine, so the Kubernetes machine IP is the IP that you need to use in all your configuration.

A: So you are using the wrong IP, like you know, Joshua, just see, just give the right IP.

A: So folks, I guess you are seeing the details, I mean information, in the Kibana, please keep plus one. If so, we could go ahead and talk about the next stuff again.

A: Yeah, I guess still some more people to do that. Yeah, we'll wait for a minute or so, just keep that please. As soon as you are done, please put plus one in the chat. Okay, yes Harshi! I think next is running APT.
C: Yeah, so Harsha, before running the apt-34, to see the detections, right, like we have an inbuilt rule, go to Security, Detections, click on Manage detection rules and then load all the pre-built rules. So if you see in my demo, I initially loaded my pre-built rules, right, so click on Load Elastic pre-built rules and timeline, click on that, it will load 500 plus rules for you. What I wanted to do is we wanted to enable this rule, so this will automatically trigger alerts for our malicious script.

C: Or you can click on this rule and then activate. Here you can do all sorts of, you can understand what this rule is, what query it is taking, which index it is taking, how far it is scheduled and everything, what is the MITRE ATT&CK mapping, all sorts of things, right? You can understand about this rule. If you want, you can duplicate the rule, clone it, edit it. You can do everything in your production.

E: So, so basically, so this.

E: We are like looking into the PowerShell, like more of this detection, is correct?

C: Right, like Elastic has various pre-built rules, like network, host, PowerShell, AWS, GCP, all sorts of related detection rules. In this lab, we are going to look into one of the PowerShell.
A: Take time but add everything, so I'm gonna ping that again in the chat, so take time, carefully add one more stuff, because we are missing some interest, important details, actually: okay, ssl verification mode, okay.

C: Yeah, yeah, so, as I said before, once again repeating, like you can go to Security, Detections, click on Manage detection rules and enable, load the pre-built rules. Once you load these pre-built rules, right, go to Detections, click on Manage detection rules, load the pre-built rules. Once you load, you will have 500 plus Elastic rules, search for Windows script or PowerShell or whatever it is, and especially just enable this rule, which I am putting in the Zoom chat.

C: After that, now let's go to the PowerShell, come outside, because our apt-34 script is inside the elastic folder. So what we are going to do is we are just going to run the apt34.ps1 script. That's all, just run it. Oops, what's wrong with that? Oh, I already, I have run it before. Just give me a sec, I'll delete that, see.
C: And then you have all the steps in, say, in the document to start analyzing it. So, as I showed in the demo, go to the Hosts, Uncommon processes. Try to follow the document. You will find all these powershell.exe in the first page or second page, drag and drop inside the timeline and start investigating, right. So it's completely your playground to start investigating, create a timeline, investigation notes and everything. So this documentation step is just a guide, but your imagination and limitation, I mean skies, are the limit, you can play around those.

A: So just try and let us know if you have any questions or like, you know, anything, so yeah.

E: Drag drop, so, like we selected the PowerShell.

E: At the bottom it shows a green bar, which says, and there I'm dropping it, and then it's like it's gone. So can you show it once again, how you drag drop that?
A: Yeah, so a lot of this depends on the Kubernetes nodes as well, so the Kubernetes nodes are some generation. So some of these you need to bring in the right type of hardware, based on what you want to run on Kubernetes. General purpose applications, it's fine, but data applications, if you want to run, then you need to bring in N2s in GCP, or then you need to bring in i3s, the i3 series, in AWS or Azure.

E: It seems like some issue with the UI: even after adding to the timeline investigation, it says edit PowerShell executor timeline and then nothing.

E: Process, right, and here, and this, right.

C: That, or try to drag and drop, because that is a little slow in this particular version. Okay, so you have already, you have various things added. So that's the problem.

C: Button, yeah, now drag and drop it.
A: Yeah, this is a new tool for a lot of analysts as well, so a lot, many people are also amazed about how quickly it is finding stuff, but also like it's a new learning curve. In traditional SIEMs or traditional SecOps platforms, which are quite old, I have worked on some, you could not imagine, it is not for the cloud world, so it is very different. Not able to see any hosts in Elasticsearch, so hosting Elasticsearch, I'm not understanding. What do you mean, if you are looking for your lab environment?

A: So you just click, it automatically reads from Winlogbeat, so whatever the data that you have, you don't need to select anything. If you're not seeing any data in that place, I think that is a problem that needs to be solved. We'll see, it will come to your screen as well, so we'll see that, yeah, Hosts, Uncommon processes.

C: Yeah, so what I mean is, so you could see that in the Overview tab, as the name suggests, it's just the overview telling what are the logs you are collecting, like from Auditbeat, Winlogbeat, what are the different modules available inside Filebeat and all sorts of things. If you want to understand, like you want to only for Winlogbeat, right. So let's say I am investigating a host, or even you can go to timeline, create a new timeline here.
C: You can just tell that event.module is something like that. event.module is just sysmon, right. You are going to pull only the Sysmon related events, something like that, right. So you can search across the data. What I mean by security app is searching across all data is, if you click on this all data source, you could see it is searching across all your data and as well as detection alerts. You can customize it, right. So you can customize it like you can only put the events.

C: I don't want to pull the alerts, or even inside the events I can, if I have multiple data sources I will have multiple things, right. I can pull across multiple things, all sorts of things, right, so I can do everything. So this is what I mean, like a security app will help you to pull data across all the data sets and you have the ability to narrow it down. So let's say you want to see only the Winlogbeat, right.
A: Audible, Aaron is saying that he is not able to see any data in the Winlogbeat when he comes under. Can you please share the screen? Okay, we'll see what is wrong. I guess Karthik, also something is wrong in your setup. Probably it is Winlogbeat is not running or something wrong. Probably, just let us see.

A: Just go to the Services in the Windows and see if the service is running or not. In the Windows you go to Services and see if it is running, yeah. Okay, can you share? Is it positive? I'm just sharing, I'm just sharing.

C: I don't know why you are not seeing any host. Can you change the time from today to last 24 hours or 15 minutes or something like that?

C: Okay, okay, setup, okay, setup enabling is finished! Okay, now let's go to Services, I mean click on the Windows icon in the bottom, in the bottom, click.

C: Services, yeah, so click, click and search for Winlogbeat.
C: Okay, go down. Go down a little, go down. Yeah, you will find Winlogbeat, yeah, yeah, click on Winlogbeat, yeah, you need to start the service, yeah. The Winlogbeat.

C: Yeah, a couple of seconds, go to Discover, I mean in the left, yeah, go to Discover, let's see if the data is getting streamed in, yeah. Let's wait for a couple of minutes, I mean a couple of seconds, sure, yeah. Now it should get automatically configured in your security app, okay, yeah, go to Overview, scroll down.

C: The YAML file just tells you which Elasticsearch to collect to, nothing to do with your security app. Security app is something inbuilt inside the Kibana only. But this is a little weird, so sorry about this. I need to check on this, like I'm seeing this for the first time, yeah.

J: No, even I don't have this available now here, I think myself and we both have the issue, right.
C: Yeah, like we are pretty much at the end of the things. I think we are running over time. So the next thing is like creating your security rules. So just to give you more feature things, what I added is I added a lab where you could create your own rule, so everything is self-explanatory. I mean everything is documented, so go to this detection engine, Manage detection rules, Create new rule and then follow these steps, so you could create a rule. Other things are optional settings.

C: You can leave it or you can edit it, and then, once you create this rule, go to this Windows VM, open PowerShell and run this command, right. What we did is, first, we created a rule for: whenever an event log inside my machine is cleared, trigger me an alert, right. That's what my rule is: it's a very simple rule. So to detonate that, we are just going to use this process, the wevtutil process, to clear the application log, system log and security log.

C: Yeah, maybe, maybe it's just taking time, taking time, that's all! Maybe the Kubernetes machine is very low memory, right, for this lab, so it's taking a little time. We.
A: Are running everything there, so let us see, I mean it should be fine. I have given, I think, maybe one gig or something, but let us see, Kibana should be fine. I guess you will be able to see once you load detections and all, you will be able to see. I am heading over to Shashank. You have the same problem, right? Okay, he's saying he'll join back in a minute.

J: Can see the hosts but data.

G: Back under hosts, there are no hosts itself showing. At least that should begin showing, right, before I can start seeing the events.

A: Let me share my screen: can you stop sharing your screen? Yeah? Okay, so this is Shashank's Kibana. Even I think yours is, your Kibana, and then, if you see here, we see some, we saw some events here at some point in time, but later nothing, but I see some Winlogbeat data. Okay.
A: I also see one host here. Let us, let us always put it like last 15 minutes so that you will see what is happening. Okay, and click on the host, and you will see details, okay. So something is wrong where it is saying you, you should also see what you call. I could see your Windows machine wherein the services should be running, that Winlogbeat, yeah, it's running, so you should see some more data. I don't know why it's not coming, but you should see some data.

A: I think something should be done, so I believe that for Shashank, I think your data is coming. You'll also see, okay, Discover.

A: So the reason why you might be seeing, you know, what you call, like nothing showing here kind of a thing, is because maybe it might be the reason that you didn't enable the detections. You need to click on Manage detection rules and, like you know, like you do all of that. That might help you, or if you enable the detections, maybe something will show up.
A: No, it is there, I think, just go to Hosts. Some people post this showing zero. I'm not sure if you are selecting last 10 minutes, make sure you do last 15 minutes or one hour and then see your data and stuff. It should work, I think, right. In Uday's host, I'm just saying, your host, see last 15 minutes, again, I'm seeing this data.

G: Okay, okay, okay, I don't know why. On my end, I don't know if I should reload the browser itself, because I'm not.

A: Yeah, yeah, so I'm doing it from your own lab, actually, okay, sure, okay, okay, and we can go ahead, I guess.

C: Yeah, we are in the final step, like what I did is, like, as I explained, create this rule, it should be very straightforward. I just created this rule and then, to detonate that rule, that rule basically what it does is it triggers an alert when an event log is cleared in the Windows machine. So this happens in many cases, right, like there are some malwares that will try to do some different salvation, right.
C: They try to delete their footprints, so they try to clear their event logs, application logs or installation logs, or something like that. So in that case it is good to have those alerts. So, just for the sake of this lab, you can manually delete these application, system and security events using this command in the PowerShell after creating the rule. If you do this, it will trigger a related query, related event, and, as per the rule, the rule will run by default every five minutes, right.

C: So once this rule runs every five minutes, you are going to get an alert. So this is how the alert looks like, so once the alert gets triggered, you will have this right inside your Detections page. You will have, like, that is one rule that got triggered, so you will see all these details. So if you click on this view details, you will have all the related details about this particular alert. What is this alert detail?

C: Severity, risk score, which host, which user and everything. If it is a threat intel related alert, you will have all the threat related information, and then you have all the details about this SIEM rule, like host. What is the SIEM? I mean signals means we, we call alerts like signals. So what is the signal origin? What is the signal parent process, or whatever it is, right, so you have all these details here to investigate further.
C: So it automatically takes my rule ID and gives me the related alert, so I can start investigating, or if I want, I can put it in progress, close the alert or, importantly, even directly from this alert I can attach it to a case or an existing case, right, so I can have all the security operations workflow, like: I found something related to my existing case, which I am investigating, so I can add it to my existing case. I can do all sorts of things, yeah, it automatically gets added.

C: So if I want, I can add some investigation notes to my alert, everything, yeah. So this is how you will be creating your alert, investigating your alert and everything. So I think that gave you a better idea, and hope you learned new stuff today, hope this session was useful. Let us know your thoughts, and happy to connect with you all in another session, with Elastic and with Kubernetes and other things. So thank you so much, over to Arvind, yeah.
A: So, for example, the lab will be there for the entire day and we are happy to help, so this environment will be there, and then, you know, the lab, I mean, you could also try the Auditbeat in CentOS step and try to get the data as well, so that will also follow, and actually that might be a bit easier for you to do stuff, but because we want to show you some live signals, etc.

A: So we are here, yeah, so that is the only thing. If you have any questions or like, you know, anything, please ask right now. I mean we're good to tell because, like, I think we took half an hour more than what we were telling, yeah. So, to join the community: we do regularly security related stuff, more things on this area. Not just this thing, there is EQL, there is other stuff, actually, so you could, and we also do it on the YouTube channel.
A: Live streams are happening all the time, so we are a global team. So this is the community YouTube channel, not the corporate one. So we do more stuff like this, so you could go and learn about it, like take only specific, like investigation, or like take only specific about Kubernetes and how is the security, take only container security and go deep into it, so something like that will also be there.

A: So please subscribe to the YouTube channel so that you get events, community.elastic.com for meetups, and then, and then, like, join the chapter that you are interested in, so like, you know, you could join Bangalore or like Delhi or wherever the area that you are, or if you want to ask questions and further, like Elastic, ela.st slack, there are already eight thousand plus people in the Slack group and people talk to us all the time, so yeah. Please do that.

A: So if you could go to the next slide once, or okay, no, no, go back. Go back. Yeah, still go back, yeah, so we learned creating. No, no, just, we learned creating a Kubernetes cluster. We explored the security app thing. We looked at the query languages, the indicator rule, etcetera, I've just taken a look at it. We saw letting and ingesting security data. Of course we couldn't do Auditbeat.
A: I think there were some problems and we were not able to do that, and we simulated a simple detonation in the Winlogbeat, but where you could go next, or what steps next you could do by redoing this operation, I'll tell you. If you could move to the next slide, yeah, so you could definitely go and look at the Elastic Agent and Fleet Server. So now we are doing Beats, that this and all, there is one agent that we are building, we have already built.

A: I should say so, and then that agent you could deploy using automation or anything. Actually it is automation also, so you could deploy and, line by UI, you could configure what data to be collected, not needed to configure this Kibana, Elastic setup, anything. There is an API key and you don't need to do all of this from the UI. You will tell what integrations need to be enabled, like I want to collect data from AWS.

A: I want to collect data from Azure, I want to collect data from logs from Sysmon or whatever, like you know, Zeek or Bro or Suricata, or a lot of the security modules, and then it will simply collect, and then it also provides endpoint protection. That's there's, Elastic also already has this, but then like anti-malware protection and then additional, have set rules.
A
If you have APM configured, like tracing, code tracing configured in your applications, you could bring that into the Elasticsearch SIEM, and that can be done. And, more importantly, EQL, which is very popular, not just in the Elastic world; there are many other security companies which are very much interested in EQL. Then you have Kibana Lens, which we showed in the walkthrough, where you could drag and drop stuff and look at it. That is one other thing. Then...
A
Obviously TSVB will be Time Series Visual Builder, through which you could build aggregations and data on your stuff to see things that are happening. So yeah, these are the things, the pointers from me. If I am a workshop attendee, I would learn from here that the environment is available, things are available, and then, if you have more questions, we are also available; I'll paste the LinkedIn URLs of mine, the Twitter and LinkedIn URLs of mine.
A
You can DM us. I'll also give my email ID so that you could write to us, and then LinkedIn or foreign. Please correct me if I'm wrong, Aaron Kumar, right? Or are you typing your LinkedIn? You type your LinkedIn, that's better, yeah.
A
Yeah, Haran Kumar. I think you will find it, because there are very few Harans in the world. So this is my LinkedIn, so you could DM, you could connect with us, and we are happy to connect with you. I think we are already connected with some people. Yeah, that's it from our side, and if you have any questions, we are happy to take them.
A
G
A
Exactly. Thank you, Shashi. Thank you. Any other information, any other thing that you want, like, do that, so I'll go there. Thank you so much, so that's it. I think you could leave the workshop. We will not end the meeting, because if I end the meeting... you could leave the room, as we have other workshops as well, so I can't end the meeting, so you could leave the room just like any other thing. We look forward to Kubernetes Community Days next year, probably in person. So yeah, please.
A
Please join this year's one, kcdblr.com, yeah, kcblr.com. So please join this year's and, you know, keep in touch with us. Thank you. Thank you, Haran, as well. You know, Haran is joining from Singapore, so he's two and a half hours ahead of us, and then he joined during his lunch time, and then I guess it's a bit delayed now. Cool.
C
A
G
I've helped out with other open source things like OpenStack, so glad to be of help. No problem, yeah.
A
A
Fpv announced, like, it is on kcd.sm apply dot io, that is the site reopened, and then I think you need to be part of the CNCF newsletters and everything we shared, but it is still not enough. There are a lot of people, but conferences like KubeCons get a lot of people, so exactly, yeah. So we didn't do that. The question is again limited to Bengaluru only, but because it's a common time zone across, we are just putting it out across India. Yes, for...
A
I guess I'll, yeah sure, I'll leave the room as well. So if you have any questions, you have our details; when you're on the event it will be there. Thanks for joining this morning, have a nice day.