Curso Elastic Stack as a SIEM

32 hours, hands-on course
Overview

This course presents the Elastic Stack (Elasticsearch, Logstash, Kibana, Beats and Elastic Agent) as a complete SIEM (Security Information and Event Management) solution. Participants will learn to collect, normalize, centralize, analyze and visualize security events, and to configure detections, alerts, dashboards and response automations within Elastic Security.

Target Audience
  • Information Security Analysts
  • System Administrators
  • SOC Analysts (Tier 1, 2 and 3)
  • SIEM Engineers
  • DevSecOps Engineers
  • Network and infrastructure professionals
  • Security consultants
Prerequisites
  • Basic knowledge of networks and protocols
  • Basic Linux knowledge
  • Fundamentals of information security
  • Familiarity with logs and monitoring
General Information

After completing the "Elastic Stack as a SIEM" course, you will be able to:

  • Deploy and configure the Elastic Stack as a complete SIEM solution
  • Collect and normalize logs from different sources (firewalls, systems, endpoints, applications)
  • Create advanced dashboards and visualizations in Kibana
  • Configure data ingestion via Beats, Elastic Agent and Logstash
  • Create detection rules, correlations and security alerts
  • Implement response automations and investigations
  • Operate Elastic Security in a corporate environment
  • Integrate the SIEM with other security tools
Materials
English/Portuguese + Exercises + Hands-on Lab
Course Content

Module 1 — Introduction to Elastic Stack and SIEM

  1. Overview of SIEM concepts
  2. Elastic Stack architecture
  3. Elastic Security overview
  4. Main components (Elasticsearch, Kibana, Logstash, Beats, Elastic Agent)
  5. How Elastic works as a SIEM

Module 2 — Installation and Configuration

  1. Installing Elasticsearch cluster
  2. Configuring Kibana
  3. Installing Logstash and Beats
  4. Deployment of Elastic Agent and Fleet Server
  5. Basic cluster administration

Module 3 — Data Collection and Ingestion Pipelines

  1. Log ingestion strategies
  2. Ingestion via Filebeat, Metricbeat, Packetbeat, Winlogbeat
  3. Centralized management with Fleet
  4. Logstash pipelines and filters
  5. Parsing, enrichment, and normalization

Module 4 — Data Normalization and ECS (Elastic Common Schema)

  1. What is ECS
  2. ECS fields and structure
  3. Mapping third-party logs to ECS
  4. Benefits for correlation

Module 5 — Building Dashboards and Visualizations in Kibana

  1. Discover and data exploration
  2. Kibana Lens
  3. Dashboards creation
  4. Filters, tags, and saved queries
  5. Visualizing security-related metrics

Module 6 — Threat Detection and Correlation Rules

  1. Elastic Security detection engine
  2. Prebuilt detection rules
  3. Custom rule creation
  4. Threshold rules
  5. EQL (Event Query Language) correlation
  6. Machine Learning-based detections

Module 7 — Alerting and Response Automation

  1. Configuring alerting connectors
  2. Email, Slack, Webhook, and Elasticsearch actions
  3. Case management
  4. Automated remediation workflows
  5. SOAR-like features in Elastic Security

Module 8 — Threat Hunting with Elastic

  1. Threat hunting methodology
  2. Querying with KQL and Lucene queries
  3. Indicator of compromise (IOC) hunting
  4. Network and endpoint analysis
  5. Practical hunting exercises

Module 9 — Endpoint Security and EDR

  1. Elastic Endpoint Security
  2. Malware detection
  3. Behavioral analytics
  4. Preventing ransomware and exploits
  5. EDR capabilities
  6. Live response

Module 10 — Integration with Other Security Tools

  1. SIEM integrations with:
     • Firewalls (Palo Alto, Fortigate, Cisco ASA)
     • Windows and Linux endpoints
     • AWS CloudTrail
     • Sysmon
     • Active Directory logs
     • External threat intelligence feeds

Module 11 — SOC Operations with Elastic

  1. Incident triage
  2. Investigation workflows
  3. Case management and reporting
  4. Best practices for SOC teams
  5. Retention, scaling, and performance tuning

Module 12 — Final Project

  1. Designing and implementing a fully functional Elastic SIEM
  2. Configuring logs, detections, dashboards, and alerts
  3. Presenting a security incident investigation