Curated list of blog posts, presentations, how-to guides, tools, scripts, and other resources related to threat hunting with the ELK stack. Links will be updated and annotated over time.
- https://www.peerlyst.com/posts/security-monitoring-and-attack-detection-with-elasticsearch-logstash-and-kibana-martin-boller
- https://www.elastic.co/blog/monitoring-windows-logons-with-winlogbeat
- https://cyberwardog.blogspot.com
- https://github.com/philhagen/sof-elk
- http://rocknsm.io/
- http://blog.securityonion.net/2017/03/towards-elk-on-security-onion.html
- https://technet.microsoft.com/en-us/sysinternals/sysmon
- https://www.rsaconference.com/events/us16/agenda/sessions/2461/tracking-hackers-on-your-network-with-sysinternals
- https://www.rsaconference.com/events/us17/agenda/sessions/7516-How-to-Go-from-Responding-to-Hunting-with-Sysinternals-Sysmon
- https://cyberwardog.blogspot.com/2017/03/building-sysmon-dashboard-with-elk-stack.html
- https://joshuadlewis.blogspot.com/2014/10/advanced-threat-detection-with-sysmon_74.html
- https://medium.com/@haggis_m/splunking-the-endpoint-threat-hunting-with-sysmon-9dd956e3e1bd (based on Splunk but applicable to ELK)
- https://medium.com/@haggis_m/hunting-with-sysmon-38de012e62e6 (based on Splunk but applicable to ELK)
- https://www.peerlyst.com/posts/botconf-2016-advanced-incident-detection-and-threat-hunting-using-sysmon-and-splunk-guurhart (based on Splunk but applicable to ELK)
- https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
- https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html