Overview
This talk from Security Onion Conference 2016 traces the evolution of ELSA (Enterprise Log Search and Archive) and previews ELSA 2.0. It begins with an ELSA timeline, the reasons Sphinx was chosen as the original search backend, and the rationale for ELSA itself. It then lays out the goals of ELSA 2.0: integration with Elasticsearch (including its noteworthy 2.x features, the sense in which Elasticsearch is "not elastic", and the resulting architectural considerations), improvements in syslog-ng, and containerization. The talk introduces the branched breadcrumb data model, in which transcripts serve as a navigable history of an investigation, with transcript actions such as scope and pivot, a transcript data model, and a way to quantify investigation performance. It also covers favorites and visualizations including grouped histograms, Sankey diagrams, force-directed graphs, and geo country maps, and closes with the status and timeline for ELSA 2.0.
Syllabus
Intro
AN ELSA TIMELINE
WHY SPHINX?
WHY ELSA?
INTRODUCING ELSA 2.0
GOALS OF ELSA 2.0
ELASTICSEARCH: EMBRACE THE HORROR
ELASTICSEARCH 2.X NOTEWORTHY FEATURES
ELASTICSEARCH IS NOT ELASTIC
FED ARCHITECTURE
SYSLOG-NG IMPROVEMENTS
CONTAINERS
ACTION STATUS
BRANCHED BREADCRUMB DATA MODEL
TRANSCRIPTS ARE NAVIGABLE HISTORY
TRANSCRIPT ACTION: SCOPE
TRANSCRIPT ACTION: PIVOT
TRANSCRIPT DATA MODEL
QUANTIFIABLE INVESTIGATION PERFORMANCE
FAVORITES
GROUPED HISTOGRAM
SANKEY
FORCE DIRECTED GRAPH
GEO COUNTRY MAP
ELSA 2.0 STATUS AND TIMELINE
Taught by
Security Onion