You're reading from Practical Threat Intelligence and Data-Driven Threat Hunting A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Product type Paperback

Published in Feb 2021

Publisher Packt

ISBN-13 9781838556372

Length 398 pages

Edition 1st Edition

Tools

Elasticsearch

Concepts

Application Security

Author (1):

Valentina Costa-Gazcón

Preface

1. Section 1: Cyber Threat Intelligence

2. Chapter 1: What Is Cyber Threat Intelligence? FREE CHAPTER

3. Chapter 2: What Is Threat Hunting?

4. Chapter 3: Where Does the Data Come From?

5. Section 2: Understanding the Adversary

6. Chapter 4: Mapping the Adversary

7. Chapter 5: Working with Data

8. Chapter 6: Emulating the Adversary

9. Section 3: Working with a Research Environment

10. Chapter 7: Creating a Research Environment

11. Chapter 8: How to Query the Data

12. Chapter 9: Hunting for the Adversary

13. Chapter 10: Importance of Documenting and Automating the Process

14. Section 4: Communicating to Succeed

15. Chapter 11: Assessing Data Quality

16. Chapter 12: Understanding the Output

17. Chapter 13: Defining Good Metrics to Track Success

18. Chapter 14: Engaging the Response Team and Communicating the Result to Executives

19. Other Books You May Enjoy

Appendix – The State of the Hunt

Configuring Winlogbeat

Winlogbeat is an open source tool that runs as a Windows service and is in charge of sending Windows logs to an Elasticsearch or Logstash instance.

Let's go ahead and configure this tool:

Download the Winlogbeat official package from the following URL: https://www.elastic.co/downloads/beats/winlogbeat. Unzip it and move the folder to C:\Program Files\. Rename the folder to Winlogbeat.

Open PowerShell as Administrator and run the following commands:

cd C:\Users\Administrator 
cd 'C:\Program Files\Winlogbeat'
.\install-service-winlogbeat.ps1

If you get an execution policy error, run the following command and select A when prompted:
```
Set-ExecutionPolicy Unrestricted
```
You will get the following output:
Figure 7.65 – Installing Winlogbeat
Once installed, open Notepad as Administrator to edit the winlogbeat.yml configuration file in C:\Program Files\Winlogbeat:
Figure 7.66 – Opening Winlogbeat.yml
Scroll to the Outputs...