Save $200 on Cyber Security Training at SANS Miami 2018. Ends 12/27.

SEC455: SIEM Design & Implementation Beta

Standing up and maintaining a SIEM solution is difficult, and often involves vendor assistance to produce a functioning result. These systems involve multiple complex appliances and can leave security teams feeling that they do not truly understand how to operate or customize them. Combine this situation with a shortage of available skills and a lack of simple documentation, and it is no wonder why SIEM deployments often fail. SIEMs can be the most powerful tool a cyber defense team can wield, but only when they are fully understood and used to their full potential. This course is designed to address this problem by demystifying SIEMs, and simplifying the process of implementing and maintaining a solution that is understandable, scalable, and simple to maintain.

This course will teach students how to use the Elastic Stack to build a SIEM from the ground up. Using the Elastic Stack allows building both a customized SIEM solution, and user experience, and empowers organizations to fully understand how the system operates. The results of this approach are that organizations will save money on professional services, and end up with a nimbler solution than many existing deployments. For example, many organizations may pay thousands of dollars in consulting fees when a unique log source needs a custom parser. This course will train students how to easily parse any log source themselves, saving their organizations both time and money, and facilitating faster time to use of new log sources.

SEC455 will serve as an important primer to those who are unfamiliar with the architecture required to build an Elastic based SIEM. Students have taken or plan to take SEC555 may find the additional background and context provided in this course a helpful supplement to the advanced concepts they will encounter in further courses. In addition to new SIEM design, the concepts discussed in this course will enable students to not only build a new SIEM, but improve and supplement their already existing implementations, producing a more efficient system that provides the answers they need quickly, and for less money. The overall goal is to educate students on what they need to know to design and modify a SIEM, improve upon their current solution, and enable them to reach their original defensive goal - catching adversary activity in their environment.


This course will prepare you for:

  • Architecting and designing a SIEM solution
  • Design a SIEM focused on speed and efficiency
  • Deploying an open source SIEM solution meant for enterprise workloads
  • Sizing and using a SIEM based on any budget (shoestring budgets to unlimited funding)
  • Collecting and parsing logs of any type or source
  • Scaling log collection, ingestion, and search capabilities
  • Enrich logs to provide advanced detection as well as context to analysis
  • Building a compliance and tactical SIEM, whether a single system or dual stack (multiple SIEMs)
  • Knowing when, why, and how to deploy multiple SIEM solutions and how to integrate them
  • Deploy an alert engine and setup alert rules
  • Implement tiered storage with aging policies to handle data retention and disk speeds
  • Enhance logs to add context
  • Implement searches that do not take coffee breaks to finish
  • Knowing when and when not to augment logs
  • Finding meaningful log sources and how to automate data collection
  • Identifying common SIEM deployment pitfalls and hurdles


Course Syllabus


Day one focuses on Elasticsearch and Kibana and will take students on a journey from their first steps in the Elastic stack, to having a functioning SIEM by the end of the day. Students will learn the skills required to install, configure, and use Elasticsearch, and become comfortable with using Kibana to visualize imported data in multiple useful ways.

Class begins with an introduction to the components of a SIEM and how each relates to the pieces of the Elastic stack. After the high-level view is covered, Elasticsearch receives a deep dive with a focus on the core practical concepts of node types, indexes, shards, and data type mapping. In addition, administrative activities such as cluster creation, management, data retention and optimization are covered and put into practice with hands on labs. Through these activities, students will become comfortable creating, modifying, and managing their Elasticsearch cluster. The Elasticsearch lesson also includes recommendations and calculations to ensure the capacity of the cluster meets storage and event-per-second requirements.

The second part of the day features a similar deep dive on how to install, setup, and use Kibana. Students will become familiar with the search, visualization, and dashboard interfaces and learn how to use these tools, and more, to explore log data. In addition, students will learn the multiple ways of securing access to their Elastic stack and locking down indexes and documents with role based permission schemes.

  • Installing, managing and scaling Elasticsearch - Creating your first Elasticsearch node, joining nodes into a cluster, indexes and shard management.
  • Index Lifecycle Management - Using Curator to optimize, allocate, and manage indexes
  • Kibana Hands-on - Ingesting your first logs, adding indexes, running searches, and creating visualizations and dashboards.
  • Securing the Stack

CPE/CMU Credits: 6


SEC455.1 Distributed Search and Visualization

  • What is ELK?
  • ElasticSearch
    • General Architecture
    • Indexes / Shards
    • Node Types
    • Scaling out
    • Cerebro
    • Indices naming
    • Templates
    • Field Types
    • Dealing with data already ingested
    • Hot vs cold
    • Retention with Curator
    • Optimization
  • Elasticsearch sizing & EPS
    • Hardware
    • Monitoring EPS
    • Shards & replicas
    • Dynamic sizing for nodes
  • Kibana
    • Adding Index patterns
    • Creating Visualizations
    • Creating searches
    • Creating Dashboards
    • Linking to data from logs
    • Timelion
    • Graph and network plugins
    • Machine Learning
    • Other visualization tools (Graphite)
    • Big Data / Hadoop
  • Securing the elastic stack
    • X-Pack vs. Elasticguard vs. Apache frontend (Securing)
    • Field level, anonymization, logon with AD, 2FA
    • Securing
      • X-Pack Security
      • Search Guard
      • Apache Proxy
      • Index, Document, & field level security

Building upon the infrastructure prepared throughout day one, day two continues by focusing on how to efficiently move logs from your edge devices and transport, parse, and enrich them. Any organization can create an enormous amount of log events in a short period of time so the creation of an efficient and dependable pipeline is crucial to maintaining the integrity, and stability of any logging solution. The multitude of log formats and transport protocols will be discussed, as well as how to decide on the best configuration for any given situation. Traditionally, log parsing has been painful and full of potential error, but the techniques shown throughout this day will serve to reduce or eliminate this pain, and teach students how to substitute legacy solutions with more modern and efficient solutions. By the end of day 2, students will be familiar with optimal logging formats, as well as be armed with new and effective ways to parse those legacy or difficult to handle logs.

While having perfectly parsed logs is great on its own, we can go much further. The value of a parsed log can be improved hundreds of times over with proper enrichment, and this can be done with nominal performance impacts on log ingestion rates. This includes adding context to logs and various other techniques used to increase your detection capabilities. Additionally, conditional logic and strategies for log filtering are discussed to ensure that the system will not be bogged down processing unneeded information.

The final piece of SIEM architecture is collecting logs off edge devices. Many organizations are unwilling or unable to deploy agent based log collection, so both agent and agentless methods of log collection will be discussed so that students can identify their ideal deployment. Although many students may already have a SIEM present in their environment, the Elastic set of tools can also be used to further supplement and improve the performance of other commercial SIEMs. New trends such as the dual-stack SIEM environment will be explained, as well as how to use Logstash to supplement pre-existing SIEM deployments that struggle with high volume issues and poor data enrichment features. Alerting based on logs is also covered with a review of both Elastic and 3rd party solutions.

  • Logstash Intro - Becoming familiar with the Logstash input/filter/output pipeline debugging techniques, and the standard organization and workflow for dealing with configuration files.
  • Traditional Log Parsing - Advanced log parsing
  • Modern Log Parsing
  • Log Enrichment - Enrichment and tagging of logs in the pipeline
  • Log Agents
  • Alerting
  • Logstash

CPE/CMU Credits: 6


SEC455.2 Enriching and Managing Logs

  • Log Aggregation
    • General Architecture
    • Open source solutions
    • Scaling out
      • Synchronizing configurations across multiple nodes
      • Handling EPS
    • Input/Filter/Output
    • Traditional Parsing
      • Syslog
      • Regex
      • Grok
      • Patterns
    • Modern Parsing
      • Log Formats
      • Automatic parsers
      • Extraction vs Parsing
    • Log Enrichment
      • Field Standardization
      • Tags
      • Conditional Filters
      • Enrichment
      • Debugging
      • Custom enrichment
      • Performance Impact
  • Message Brokers
    • Log buffering and back pressure
    • Enterprise message brokers
    • Key Advantages
      • Upgrades
      • Log resiliency
  • Agents
    • Architecture
    • Core Features
    • Endpoint Filtering
    • Scaling
    • Automatic Configuration Control
    • Scripts
  • 3rd Party Integration & Dual stack SIEM
    • Compliance vs Tactical
    • Commercial vs Open source
    • Duplicating data to multiple sources
    • Converting output format per SIEM
    • Migrating into or out of Elastic
  • Alerting
    • Alert engines and how they function
    • Rule types
    • Rule development
    • Rule testing

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Workstation Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.


  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • Wireless Ethernet 802.11 B/G/N/AC
  • USB 3.0 Ports Highly Recommended
  • Disk: 25 Gigabytes of free disk space
  • VMware Workstation 11, Workstation Player 7, or Fusion 7 (or newer)
  • A Linux virtual machine will be provided in class

If you have additional questions about the laptop specifications, please contact

  • Custom distribution of Linux with software ready to setup your own custom SIEM
  • Realistic log data
  • MP3 audio files of the complete course lecture
  • Intro and Walkthrough videos of labs with advanced functionality such as text searching and navigation
  • Digital wiki with labs
  • USB 3.0 stick that includes the above and more

*CPE/CMU credits not offered for the SelfStudy delivery method

0 Training Results
Sorry, this course is not currently available.