BlackBerry Blog

NorthSec: Threat Hunting Utilizing the ELK Stack and Machine Learning

NEWS / 03.14.18 / The Cylance Team

The days of using Excel to find malicious activity are over. Breaches keep growing in size, so incident responders need their own way to move beyond hunting through mountains of data in spreadsheets.

In this course, offered at NorthSec on May 14th, 15th and 16th, attendees will learn how to create their own enterprise-wide hunting platform using ELK with data enrichment feeds. The course will also introduce and explain how to build the means of retrieving data from the various endpoints and data sources.

Students will be provided with a virtual machine that has a robust data set from multiple systems that have been infected, as well as some systems that have not.

Students will then enrich the data, both by normalizing it and by using visualizations to help find outliers and anomalies within the data sets.

Students will be introduced to a multitude of machine learning algorithms and concepts that are useful for threat hunting purposes in enterprise data sets.

This course will teach you not only how to set up an ELK server specifically geared to facilitate powerful hunting, but also how to collect data efficiently from every single endpoint on your network in a very short span of time, enabling you to proactively hunt on a regular basis.

Students should expect to conduct 5-6 labs each day. Labs will include functional components of building out the ELK stack and its respective modules, and will highlight how those components can be leveraged to help you find malicious activity in your environment. Utilization of machine learning will also be highlighted in a multitude of labs throughout the course.

Topics to be Covered:

  • Overview, introduction to threat hunting, ELK
  • Indicators of Compromise (IoCs)
  • Data collection methods
  • Data enrichment
  • Real-time data collection
  • PowerShell Basics
  • Machine Learning for Threat Hunting
  • Logstash Filters
  • Elasticsearch Optimizations
  • Kibana Dashboard and Save Search creation
  • Building Visualizations
  • Building Dashboards
  • Final Exercise

Who Should Take This Course

IT Admins, CERT analysts, Forensic Analysts. Anyone who wants to understand threat hunting or the ELK stack, or to enhance the incident response processes at their organization.

Student Requirements

  • Basic understanding of scripting concepts
  • Basic forensics knowledge
  • Windows OS fundamentals

What Students Should Bring

  • Windows 7 or Windows 10 laptop with at least 16 GB of RAM and at least 100 GB of free disk space
  • Virtualization software capable of running VMDKs and OVA files
  • PDF Reader software

What Students Will be Provided With

  • Thumbdrive loaded with scripts for forensic data collection and other goodies for hunting
  • ELK configuration files
  • Course materials

Tom Pace is the Sr. Director of Worldwide Consulting at Cylance, where he focuses on putting together solutions for clients around the world. Tom began his career in security when he joined the Marine Corps as an infantryman and intelligence specialist. During this time, he deployed to both Iraq and Afghanistan, where he conducted hundreds of missions. After the military, Tom worked as an incident responder and cybersecurity engineer for multiple large enterprises and government agencies. Tom holds an M.S. from the University of Pittsburgh with a specialization in Information Security. He also possesses the CISSP, SFCP, GCFA, GCIH, GCWN, GICSP and GCIA certifications.

Derek McCarthy is a Technical Director for Incident Response & Forensics at Cylance. In addition to leading the development of both Compromise Assessment & Incident Response methodologies, McCarthy is often found on the frontlines leading teams of incident responders in some of the largest breaches of the last decade. Prior to working at Cylance, McCarthy worked on the information security team at Draper Laboratories in Cambridge, MA.

Matt Maisel is a data scientist passionate about the intersection of machine learning, software engineering, and computer security. He has worked across several departments within Cylance, including research engineering as a software architect and consulting as a technical director of the incident response practice. He previously worked in incident response and malware analysis in the healthcare and defense consulting industries. Matt holds an M.S. in Computer Science with a specialization in machine learning and distributed systems from Johns Hopkins University.

About The Cylance Team

Cylance’s mission is to protect every computer, user, and thing under the sun. That's why we offer a variety of great tools and resources to help you make better-informed security decisions.