BlackBerry Blog

Black Hat USA: Threat Hunting Utilizing the ELK Stack and Machine Learning

NEWS / 07.03.18 / The Cylance Team


The days of hunting for malicious activity in Excel are over. Breaches keep growing in size and scope, and incident responders need tooling that scales beyond spreadsheets when sifting through mountains of data.

In this course, offered in two sessions at Black Hat USA (August 4-5 and August 6-7), attendees will learn how to build their own enterprise-wide hunting platform on the ELK stack (Elasticsearch, Logstash and Kibana) with data enrichment feeds.

Building the collection mechanisms that retrieve data from endpoints and other data sources is also introduced and explained throughout the course.

Students will be provided with a virtual machine containing a rich data set collected from multiple systems, some of which have been infected and some of which have not.

Students will then enrich the data, both by normalizing it and by building visualizations that help surface outliers and anomalies within the data sets.

Students will be introduced to a range of machine learning algorithms and concepts that are useful for threat hunting across enterprise data sets.
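As an added illustration of the normalize-then-find-outliers step described above (this is not the course's own material, and the four-host process inventory below is constructed for the example), the following Python stacks (image, parent) pairs across endpoints and ranks them by how many hosts they appear on, then adds one enrichment: flagging binaries whose filename matches something under the Windows directory but which run from elsewhere.

```python
"""Stack-counting across endpoint process inventories.

Added example, not course material: normalize process records collected from
several hosts, then rank (image, parent) pairs by how many hosts they appear
on. Things that run on one or two machines out of the fleet are where a hunt
starts; a masquerade check then helps separate "rare but legitimate" from
"rare and suspicious".
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample inventory: (host, image path, parent image path).
# Two of the four hosts run an svchost.exe from a user-writable directory,
# spawned by PowerShell; everything else is ordinary Windows activity.
SAMPLE_RECORDS = [
    ("WS01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("WS01", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", r"C:\Windows\explorer.exe"),
    ("WS02", r"C:\WINDOWS\system32\SVCHOST.EXE", r"C:\WINDOWS\system32\services.exe"),
    ("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("WS02", r"C:\Users\bob\AppData\Roaming\svchost.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS03", r"c:\windows\system32\svchost.exe", r"c:\windows\system32\services.exe"),
    ("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("WS04", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("WS04", r"C:\Users\alice\AppData\Roaming\svchost.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS04", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
]

# Matches the per-user profile prefix so one dropper in two users' profiles
# stacks into a single bucket instead of looking like two unrelated paths.
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\")
# Normalized prefixes treated as "expected" locations for system binaries.
SYSTEM_DIRS = ("c:\\windows\\",)


def normalize_path(path: str) -> str:
    """Case-fold, unify separators and mask the username in profile paths."""
    p = path.strip().lower().replace("/", "\\")
    return USER_PROFILE.sub(lambda _m: "c:\\users\\<user>\\", p)


def stack_by_host(records):
    """Map each normalized (image, parent) pair to the set of hosts it ran on."""
    seen = defaultdict(set)
    for host, image, parent in records:
        seen[(normalize_path(image), normalize_path(parent))].add(host)
    return seen


def rare_pairs(records, max_hosts=None):
    """Pairs observed on at most max_hosts hosts (default: half the fleet),
    returned rarest first as (host_count, image, parent) tuples."""
    fleet = {host for host, _, _ in records}
    limit = max_hosts if max_hosts is not None else max(1, len(fleet) // 2)
    found = [
        (len(hosts), image, parent)
        for (image, parent), hosts in stack_by_host(records).items()
        if len(hosts) <= limit
    ]
    return sorted(found)


def masquerade_flags(records):
    """Normalized image paths whose filename also exists under a system
    directory somewhere in the fleet but which live outside it (for example
    svchost.exe under AppData). Adds context to the bare frequency view."""
    images = {normalize_path(image) for _, image, _ in records}
    system_names = {ntpath.basename(p) for p in images if p.startswith(SYSTEM_DIRS)}
    return sorted(
        p for p in images
        if not p.startswith(SYSTEM_DIRS) and ntpath.basename(p) in system_names
    )


if __name__ == "__main__":
    for count, image, parent in rare_pairs(SAMPLE_RECORDS):
        print(f"{count} host(s): {image}  <-  {parent}")
    for path in masquerade_flags(SAMPLE_RECORDS):
        print(f"masquerade? {path}")
```

Note that Outlook is reported as rare too, because only one sampled host has Office installed: frequency tells you where to look, not what is bad, which is why the enrichment step (here a crude masquerade check, in the course normalization plus visualization plus machine learning) matters before anything is escalated.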

This course teaches you not only how to set up an ELK server geared specifically for powerful hunting, but also how to collect data efficiently from every endpoint on your network in a short span of time, so that you can hunt proactively on a regular basis.



Course outline:

Students should expect to conduct 5-6 labs each day. Labs cover the functional components of building out the ELK stack and its modules, and show how those components can be used to find malicious activity in your environment. Machine learning is applied in several labs throughout the course.

Day 1:

  • Overview, introduction to threat hunting, ELK
  • Indicators of Compromise
  • Knowing how to find bad
  • Data collection methods
  • Data enrichment
  • Real-time data collection
  • PowerShell Basics
  • Machine Learning for Threat Hunting

Day 2:

  • Logstash Filters
  • Elasticsearch Optimizations
  • Kibana Dashboard and Saved Search creation
  • Building Visualizations
  • Building Dashboards
  • Final Exercise


Who should take this course:

IT administrators, CERT analysts, forensic analysts, and anyone who wants to understand threat hunting, the ELK stack, or how to enhance the incident response process at their organization.

Student requirements:

  • Basic understanding of scripting concepts
  • Basic forensics knowledge
  • Windows OS fundamentals

What students should bring:

  • Windows 7 or Windows 10 laptop with at least 16 GB of RAM and at least 100 GB of free disk space
  • Virtualization software capable of running VMDKs and OVA files
  • PDF Reader software

What students will be provided with:

  • A thumb drive loaded with forensic data collection scripts and other hunting tools
  • ELK configuration files
  • Course materials


Trainers:

Tom Pace is the Sr. Director of Worldwide Consulting at Cylance, where he focuses on putting together solutions for clients around the world. Tom began his career in security when he joined the Marine Corps as an infantryman and intelligence specialist. During this time, he deployed to both Iraq and Afghanistan, where he conducted hundreds of missions. After the military Tom worked as an incident responder and cybersecurity engineer for multiple large enterprises and government agencies. Tom holds a M.S. from the University of Pittsburgh with a specialization in Information Security. He also possesses the CISSP, SFCP, GCFA, GCIH, GCWN, GICSP and GCIA certifications.

Derek McCarthy is a Technical Director for Incident Response & Forensics at Cylance. In addition to leading the development of both Compromise Assessment and Incident Response methodologies, McCarthy is often found on the frontlines leading teams of incident responders in some of the largest breaches of the last decade. Prior to working at Cylance, McCarthy worked on the information security team at Draper Laboratories in Cambridge, MA.

Matt Maisel is a Data Scientist passionate about the intersection of machine learning, software engineering, and computer security. He has worked across several departments within Cylance, including research engineering as a Software Architect and consulting as a Technical Director of the incident response practice. He previously worked in incident response and malware analysis in the healthcare and defense consulting industries. Matt holds an M.S. in Computer Science with a specialization in machine learning and distributed systems from Johns Hopkins University.

The Cylance Team

About The Cylance Team

Our mission: to protect every computer, user, and thing under the sun.