The Elastic Stack

Another open source option for a SIEM is the Elastic Stack (still commonly known as the ELK Stack). The name comes from its three core components: Elasticsearch, which indexes and stores the data; Logstash, which ingests log data and transforms it into a normalized format; and Kibana, the web GUI used to search and visualize what has been indexed. Together they give threat hunters an open source platform that can display log data from many systems at once. The Elastic Stack is built into a number of open source security tools, including the aforementioned Security Onion. It can also be deployed as a standalone SIEM, fed by the lightweight Beats shippers; Winlogbeat, for example, runs on Windows hosts and forwards Windows event logs to Elasticsearch or Logstash.
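The configuration below is an added example of a standalone deployment of the kind described above; it is not taken from the book or from Elastic's own documentation. It shows a `winlogbeat.yml` that forwards a selected set of Windows event logs straight to Elasticsearch, with the weak output settings a practitioner should avoid shown commented out beside the hardened ones. The hostnames `elastic.example.internal` and `kibana.example.internal`, the user `winlogbeat_writer`, the CA file path and the chosen event IDs are assumptions for this example.

```yaml
# winlogbeat.yml (added example; the hostnames, user, CA path and
# event ID selection are assumptions, not values from the book)

winlogbeat.event_logs:
  # Security log: ship only the event IDs the hunt needs instead of the
  # whole channel (4624/4625 logons, 4648 explicit credentials,
  # 4672 special privileges, 4688 process creation, 4720 account created).
  - name: Security
    event_id: 4624, 4625, 4648, 4672, 4688, 4720
    ignore_older: 72h
  - name: System
  # PowerShell module (4103) and script block (4104) logging
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  # Sysmon, if it is installed on the host
  - name: Microsoft-Windows-Sysmon/Operational

# WEAK: plaintext HTTP, the built-in superuser, and a password in the file.
# Anyone who reads this file or sniffs the segment owns the SIEM.
# output.elasticsearch:
#   hosts: ["http://10.0.0.5:9200"]
#   username: "elastic"
#   password: "changeme"

# HARDENED: TLS with a pinned CA, a dedicated write-only account, and the
# secret pulled from the Beats keystore (winlogbeat keystore add ES_PASSWORD).
output.elasticsearch:
  hosts: ["https://elastic.example.internal:9200"]
  username: "winlogbeat_writer"
  password: "${ES_PASSWORD}"
  ssl.certificate_authorities: ['C:\ProgramData\winlogbeat\elastic-ca.crt']
  ssl.verification_mode: full

# Lets `winlogbeat setup` load the index template and sample dashboards.
setup.kibana:
  host: "https://kibana.example.internal:5601"
```

Before starting the service, `winlogbeat test config -c winlogbeat.yml` validates the file and `winlogbeat test output` confirms the TLS connection and credentials; `winlogbeat setup` then loads the index template and dashboards. The `winlogbeat_writer` account is assumed to hold a role limited to writing the Winlogbeat indices, so a compromised endpoint cannot use the shipper's credentials to read or delete other evidence in the SIEM.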

The most visible portion of the Elastic Stack is the Kibana interface. It allows the indexed data to be searched and visualized, as can be seen here:

SIEM platforms are an excellent way for responders to examine a wide range of logs from a large number of systems. One area where this becomes critical is Windows event logs. The next section examines the variety of Windows event logs and the insight they can give responders into account and application usage.
