On This Page

A Guide to Threat Hunting Utilizing the ELK Stack and Machine Learning

Cylance | August 4-5 & August 6-7


The days of using excel to find malicious activity are over. Breaches are only expanding in size, so incident responders need their own way of growing out of the days of using excel to hunt through mountains of data. In this course, you will learn how to create your own enterprise-wide hunting platform using ELK with data enrichment feeds. Additionally, creating the means of retrieving the data from the various endpoints and data sources will also be introduced and explained throughout the course. Students will deploy PowerShell scripts across a customized network environment to gather critical data necessary to respond to an incident. Once the data has been collected students will then enrich the data from both a normalization perspective as well as using visualizations to assist in finding outliers and anomalies within the data sets. This course will teach you how to not only set up an ELK server specifically geared to facilitate powerful hunting, but will also show you how to collect data efficiently from every single endpoint on your network in a very short span of time, thereby enabling you to proactively hunt on a regular basis.

Outline: Students should expect to conduct 3-4 labs each day. Labs will include functional components of building out the ELK stack and its respective modules as well as highlight how those components can be leveraged to assist you in finding malicious activity in your environment.

Day 1:
  • Overview, introduction to threat hunting, ELK
  • Indicators of Compromise
  • Knowing how to find bad
  • Final Configuration demonstration
  • Data collection methods
  • PowerShell Basics
  • Logstash
  • Elasticsearch basics
  • Kibana basics

Day 2:
  • Building Visualizations
  • Building Dashboards
  • Data enrichment
  • Real-time data collection
  • Machine Learning for Threat Hunting
  • Final Exercise

Who Should Take this Course

IT Admins, CERT analysts, Forensic Analysts. Anyone that has a desire to understand threat hunting, the ELK stack or enhancing the incident response processes at their organization.

Student Requirements

  • Basic understanding of scripting concepts
  • Basic forensics knowledge
  • Windows OS fundamentals

What Students Should Bring

  • Windows 7 or Windows 10 laptop with at least 16GB of RAM and at least 100gb of free disk space
  • Virtualization software capable of running VMDKs and OVA files
  • PDF Reader software

What Students Will Be Provided With

  • Thumbdrive loaded with scripts for forensic data collection and other goodies for hunting.
  • ELK configuration files
  • Course materials


Thomas Pace began his career in security when he joined the Marine Corps as an infantryman and intelligence specialist. During this time, he deployed to both Iraq and Afghanistan. He then moved on to work for PNC Bank where he was an incident response investigator and assisted in mitigating the ongoing DDoS attacks that were occurring in 2012 and 2013. Thomas Pace then worked for the Department of Energy as a contractor where he leads the incident response and intrusion detection teams, as well as conducts forensic investigations. In addition, he is an Adjunct Professor at Tulane University where he teaches an undergraduate Cyber Security course. Currently Thomas is a Principal Consultant with Cylance within the Incident Response and Forensics services organization. At Cylance, he assists organizations in remediating incidents and developing incident response policies and procedures. Thomas Pace graduated with a Master's Degree from the University of Pittsburgh with a degree in Information Security. He also possesses the CISSP, SFCP, GCFA, GCIH, GCWN and GCIA certifications.

Derek McCarthy is a Technical Director for Incident Response & Forensics at Cylance. In addition to leading the development of both Compromise Assessment & Incident Response methodologies, Derek is often found on the frontlines leading teams of incident responders in some of the largest breaches of the last decade. Prior to working at Cylance, Derek worked on the information security team at Draper Laboratories in Cambridge, MA.

Matt Maisel is a data scientist passionate about the intersection of machine learning, software engineering, and information security domains. He’s currently the manager of Security Data Science at Cylance. Matt recently architected a scalable malware analysis and modeling service used to process customer malware detections. He’s worked in several organization within Cylance including research engineering as a software architect and consulting as the technical director of the incident response practice. Matt holds a M.S. in Computer Science with a focus in machine learning and distributed systems from Johns Hopkins University.