Attacks Detection Through Logs Inspecting Using ELK Stack and MITRE ATTACK Framework

dc.contributor.advisor: Tom Chothia
dc.contributor.author: ALAA YAHIA ALZUBIANI
dc.date: 2021
dc.date.accessioned: 2022-05-28T16:39:27Z
dc.date.available: 2022-05-28T16:39:27Z
dc.degree.department: Cyber Security
dc.degree.grantor: University of Birmingham
dc.description.abstract: Log files are a significant resource for the security analyst to identify and investigate events of interest, as they provide detailed information about user activities. Although log files might be considered valuable resources for examining suspicious behaviours related to systems and applications, they are not represented in a simple, readable format that helps the investigator analyse them in an efficient manner. Additionally, log files have thousands of lines, so determining the set of log messages that report the investigated event consumes much time. Our aim with this paper was to provide an abstraction layer over system and application logs for the security analyst by eliminating the irrelevant log file data and representing only security-related logs in a readable format. In addition, this research aimed to study the default log files of the systems and applications to determine whether these default log files can be considered efficient resources for detecting attacks. Moreover, the set of security-related logs was determined based on the MITRE ATTACK matrix, and finally, the log management system was built using the ELK stack to represent these log data.
dc.identifier.uri: https://drepo.sdl.edu.sa/handle/20.500.14154/36090
dc.language.iso: en
dc.title: Attacks Detection Through Logs Inspecting Using ELK Stack and MITRE ATTACK Framework
sdl.thesis.level: Master
sdl.thesis.source: SACM - United Kingdom

Copyright owned by the Saudi Digital Library (SDL) © 2025