Threat Identification from Access Logs Using Elastic Stack
Date
2020
Publisher
North Dakota State University
Abstract
Access log management is an essential part of cybersecurity. Lack of insight into user authentication patterns can hinder readiness and reaction to the growing threat of cyberattacks. The Central Authentication Service (CAS) log is underutilized in threat detection because of its detailed and complex logging format. This paper investigates the feasibility of turning unfriendly CAS logs into helpful data points using the Elastic Stack (Filebeat, Logstash, Elasticsearch and Kibana) to detect anomalies. CAS logs are collected by Filebeat and forwarded to Logstash. A custom Grok filter deployed in Logstash normalizes the complex CAS log lines, and the resulting data is indexed in Elasticsearch. A Python program using Elasticsearch's aggregation function was developed to query the indexed data and compare password submission counts against multi-factor submission counts per user. This mechanism was found to have potential for detecting threats. Finally, Kibana's rich visualization capabilities allow the data to be explored and shaped in innovative ways.
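The abstract describes a Python program that uses an Elasticsearch aggregation to compare password and multi-factor submission counts. The block below is an added illustration of that comparison step; it is not the thesis's own program. The Grok-produced field names (`cas.user`, `cas.action`), the action values, the tolerance threshold and the aggregation response are all assumptions or constructed sample data, so the code runs offline without a live cluster.

```python
"""Added example: per-user comparison of password vs. multi-factor submissions
from an Elasticsearch terms aggregation over Grok-normalized CAS events."""

# Assumed field names written by a hypothetical Grok filter (not from the thesis).
USER_FIELD = "cas.user"
ACTION_FIELD = "cas.action"
# Assumed action values; a real deployment would use whatever the Grok filter emits.
PASSWORD_ACTION = "PASSWORD_SUBMITTED"
MFA_ACTION = "MFA_SUBMITTED"


def build_query(time_from: str, time_to: str) -> dict:
    """Build a size-0 search body whose aggregation buckets events
    by user and, within each user, by action type."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": time_from, "lte": time_to}}},
        "aggs": {
            "by_user": {
                "terms": {"field": USER_FIELD, "size": 1000},
                "aggs": {"by_action": {"terms": {"field": ACTION_FIELD, "size": 10}}},
            }
        },
    }


def count_submissions(response: dict) -> dict:
    """Reduce the aggregation response to {user: (password_count, mfa_count)}.
    Users with no MFA bucket at all get an MFA count of 0."""
    counts = {}
    for user_bucket in response["aggregations"]["by_user"]["buckets"]:
        password = mfa = 0
        for action_bucket in user_bucket["by_action"]["buckets"]:
            if action_bucket["key"] == PASSWORD_ACTION:
                password = action_bucket["doc_count"]
            elif action_bucket["key"] == MFA_ACTION:
                mfa = action_bucket["doc_count"]
        counts[user_bucket["key"]] = (password, mfa)
    return counts


def find_anomalies(counts: dict, tolerance: int = 0) -> dict:
    """Flag users whose password submissions exceed their MFA submissions by
    more than `tolerance`: many password attempts that never reach the MFA
    step is the imbalance the comparison is meant to surface for review."""
    return {
        user: (password, mfa)
        for user, (password, mfa) in counts.items()
        if password - mfa > tolerance
    }


# Constructed sample response in the shape Elasticsearch returns for the
# query above (doc counts are invented for illustration).
SAMPLE_RESPONSE = {
    "aggregations": {
        "by_user": {
            "buckets": [
                {"key": "alice", "doc_count": 24, "by_action": {"buckets": [
                    {"key": PASSWORD_ACTION, "doc_count": 12},
                    {"key": MFA_ACTION, "doc_count": 12}]}},
                {"key": "bob", "doc_count": 43, "by_action": {"buckets": [
                    {"key": PASSWORD_ACTION, "doc_count": 40},
                    {"key": MFA_ACTION, "doc_count": 3}]}},
                {"key": "carol", "doc_count": 5, "by_action": {"buckets": [
                    {"key": PASSWORD_ACTION, "doc_count": 5}]}},
            ]
        }
    }
}

if __name__ == "__main__":
    # With a live cluster the response would come from
    # Elasticsearch(...).search(index="cas-*", body=build_query("now-1h", "now")).
    per_user = count_submissions(SAMPLE_RESPONSE)
    for user, pair in find_anomalies(per_user, tolerance=2).items():
        print(f"{user}: password={pair[0]} mfa={pair[1]}")
```

The tolerance parameter absorbs ordinary noise such as a user who abandons the login flow once or twice; what it flags for analyst review is a sustained gap between accepted passwords and completed second factors, which is exactly the signal the abstract's comparison is built around.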