ELK for Security Analysis Training

You must master your data If you want to catch bad guys and find evil. But, how can you do that? That’s where the ELK stack comes in.

ELK is Elasticsearch, Logstash, and Kibana and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course, it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.

You’ll learn the basics of:

  • Elasticsearch: How data is stored and indexed. Working with JSON documents.
  • Logstash: How to collect and manipulate structured and unstructured data.
  • Kibana: Techniques for searching data and building useful visualizations and dashboards.
  • Beats: Use the agent to ship data from endpoints and servers to your ELK systems.

I’ll show you how to build complete data pipelines from ingest to search. This means you’ll get to watch step-by-step guides for dealing with security specific data types like:

  • HTTP Proxy Logs
  • File-Based Logs (Unix, auth, and application logs)
  • Windows Events & Sysmon Data
  • NetFlow Data
  • IDS Alerts
  • Dealing with any CSV file you’re handed
  • Parsing unstructured logs, no matter how weird they are

When you walk away from this course, you should be equipped with the skills you need to build a complete IDS alert console, investigation platform, or security analysis lab.

Course Format

ELK for Security Analysis is delivered completely online using recorded video lectures that you can go through at your convenience. It is modeled like a college course and consists of lectures that overview critical concepts, demonstrations where I walk through ELK configuration, and lab exercises when you practice the concepts you’ve learned. There is also a discussion forum where you can ask questions and share tips and tricks with other students. The course can be completed at whatever pace is comfortable for you.


No prior ELK experience is required.

The demonstrations are done on Linux, so a basic understanding of the Linux command line is helpful.

The course is delivered in English.


Click here to view the detailed syllabus.


ELK for Security Analysis is $497 for a single user license. Bulk discounts are available for organizations that want to purchase multiple licenses (please contact me to discuss payment and pricing). A portion of the purchase price will go to support multiple charities including the Rural Technology Fund and others.

You’ll receive:

  • 6-month access to course video lectures and lab exercises
  • Access to Chris Sanders online “office hours” held every 7-14 days with 1:1 text/audio/video chat
  • A Certification of Course Completion
  • Continuing Education Credits (CPEs/CEUs)


Q: Who is this course designed for?
A: Anyone who wants to learn how to use ELK to collect, store, and investigate data. This course is specifically targeted at blue teamers like DFIR investigators or NSM analysts. However, you’ll also gain a lot from this course as a red teamer or sysadmin too!

Q: How much ELK experience should I have before starting?
A: No previous experience is required. We start with the fundamentals. If you have some prior knowledge and want to get straight into the sections on building security-related data pipelines, you can do that!

Q: Are there any hands-on labs?
A: Yes! Lots of them. You’ll have plenty of opportunities to practice the techniques we discuss. The class is loaded with demonstrations you can follow along with, too!

Get Started Now for Just $497