The growing complexity of online threats calls for security monitoring solutions that present a single, unified view of an organization's IT environment. Analysing host-level and network-level security logs in isolation often fails to reveal complex attack patterns. To address this problem, this paper proposes an integrated security monitoring architecture built entirely from open-source tools, namely the ELK Stack (Elasticsearch, Logstash, Kibana), Winlogbeat, and the Zeek Network Security Monitor. The proposed framework was designed and deployed in a virtualized lab environment to collect, organize, and analyse structured network traffic logs from Zeek and Windows Event Logs from endpoints. To verify its effectiveness empirically, the Metasploit Framework was used to simulate a controlled brute-force attack against a Windows target. The results show that the framework successfully detected the attack by directly correlating many failed logon events (Windows Event ID 4625) on the target host with an unusual connection pattern, more precisely an increase in TCP connection attempts from the attacker's IP address recorded in Zeek's conn.log. This paper presents a scalable architecture for integrated open-source threat detection and shows that better security visibility and high-fidelity alerting are achievable by correlating heterogeneous data sources.
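The correlation the abstract describes, failed logons (Event ID 4625) on the host joined with a burst of TCP connection attempts from the same source IP in Zeek's conn.log, can be written out as a small detection routine. The following is an added example, not code from the paper; in the described deployment this logic would live as a Kibana or Elasticsearch rule over the indexed documents, and the script only makes the join explicit. The Zeek column names and the Winlogbeat `winlog.event_id` / `winlog.event_data.IpAddress` fields are the real ones, but the conn.log rows and 4625 records are constructed samples, and the 60-second window and the two thresholds of five are assumed values chosen for illustration, not figures from the paper.

```python
"""Correlate Windows failed-logon events (Event ID 4625, as shipped by
Winlogbeat) with Zeek conn.log connection attempts from the same source IP
inside a fixed time window. Both inputs below are constructed samples."""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 60          # correlation window; assumed value, not from the paper
MIN_FAILED_LOGONS = 5        # 4625 events from one source IP per window (assumed)
MIN_CONNECTIONS = 5          # conn.log rows from one source IP per window (assumed)
WATCHED_PORTS = {445, 3389}  # SMB and RDP: services over which logon attempts arrive

# Column order of the default Zeek conn.log (first ten fields).
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "conn_state"]


def conn_line(i, ts, src, dst="10.0.0.20", dport=445, state="RSTO"):
    """Build one constructed conn.log row (tab-separated, as Zeek writes it)."""
    return f"{ts}\tC{i}\t{src}\t{50000 + i}\t{dst}\t{dport}\ttcp\t-\t0.02\t{state}"


# Constructed sample. 1700000000 == 2023-11-14T22:13:20Z. 10.0.0.5 hammers SMB on
# the target, 10.0.0.7 connects once, 10.0.0.9 only scans (SYNs, no logon attempts).
SAMPLE_CONN_LOG = "\n".join(
    [conn_line(i, 1700000001 + 4 * i, "10.0.0.5") for i in range(6)]
    + [conn_line(10, 1700000012, "10.0.0.7")]
    + [conn_line(20 + i, 1700000002 + i, "10.0.0.9", state="S0") for i in range(6)]
)


def failed_logon(ts_iso, src_ip, user):
    """Constructed 4625 record using Winlogbeat's winlog.* field layout."""
    return {"@timestamp": ts_iso,
            "winlog": {"event_id": 4625,
                       "event_data": {"IpAddress": src_ip, "TargetUserName": user}}}


# Constructed sample: six failures from 10.0.0.5 in the same minute, one from 10.0.0.7.
SAMPLE_4625_EVENTS = (
    [failed_logon(f"2023-11-14T22:13:{22 + 4 * i:02d}.000Z", "10.0.0.5", u)
     for i, u in enumerate(["administrator", "admin", "backup", "svc", "guest", "root"])]
    + [failed_logon("2023-11-14T22:13:33.000Z", "10.0.0.7", "alice")]
)


def parse_conn_log(text):
    """Parse conn.log rows into dicts; skip Zeek's '#'-prefixed header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def iso_to_epoch(ts_iso):
    """Winlogbeat @timestamp (ISO 8601, trailing Z) to Unix epoch seconds."""
    return datetime.fromisoformat(ts_iso.replace("Z", "+00:00")).timestamp()


def bucket(epoch, window):
    """Start of the fixed window containing `epoch`."""
    return int(epoch // window) * window


def correlate(conn_records, win_events, window=WINDOW_SECONDS):
    """Return alerts for (source IP, window) pairs that exceed BOTH thresholds.
    A connection burst alone (a scanner) or failed logons alone (a typo) does not fire."""
    conns = defaultdict(int)
    logons = defaultdict(int)
    users = defaultdict(set)
    for rec in conn_records:
        if rec["proto"] == "tcp" and rec["id.resp_p"] in WATCHED_PORTS:
            conns[(rec["id.orig_h"], bucket(rec["ts"], window))] += 1
    for ev in win_events:
        if ev["winlog"]["event_id"] != 4625:
            continue
        data = ev["winlog"]["event_data"]
        key = (data["IpAddress"], bucket(iso_to_epoch(ev["@timestamp"]), window))
        logons[key] += 1
        users[key].add(data["TargetUserName"])
    alerts = []
    for key in sorted(set(conns) & set(logons)):
        if conns[key] >= MIN_CONNECTIONS and logons[key] >= MIN_FAILED_LOGONS:
            src_ip, start = key
            alerts.append({"src_ip": src_ip, "window_start": start,
                           "connections": conns[key], "failed_logons": logons[key],
                           "users_tried": sorted(users[key])})
    return alerts


def detect_sample():
    """Run the correlation over the constructed samples."""
    return correlate(parse_conn_log(SAMPLE_CONN_LOG), SAMPLE_4625_EVENTS)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

Only 10.0.0.5 fires: it exceeds both the conn.log threshold and the 4625 threshold in the same window. The port scanner 10.0.0.9 produces a connection burst but no logon failures, and 10.0.0.7 produces a single failure, so neither alerts, which is the point of requiring both sources rather than either one alone. A production rule would additionally join on the target host (conn.log `id.resp_h` against the event's host fields) and tune the window and thresholds to the environment's baseline.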
Sangher et al. (Sun,) studied this question.