Operationalizing Digital Forensics with SOF-ELK: Local Virtualization and EC2 Deployment Strategies

The investigation of modern digital threats requires more than just raw log data; it demands a robust platform capable of ingesting, parsing, and visualizing massive volumes of telemetry in real time. SOF-ELK® (Security Operations and Forensics Elasticsearch, Logstash, Kibana) addresses this need by providing a pre-built, community-driven virtual appliance designed specifically for the workflow of computer forensic investigators and information security operations personnel. Built upon the open-source Elastic stack, this platform eliminates the traditionally complex and time-consuming configuration process associated with deploying Elasticsearch, Logstash, Kibana, and Filebeat. Instead, it offers a ready-to-use environment that consumes diverse data sources, including NetFlow and various log types, parsing critical indicators and presenting them through customizable dashboards. This technical overview details the operational deployment of SOF-ELK, covering both local virtual machine utilization for endpoint analysis and cloud-based deployment on Amazon EC2 for scalable Microsoft 365 Unified Audit Log (UAL) wrangling.

Architecture and Platform Composition

At its core, SOF-ELK® is a customized build of the Elastic stack, tailored to meet the specific analytical requirements of forensic and security operations. The platform integrates four primary components: Elasticsearch serves as the storage and search engine, Logstash handles data ingestion and enrichment, Kibana provides the dashboard frontend for visualization, and Elastic Beats (specifically Filebeat) acts as the log shipper. By bundling these components into a single virtual appliance, the platform abstracts the complexity of individual service configuration, allowing analysts to focus on investigation rather than infrastructure maintenance.

The platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and has since been integrated into several other SANS courses and workshops. These include SANS FOR509, Cloud Forensics and Incident Response; SANS FOR589, Cybercrime Intelligence; and the SANS Aviata Cloud Solo Flight Challenge. The software is distributed as a community resource, with all parsers and dashboards maintained in the primary GitHub repository. This open development model allows advanced users to create custom visualizations tailored to specific investigative needs and contribute them back to the codebase.

Local Virtual Machine Deployment and Configuration

For analysts working with local evidence, particularly Windows Event Logs (EVTX), deploying SOF-ELK as a local virtual machine is the most straightforward approach. The virtual machine is distributed in two versions to accommodate different hardware architectures: an x86 version for Intel-based processors and an ARM version for Apple M-series and other ARM processors.

System Requirements and Virtualization Setup

Running the virtual appliance requires VMware Workstation, VMware Player, or VMware Fusion; which image to use depends on the host processor architecture. At the time of the referenced documentation, the VM is distributed as a 7z archive which, once extracted, contains the SOF-ELK.vmx configuration file used to open the VM. When running the VM on a Windows host, it is recommended (though optional) to edit the virtual machine settings and enable "Virtualize IOMMU" to improve user interface performance.

The latest version of the virtual machine itself is available for download from the SANS FOR572 repository. The distribution details are as follows:

  • Operating System Base: Ubuntu 24.04.3
  • Update Status: Includes all OS updates as of October 10, 2025
  • Elastic Stack Version: v9.1.5 for all components
  • Configuration Source: Public/v20251010 branch of the GitHub repository

Downloading and Verifying the Virtual Appliance

Analysts must download the appropriate version based on their host CPU architecture. The repository provides specific metadata for verification purposes.

x86 Version (Intel-based processors):
- Filename: Public SOF-ELK x86 v20251010.7z
- File Size: 2,694,708,898 bytes
- MD5 Checksum: 9e794d824fe48439a37b63eb34a8fa92
- SHA256 Checksum: d176d4f1218271fb598c52b56cc5d3932ad11ea75f5b8f69da95e1a1d1a8b3d5

ARM Version (Apple M-series and other ARM processors):
- Filename: Public SOF-ELK ARM v20251010.7z
- File Size: 2,500,605,767 bytes
- MD5 Checksum: 0d6c3308414ccfb007fdd2ded81e8bc2
- SHA256 Checksum: 723cf93fbdae47eca1834ef8a541967b1c6367137fd748c15b1020a871ab6291

After downloading, the archive must be extracted. The virtual machine is then launched by opening the SOF-ELK.vmx file through VMware. Once the VM is powered on, access is gained by logging in with the username elk_user and the password forensics.
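Before extracting, the downloaded archive should be checked against the size and checksums listed above; a truncated or tampered download would otherwise only surface as a confusing failure later. The following POSIX shell helper is an added example and not part of the SOF-ELK project: it carries the v20251010 values quoted above and compares all three (size, MD5, SHA256) for the chosen architecture, falling back to BSD tool names on macOS.

```shell
#!/bin/sh
# Added example (not SOF-ELK project code): verify a downloaded SOF-ELK 7z
# archive against the size and hashes published for the v20251010 builds
# before extracting it. Only the expected values come from the README.

# Portable digests: GNU coreutils on Linux, BSD tools on macOS.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}
_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"; fi
}
_size() { wc -c < "$1" | tr -d ' '; }

# Print the expected "SIZE MD5 SHA256" triple for an architecture (x86 | arm).
sofelk_expected() {
    case "$1" in
        x86) echo "2694708898 9e794d824fe48439a37b63eb34a8fa92 d176d4f1218271fb598c52b56cc5d3932ad11ea75f5b8f69da95e1a1d1a8b3d5" ;;
        arm) echo "2500605767 0d6c3308414ccfb007fdd2ded81e8bc2 723cf93fbdae47eca1834ef8a541967b1c6367137fd748c15b1020a871ab6291" ;;
        *)   echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# verify_file FILE SIZE MD5 SHA256 -> 0 only if all three match; every
# mismatch is reported so a partial download and a tampered one look different.
verify_file() {
    file="$1"; want_size="$2"; want_md5="$3"; want_sha="$4"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    rc=0
    [ "$(_size "$file")" = "$want_size" ] || { echo "size mismatch for $file" >&2; rc=1; }
    [ "$(_md5 "$file")" = "$want_md5" ]   || { echo "md5 mismatch for $file" >&2; rc=1; }
    [ "$(_sha256 "$file")" = "$want_sha" ] || { echo "sha256 mismatch for $file" >&2; rc=1; }
    return $rc
}

# verify_sofelk_archive ARCH FILE -> verify a downloaded SOF-ELK archive.
verify_sofelk_archive() {
    exp=$(sofelk_expected "$1") || return 1
    set -- "$2" $exp     # word-split the triple into positional parameters
    verify_file "$@"
}

# Usage: only extract when verification passes.
#   verify_sofelk_archive x86 "Public SOF-ELK x86 v20251010.7z" \
#       && 7z x "Public SOF-ELK x86 v20251010.7z"
```

Hashing a 2.5 GB archive twice takes a minute; the SHA256 check is the one that matters for integrity, the MD5 and size checks are there because the README publishes them and they catch the common truncated-download case quickly.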

Updating the Environment

Upon initial login, it is critical to ensure the environment is current. The update process is executed via the terminal using the following command:

    sudo sof-elk_update.sh

This script updates the SOF-ELK platform to the latest available configuration and components. Once the update completes, the system is ready for data ingestion.

Ingesting Hayabusa Output for Windows Endpoint Analysis

A common use case for SOF-ELK is the analysis of Windows Event Logs. Tools like Hayabusa are often used to parse EVTX files and identify indicators of compromise. While Hayabusa significantly reduces the volume of events—achieving approximately a 75% reduction in entries—it still leaves analysts with tens of thousands of entries per endpoint. Filtering this output by severity (e.g., "critical" and "high") further prioritizes the investigation but may still result in thousands of entries that are difficult to manage in traditional spreadsheet applications like Excel.

SOF-ELK provides prebuilt parsers specifically designed for Hayabusa ingestion, allowing for efficient searching, sorting, and filtering through an intuitive web interface. To ingest this data:

  1. Stage the Hayabusa output on the host analysis system.
  2. Use Secure Copy (scp) to transfer the output data from the host to the SOF-ELK virtual machine.
  3. Place the files into the designated logstash folder within the SOF-ELK environment.

Logstash picks up and parses the files automatically; this takes time, so analysts should wait for the "SOF-ELK magic" to finish. Once parsing is complete, the data can be analyzed in the Kibana web UI at http://localhost:5601, or at the same port on the VM's local IP address.
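The triage step described above (keeping only the critical and high findings) and the staging-then-scp procedure can be scripted so the same filtered file lands on every SOF-ELK VM. The following POSIX shell script is an added example, not code from SOF-ELK or Hayabusa. It assumes Hayabusa's CSV output carries a header with a "Level" column whose values include "crit" and "high", builds a constructed sample in that style, and uses a placeholder for the Hayabusa subdirectory under /logstash/, which should be replaced with the one present on the VM.

```shell
#!/bin/sh
# Added example (not SOF-ELK or Hayabusa code): reduce a Hayabusa CSV to the
# crit/high findings, stage the result, and copy it to the SOF-ELK VM.
# Assumptions: header contains a "Level" column with values such as "crit"
# and "high"; SOFELK_INGEST_DIR is a placeholder for the real subfolder.

# Print the header plus rows whose Level is crit or high. A small quote-aware
# splitter keeps commas inside quoted "Details" values intact (doubled quotes
# inside a field are dropped rather than unescaped).
hayabusa_filter_severity() {  # CSV_PATH
    awk '
    function split_csv(line, fields,   n, i, c, inq, f) {
        split("", fields); n = 0; f = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"") inq = !inq
            else if (c == "," && !inq) { fields[++n] = f; f = "" }
            else f = f c
        }
        fields[++n] = f
        return n
    }
    NR == 1 {
        n = split_csv($0, cols)
        for (i = 1; i <= n; i++) if (cols[i] == "Level") lvl = i
        if (!lvl) { print "no Level column in header" > "/dev/stderr"; exit 2 }
        print; next
    }
    {
        split_csv($0, cols)
        if (cols[lvl] == "crit" || cols[lvl] == "high") print
    }' "$1"
}

# Number of data rows (header excluded) in a CSV.
hayabusa_count_rows() {  # CSV_PATH
    awk 'NR > 1 { n++ } END { print n + 0 }' "$1"
}

# Filter one Hayabusa CSV into STAGE_DIR/<name>_crit_high.csv; print the path.
hayabusa_stage() {  # CSV_PATH STAGE_DIR
    mkdir -p "$2"
    out="$2/$(basename "$1" .csv)_crit_high.csv"
    hayabusa_filter_severity "$1" > "$out" || return 1
    echo "$out"
}

# Copy the staged directory to the VM (default credentials from the README)
# and move the CSVs under /logstash/ for Logstash to pick up.
hayabusa_transfer() {  # STAGE_DIR SOFELK_IP
    : "${SOFELK_INGEST_DIR:=/logstash/<hayabusa-subdir>}"   # placeholder
    scp -r "$1" "elk_user@$2:/tmp/hayabusa_staged" &&
    ssh "elk_user@$2" "sudo mv /tmp/hayabusa_staged/*.csv '$SOFELK_INGEST_DIR/'"
}

# Constructed sample in Hayabusa's CSV style (not real endpoint data).
hayabusa_make_sample() {  # OUT_PATH
    cat > "$1" <<'EOF'
"Timestamp","Computer","Channel","EventID","Level","RuleTitle","Details"
"2025-10-10 08:00:01.000 +00:00","WS01","Sec","4624","info","Logon","TgtUser: alice, LogonType: 2"
"2025-10-10 08:01:12.000 +00:00","WS01","Sys","7045","high","Suspicious Service Installed","Svc: updsvc, Path: C:\Users\Public\u.exe"
"2025-10-10 08:02:40.000 +00:00","WS01","Sec","1102","crit","Security Log Cleared","Subject: WS01\alice"
"2025-10-10 08:03:05.000 +00:00","WS01","Sec","4698","med","Scheduled Task Created","TaskName: \Updater"
"2025-10-10 08:04:19.000 +00:00","WS01","Sec","4688","high","Process Created In Public Dir","Proc: C:\Users\Public\u.exe"
"2025-10-10 08:05:00.000 +00:00","WS01","Sec","4634","low","Logoff","TgtUser: alice"
EOF
}

# Usage:
#   hayabusa_stage results/ws01.csv ./staged && hayabusa_transfer ./staged 192.0.2.10
```

Keep the unfiltered Hayabusa CSV as well: once SOF-ELK has indexed the high-severity events, pivoting to the surrounding "med" and "info" events on the same host is usually the next step, and re-running the filter with a wider level set is cheaper than re-running Hayabusa.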

Deploying SOF-ELK on Amazon EC2 for Cloud Forensics

While local virtualization is effective for single-endpoint analysis, cloud-based deployments offer greater portability, flexibility, and scalability, particularly when dealing with large datasets like the Microsoft 365 Unified Audit Log (UAL). Deploying SOF-ELK on Amazon EC2 allows for collaboration and easier access to cloud-hosted data sources.

Converting the VM to OVA Format

The deployment process begins similarly to the local setup by downloading and unzipping the virtual machine archive. However, to facilitate cloud deployment, the VM must be converted into an OVA (Open Virtual Appliance) format. This is achieved using VMware Workstation or Fusion:

  1. Launch VMware and import the extracted VM.
  2. Select the imported VM.
  3. Navigate to "File" and select "Export to OVF".
  4. Specify the save location and filename.
  5. Critical: Ensure the file extension is explicitly set to .ova (e.g., sof-elk.ova).

Configuring EC2 Security Groups

Proper network configuration is essential for accessing the Kibana interface and managing the instance. A Security Group must be created to control inbound traffic.

  1. Navigate to the EC2 console and create a new Security Group named "SOF-ELK Security Group."
  2. Add a description and any desired tags.
  3. Click "Edit inbound rules."
  4. Add a rule with the type set to "All TCP." For more restrictive configurations, only ports 22 (SSH) and 5601 (Kibana) may be allowed.
  5. Set the "Source" to "Custom" and add the Security Group to itself. This allows instances within the same group to communicate, which is useful if additional analysis servers need to access SOF-ELK.
  6. Save the rules.

Launching and Verifying the Instance

With the OVA file prepared and the Security Group configured, the instance can be launched on EC2. During initialization, the private IP address of the instance should be noted. Once the instance is running, access can be verified by launching a web browser and navigating to the SOF-ELK URL:

    http://<sof-elk-private-ip>:5601

Successful access to the Kibana dashboard confirms that the SOF-ELK platform is operational on EC2. This setup provides the flexibility and scale necessary for wrangling M365 UAL data, allowing analysts to export data via PowerShell and ingest it into the cloud-hosted Elastic stack for comprehensive auditing and investigative queries.
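The Security Group steps and the access check above can be reproduced from the AWS CLI, which is useful when the same SOF-ELK instance is rebuilt for each engagement. The following POSIX shell script is an added example, not code from the SOF-ELK project or from AWS. It implements the restrictive variant of the rules (ports 22 and 5601 only, from the analyst's own address, plus the group referencing itself), refuses a world-open source because Kibana on this appliance is reached directly on port 5601, and polls Kibana's status endpoint on the instance's private IP. The VPC id, analyst CIDR and private IP are inputs you supply; the AWS variable lets the commands be echoed instead of executed.

```shell
#!/bin/sh
# Added example (not SOF-ELK project code): create the "SOF-ELK Security Group"
# with the AWS CLI using the restrictive rule set, then wait for Kibana.
# Inputs are assumptions: a VPC id, the analyst's /32, the instance private IP.
AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Reject a world-open source: Kibana must never be exposed to the internet.
sofelk_cidr_ok() {  # CIDR
    case "$1" in
        ""|*/0)  return 1 ;;   # empty, 0.0.0.0/0 or ::/0
        */*)     return 0 ;;   # looks like address/prefix
        *)       return 1 ;;
    esac
}

# Create the group and print its id (sg-...).
sofelk_sg_create() {  # VPC_ID
    "$AWS" ec2 create-security-group \
        --group-name "SOF-ELK Security Group" \
        --description "Inbound SSH and Kibana access to SOF-ELK" \
        --vpc-id "$1" --query GroupId --output text
}

# Inbound rules: 22 and 5601 from ADMIN_CIDR only; all TCP from the group
# itself so other analysis instances placed in the group can reach SOF-ELK.
sofelk_sg_rules() {  # SG_ID ADMIN_CIDR
    sofelk_cidr_ok "$2" || { echo "refusing source CIDR '$2'" >&2; return 1; }
    for port in 22 5601; do
        "$AWS" ec2 authorize-security-group-ingress --group-id "$1" \
            --protocol tcp --port "$port" --cidr "$2" || return 1
    done
    "$AWS" ec2 authorize-security-group-ingress --group-id "$1" \
        --protocol tcp --port 0-65535 --source-group "$1"
}

# Poll Kibana's status endpoint until it answers or TIMEOUT_SECS (default 600) pass.
sofelk_wait_kibana() {  # PRIVATE_IP [TIMEOUT_SECS]
    deadline=$(( $(date +%s) + ${2:-600} ))
    until curl -sf -o /dev/null "http://$1:5601/api/status"; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "Kibana not reachable at http://$1:5601" >&2; return 1
        fi
        sleep 10
    done
    echo "Kibana is up: http://$1:5601"
}

# Usage (real run; values are placeholders):
#   sg=$(sofelk_sg_create vpc-0123abcd) && sofelk_sg_rules "$sg" 203.0.113.7/32
#   sofelk_wait_kibana 10.0.1.23
```

The self-referencing rule reproduces step 5 above; the two /32 rules replace "All TCP" from step 4. Because the polling uses the private IP, run it from a host inside the VPC (or over the VPN/bastion path you already use), which is also the only path the rules admit.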

Conclusion

SOF-ELK represents a significant advancement in the toolset available to digital forensics and incident response professionals. By packaging the complex Elastic stack into a readily deployable virtual appliance, it removes the barrier to entry for big data analytics in security operations. Whether utilized locally for granular Windows endpoint analysis via Hayabusa output or deployed on Amazon EC2 for scalable cloud forensics involving Microsoft 365 audit logs, the platform provides the necessary infrastructure for efficient data ingestion, parsing, and visualization. The availability of specific builds for both x86 and ARM architectures, combined with rigorous update procedures and community-maintained parsers, ensures that investigators can maintain a secure and up-to-date environment regardless of their hardware or cloud infrastructure preferences. As the volume of telemetry data continues to grow, tools like SOF-ELK will remain essential for transforming raw logs into actionable intelligence.

Sources

  1. philhagen/sof-elk
  2. Wrangling the M365 UAL with SOF-ELK on EC2 Part 2 of 3
  3. Wrangling Windows Event Logs with Hayabusa SOF-ELK Part 1
  4. Virtual Machine README
