attempt-to-disable-gatekeeper.html
<!DOCTYPE html>
<html lang="en-us">
<head>
<!-- Document metadata for the "Attempt to Disable Gatekeeper" prebuilt rule page (Elastic Security Solution 8.18): title, navigation rel links, product/version meta tags, icons, and the stylesheet. -->
<meta charset="UTF-8">
<title>Attempt to Disable Gatekeeper | Elastic Security Solution [8.18] | Elastic</title>
<meta class="elastic" name="content" content="Attempt to Disable Gatekeeper | Elastic Security Solution [8.18]">
<link rel="home" href="index.html" title="Elastic Security Solution [8.18]"/>
<link rel="up" href="prebuilt-rules.html" title="Prebuilt rule reference"/>
<link rel="prev" href="attempt-to-disable-auditd-service.html" title="Attempt to Disable Auditd Service"/>
<link rel="next" href="attempt-to-disable-iptables-or-firewall.html" title="Attempt to Disable IPTables or Firewall"/>
<meta class="elastic" name="product_version" content="8.18"/>
<meta class="elastic" name="product_name" content="Security"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Security/Guide/8.18"/>
<meta name="DC.subject" content="Security"/>
<meta name="DC.identifier" content="8.18"/>
<!-- Repeats the UTF-8 declaration already made by the meta charset element at the top of this head. -->
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- NOTE(review): third-party script, loaded from cdn.optimizely.com without async/defer and without an integrity attribute, so whatever that host serves runs with full access to this page. No Content-Security-Policy is declared in this file; confirm one is sent as a response header. -->
<script src="https://cdn.optimizely.com/js/18132920325.js"></script>
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!-- NOTE(review): the conditional comment below is only evaluated by Internet Explorer versions before 9; every other browser treats it as an ordinary comment. The two polyfills inside it come from a third-party host (oss.maxcdn.com) with no integrity attribute. -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
</head>
<!--© 2015-2025 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
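<!-- Google Tag Manager (container GTM-58RLH5). -->
<!-- Initialises the dataLayer array, then injects the GTM loader script ahead of the first script element; the noscript iframe is the fallback when JavaScript is off. -->
<!-- Both URLs use an explicit https scheme instead of a protocol-relative one, so the tag is never fetched over plain http; this matches the GA4 container snippet further down the page. -->
<script>dataLayer = [];</script><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
<!-- End Google Tag Manager -->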
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-12395217-16');
</script>
<!-- Google Tag Manager for GA4 -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager for GA4-->
<div id='elastic-nav' style="display:none;"></div>
<script src='https://www.elastic.co/elastic-nav.js'></script>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="navheader">
<span class="prev">
<a href="attempt-to-disable-auditd-service.html">« Attempt to Disable Auditd Service</a>
</span>
<span class="next">
<a href="attempt-to-disable-iptables-or-firewall.html">Attempt to Disable IPTables or Firewall »</a>
</span>
</div>
<div class="book" lang="en">
<div class="titlepage">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Elastic Security Solution [8.18]</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="detection-engine-overview.html">Detections and alerts</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="prebuilt-rules.html">Prebuilt rule reference</a></span>
</div>
<div>
<div><h1 class="title"><a id="id-1"></a>Attempt to Disable Gatekeeper</h1><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-gatekeeper.asciidoc">edit</a></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
A newer version is available. Check out the <a href="https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/defense_evasion_attempt_to_disable_gatekeeper">latest documentation</a>.
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="attempt-to-disable-gatekeeper"></a>Attempt to Disable Gatekeeper</h2><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-gatekeeper.asciidoc">edit</a></div>
</div></div></div>
<p>Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that’s designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.</p>
<p><span class="strong strong"><strong>Rule type</strong></span>: query</p>
<p><span class="strong strong"><strong>Rule indices</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
logs-endpoint.events.*
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Severity</strong></span>: medium</p>
<p><span class="strong strong"><strong>Risk score</strong></span>: 47</p>
<p><span class="strong strong"><strong>Runs every</strong></span>: 5m</p>
<p><span class="strong strong"><strong>Searches indices from</strong></span>: now-9m (<a href="/guide/en/elasticsearch/reference/8.18/common-options.html#date-math" class="ulink" target="_top">Date Math format</a>, see also <a class="xref" href="rules-ui-create.html#rule-schedule" title="Set the rule’s schedule"><code class="literal">Additional look-back time</code></a>)</p>
<p><span class="strong strong"><strong>Maximum alerts per execution</strong></span>: 100</p>
<p><span class="strong strong"><strong>References</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a href="https://support.apple.com/en-us/HT202491" class="ulink" target="_top">https://support.apple.com/en-us/HT202491</a>
</li>
<li class="listitem">
<a href="https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397" class="ulink" target="_top">https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397</a>
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Tags</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Domain: Endpoint
</li>
<li class="listitem">
OS: macOS
</li>
<li class="listitem">
Use Case: Threat Detection
</li>
<li class="listitem">
Tactic: Defense Evasion
</li>
<li class="listitem">
Data Source: Elastic Defend
</li>
<li class="listitem">
Resources: Investigation Guide
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Version</strong></span>: 110</p>
<p><span class="strong strong"><strong>Rule authors</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Elastic
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Rule license</strong></span>: Elastic License v2</p>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h3 class="title"><a id="_investigation_guide_159"></a>Investigation guide</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-gatekeeper.asciidoc">edit</a></div>
</div></div></div>
<p><span class="strong strong"><strong>Triage and analysis</strong></span></p>
<div class="quoteblock">
<blockquote>
<p><span class="strong strong"><strong>Disclaimer</strong></span>:
This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.</p>
</blockquote>
</div>
<p><span class="strong strong"><strong>Investigating Attempt to Disable Gatekeeper</strong></span></p>
<p>Gatekeeper is a macOS security feature that ensures only trusted software runs by verifying app signatures. Adversaries may attempt to disable it to execute unauthorized code, bypassing security checks. The detection rule identifies such attempts by monitoring process start events on macOS hosts whose arguments include both <code class="literal">spctl</code> and <code class="literal">--master-disable</code>, flagging potential defense evasion activity.</p>
<p><span class="strong strong"><strong>Possible investigation steps</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Review the process event details to confirm the presence of the command <code class="literal">spctl --master-disable</code> in the <code class="literal">process.args</code> field, which indicates an attempt to disable Gatekeeper.
</li>
<li class="listitem">
Identify the user account associated with the process event to determine if the action was initiated by a legitimate user or an unauthorized actor.
</li>
<li class="listitem">
Check the <code class="literal">event.category</code> and <code class="literal">event.type</code> fields to ensure the event is categorized as a process start, which aligns with the rule’s detection criteria.
</li>
<li class="listitem">
Investigate the parent process of the flagged event to understand the context in which the Gatekeeper disabling attempt was made, looking for any suspicious or unexpected parent processes.
</li>
<li class="listitem">
Examine recent process events on the same host to identify any subsequent or preceding suspicious activities that might indicate a broader attack or compromise.
</li>
<li class="listitem">
Review system logs and other security alerts on the host for additional indicators of compromise or related malicious activities.
</li>
<li class="listitem">
Assess the risk and impact of the event by considering the host’s role, the sensitivity of data it handles, and any potential exposure resulting from the attempted Gatekeeper disablement.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>False positive analysis</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
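System administrators or IT personnel may intentionally disable Gatekeeper for legitimate software installations or troubleshooting. To manage this, create exceptions for known administrative accounts or specific maintenance windows. Keep each exception as narrow as possible, because a broad account-based exception would also hide the same command when it is run from a compromised administrator account.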
</li>
<li class="listitem">
Some legitimate applications may require Gatekeeper to be disabled temporarily for installation. Identify these applications and add rule exceptions for their installation processes to prevent false alerts.
</li>
<li class="listitem">
Development environments on macOS might disable Gatekeeper to test unsigned applications. Consider excluding processes initiated by development tools or specific user accounts associated with development activities.
</li>
<li class="listitem">
Automated scripts or management tools that configure macOS settings might trigger this rule. Review and adjust these scripts to ensure they are recognized as non-threatening, or exclude them from monitoring if they are verified as safe.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Response and remediation</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Immediately isolate the affected macOS device from the network to prevent potential lateral movement or further execution of unauthorized code.
</li>
<li class="listitem">
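Terminate any suspicious processes associated with the attempt to disable Gatekeeper, specifically those involving the <code class="literal">spctl --master-disable</code> command. Because <code class="literal">spctl</code> normally exits as soon as it has run, this usually means the parent process that launched it and anything that process started afterwards.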
</li>
<li class="listitem">
Conduct a thorough review of recent system changes and installed applications on the affected device to identify and remove any unauthorized or malicious software.
</li>
<li class="listitem">
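Restore Gatekeeper settings to their default state (for example with <code class="literal">spctl --master-enable</code>) to ensure that only trusted software can be executed on the device, and confirm the result with <code class="literal">spctl --status</code>.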
</li>
<li class="listitem">
Escalate the incident to the security operations team for further analysis and to determine if additional devices or systems may be affected.
</li>
<li class="listitem">
Implement additional monitoring on the affected device and similar systems to detect any further attempts to disable Gatekeeper or other security features.
</li>
<li class="listitem">
Review and update endpoint security policies to enhance protection against similar threats, ensuring that all macOS devices are configured to prevent unauthorized changes to security settings.
</li>
</ul>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h3 class="title"><a id="_setup_95"></a>Setup</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-gatekeeper.asciidoc">edit</a></div>
</div></div></div>
<p><span class="strong strong"><strong>Setup</strong></span></p>
<p>This rule requires data coming in from Elastic Defend.</p>
<p><span class="strong strong"><strong>Elastic Defend Integration Setup</strong></span></p>
<p>Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.</p>
<p><span class="strong strong"><strong>Prerequisite Requirements:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Fleet is required for Elastic Defend.
</li>
<li class="listitem">
To configure Fleet Server refer to the <a href="/guide/en/fleet/current/fleet-server.html" class="ulink" target="_top">documentation</a>.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>The following steps should be executed in order to add the Elastic Defend integration on a macOS System:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Go to the Kibana home page and click "Add integrations".
</li>
<li class="listitem">
In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
</li>
<li class="listitem">
Click "Add Elastic Defend".
</li>
<li class="listitem">
Configure the integration name and optionally add a description.
</li>
<li class="listitem">
Select the type of environment you want to protect. For macOS, it is recommended to select "Traditional Endpoints".
</li>
<li class="listitem">
Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. <a href="/guide/en/security/current/configure-endpoint-integration-policy.html" class="ulink" target="_top">Helper guide</a>.
</li>
<li class="listitem">
We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, which provides "All events; all preventions".
</li>
<li class="listitem">
Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the <a href="/guide/en/fleet/current/agent-policy.html" class="ulink" target="_top">helper guide</a>.
</li>
<li class="listitem">
Click "Save and Continue".
</li>
<li class="listitem">
To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the <a href="/guide/en/security/current/install-endpoint.html" class="ulink" target="_top">helper guide</a>.
</li>
</ul>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h3 class="title"><a id="_rule_query_163"></a>Rule query</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-gatekeeper.asciidoc">edit</a></div>
</div></div></div>
<!-- Rule query listing. The lowercase and/or operators and field:value syntax look like KQL (Kibana Query Language); the lang-js class appears to be only a syntax-highlighter hint. TODO confirm against the rule definition. -->
<!-- The query selects process events on macOS hosts (host.os.type:macos) with event.type start or process_started whose process.args contain both spctl and the quoted master-disable flag. -->
<!-- It matches the process starting, so an alert shows that the command was run, not that Gatekeeper's state actually changed; triage should check the current state on the host. -->
<div class="pre_wrapper lang-js">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-js">event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.args:(spctl and "--master-disable")</pre>
</div>
<p><span class="strong strong"><strong>Framework</strong></span>: MITRE ATT&CK<sup>TM</sup></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Tactic:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Defense Evasion
</li>
<li class="listitem">
ID: TA0005
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/tactics/TA0005/" class="ulink" target="_top">https://attack.mitre.org/tactics/TA0005/</a>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Technique:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Subvert Trust Controls
</li>
<li class="listitem">
ID: T1553
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/techniques/T1553/" class="ulink" target="_top">https://attack.mitre.org/techniques/T1553/</a>
</li>
</ul>
</div>
</li>
</ul>
</div>
</div>
</div>
</div>
</div><div class="navfooter">
<span class="prev">
<a href="attempt-to-disable-auditd-service.html">« Attempt to Disable Auditd Service</a>
</span>
<span class="next">
<a href="attempt-to-disable-iptables-or-firewall.html">Attempt to Disable IPTables or Firewall »</a>
</span>
</div>
<!-- end body -->
</div>
<div class="col-12 order-3 col-lg-2 order-lg-3 h-almost-full-lg sticky-top-lg" id="right_col">
<div id="sticky_content">
<!-- The OTP is appended here -->
<div class="row">
<div class="col-0 col-md-4 col-lg-0" id="bottom_left_col"></div>
<div class="col-12 col-md-8 col-lg-12">
<div id="rtpcontainer">
<div class="mktg-promo" id="most-popular">
<p class="aside-heading">Most Popular</p>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/getting-started-elasticsearch?page=docs&placement=top-video">
<p class="mb-0">Get Started with Elasticsearch</p>
</a>
</div>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/getting-started-kibana?page=docs&placement=top-video">
<p class="mb-0">Intro to Kibana</p>
</a>
</div>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/introduction-elk-stack?page=docs&placement=top-video">
<p class="mb-0">ELK for Logs & Metrics</p>
</a>
</div>
</div>
</div>
<!-- Feedback widget -->
<div id="feedbackWidgetContainer"></div>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<div id='elastic-footer'></div>
<script src='https://www.elastic.co/elastic-footer.js'></script>
<!-- Footer Section end-->
</section>
</div>
<!-- Feedback modal -->
<div id="feedbackModalContainer"></div>
<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs-v1.js"></script>
<script type="text/javascript">
window.initial_state = {}</script>
</body>
</html>