Video link - https://vimeo.com/1169343971/c165e0c809?share=copy&fl=sv&fe=ci
🌟 Inspiration In today's hyperconnected world, billions of IoT devices generate massive volumes of data every second — from smart factories and healthcare monitors to connected vehicles and smart cities. With this explosion of connected devices comes an equally massive security attack surface. Traditional security tools struggle to keep pace: they're reactive, siloed, and often can't correlate threats across thousands of heterogeneous devices in real time.
We were inspired by a simple question: What if we could combine Elasticsearch's powerful search and observability capabilities with AI-driven anomaly detection to create a unified security platform purpose-built for the IoT era?
The Elastic stack already excels at ingesting, indexing, and searching massive datasets. We wanted to push it further — using machine learning to automatically detect threats, provide real-time observability across device fleets, and generate AI-powered threat intelligence summaries that help security teams act faster.
🔧 What It Does ElasticGuard AI is an intelligent security threat detection and observability platform that:
🔌 Ingests real-time IoT device telemetry — Simulates hundreds of IoT devices (sensors, cameras, industrial controllers) streaming logs, metrics, and security events 🔍 Indexes and searches with Elasticsearch — Custom index templates and mappings optimized for security event correlation and full-text search across millions of events 🤖 Detects anomalies with ML — Uses Elastic's built-in ML capabilities combined with custom Python-based anomaly detection to identify suspicious patterns (brute-force attempts, unusual data exfiltration, device spoofing) 📊 Provides real-time observability dashboards — Kibana dashboards + a custom React frontend showing device health, threat maps, alert timelines, and risk scores 💡 Generates AI-powered threat summaries — Natural language threat analysis that explains what happened, why it matters, and what to do next 🚨 Alerts and responds — Configurable alerting rules with automated response recommendations 🏗️ How We Built It Architecture Code IoT Simulators (Python/MQTT) │ ▼ Logstash / Elastic Agent (Ingestion & Enrichment) │ ▼ Elasticsearch (Indexing, Search, ML Jobs) │ ├──▶ Kibana (Dashboards & Visualization) │ ▼ FastAPI Backend (REST API + Custom ML Pipeline) │ ▼ React Dashboard (Real-time Threat Monitoring) Tech Stack Component Technology IoT Simulation Python, MQTT protocol, Faker library Data Ingestion Logstash pipelines, Elastic Agent Storage & Search Elasticsearch 8.x with custom mappings ML/Anomaly Detection Elastic ML Jobs + scikit-learn Isolation Forest Backend API FastAPI (Python) with async support Frontend React + Recharts for real-time visualization AI Summaries LLM integration for natural language threat analysis Infrastructure Docker Compose for one-command deployment Observability Kibana dashboards, custom alerting rules Key Implementation Details Custom Elasticsearch index templates with optimized mappings for security events, device metrics, and threat intelligence Multi-stage Logstash pipelines that parse, enrich, and geo-tag incoming IoT data Hybrid ML approach: Elastic's native anomaly detection for time-series metrics + custom Isolation Forest models for multi-dimensional threat scoring WebSocket-powered real-time updates on the React dashboard Fully containerized — docker-compose up spins up the entire stack 🧗 Challenges We Ran Into Realistic IoT data generation — Creating simulated data that accurately represents real-world attack patterns (DDoS, credential stuffing, lateral movement) while maintaining realistic baseline behavior was surprisingly complex. We iterated multiple times on our simulator to produce convincing anomalies.
Elasticsearch mapping optimization — Balancing between search flexibility and index performance. We learned the hard way that overly dynamic mappings cause mapping explosions. We settled on strict templates with strategic use of keyword vs text fields.
ML model tuning under time pressure — Anomaly detection is sensitive to thresholds. Too sensitive = alert fatigue. Too loose = missed threats. We spent significant time tuning our Isolation Forest contamination parameter and Elastic ML bucket spans.
Real-time pipeline backpressure — When our IoT simulator ramped up to thousands of events/second, we hit ingestion bottlenecks. We solved this with Logstash persistent queues and Elasticsearch bulk indexing optimization.
Correlating events across device types — Different IoT devices produce fundamentally different log formats. Building a unified threat correlation engine that works across heterogeneous data sources required careful schema design.
🏆 Accomplishments That We're Proud Of End-to-end working platform — Not slideware! The entire pipeline works: simulate → ingest → index → detect → visualize → alert. One docker-compose up and it's running.
Sub-second threat detection — From the moment an anomalous event is generated to when it appears on the dashboard with a threat score and AI summary: under 1 second.
Hybrid ML approach — We combined the best of Elastic's native ML with custom models, creating a more robust detection system than either could achieve alone.
Beautiful, actionable dashboards — Both in Kibana and our custom React UI. Security teams can immediately understand the threat landscape without being data scientists.
Production-ready architecture — While built in a hackathon, the architecture patterns (containerization, async processing, index lifecycle management) are genuinely production-viable.
Comprehensive documentation — Full README, architecture diagrams, and setup guides. Anyone can clone and run it.
📚 What We Learned Elasticsearch is incredibly powerful for security use cases — The combination of full-text search, aggregations, and built-in ML makes it a natural fit for security observability. Features like anomaly detection jobs and data frame analytics are underutilized gems.
The Elastic stack's flexibility is a double-edged sword — There are many ways to solve the same problem (Beats vs Agent, Logstash vs Ingest Pipelines). Choosing the right tool for each job matters.
IoT security is a genuinely unsolved problem — The scale and heterogeneity of IoT environments make traditional security approaches inadequate. There's a massive opportunity for AI-driven solutions.
ML in production requires more engineering than science — The ML model itself was maybe 20% of the work. The other 80% was data pipelines, feature engineering, monitoring, and handling edge cases.
Docker Compose is a hackathon superpower — Being able to spin up Elasticsearch, Kibana, Logstash, our API, and our frontend with a single command saved us hours.
🔮 What's Next for ElasticGuard AI Real IoT device integration — Replace simulators with actual IoT protocols (MQTT, CoAP, Zigbee) and test with real device fleets
SIEM integration — Connect with Elastic SIEM's detection rules engine for enterprise-grade threat detection workflows
Federated learning — Enable anomaly detection models to learn across multiple deployments without sharing sensitive data
Automated response playbooks — Go beyond alerting to automated containment (device isolation, credential rotation, firewall rule updates)
Threat intelligence feed integration — Incorporate external threat feeds (MITRE ATT&CK for ICS, CVE databases) for enriched threat context
Edge computing support — Deploy lightweight detection agents on edge gateways for offline-capable threat detection
Multi-tenancy — Enable managed security service providers (MSSPs) to monitor multiple customer environments from a single platform
Built With
- docker
- elasticsearch
- fastapi
- python
Log in or sign up for Devpost to join the conversation.