R001 Investigating with ELK 101

Introduction

ELK Stack is a combination of tools bound together to provide a log analytics solution. It is an open-source project. There are 4 main components in ELK. They are:

Components

  1. Beats - an agent that transports data from the endpoint to the ELK stack

  2. Logstash - Component used to take input, filter it and send the output to other components of the ELK stack. Each of the input, filter and output stages has its own plugins, chosen according to the data.

  3. Elasticsearch - Component used to index and store the processed data

  4. Kibana - Component used to analyze and visualize the data

Components of ELK Stack

In this room, we focus mainly on Kibana, the visualization component of ELK. It is used to discover patterns, investigate an incident, and build dashboards for trends, anomalies and visualizations.

When analyzing data in Kibana, the GUI appears as below, letting us drill down, select a particular field, filter results and so on.

Kibana Discover screen

Kibana uses KQL (Kibana Query Language), a simple text-based query language. It does not aggregate, transform or sort data; it uses filters, boolean operators and wildcards to fetch matching documents.

Lucene query syntax can also be used to analyze the data.

THM Questions

Q1. Select the index vpn_connections and filter from 31st December 2021 to 2nd Feb 2022. How many hits are returned?

2861

Q2. Which IP address has the max number of connections?

238.163.231.224

Q3. Which user is responsible for max traffic?

James

Q4. Create a table with the fields IP, UserName, Source_Country and save.

Save the search in Kibana

Q5. Apply a filter on UserName Emanda; which SourceIP has the most hits?

107.14.1.247

Q6. On 11th Jan, which IP caused the spike observed in the time chart?

172.201.60.191

Q7. How many connections were observed from IP 238.163.231.224, excluding the New York state?

48

Q8. Create a search query to filter out the logs from Source_Country as the United States and show logs from User James or Albert. How many records were returned?

161 (Source_Country : "United States" and UserName : "Albert" or "James")

Q9. As User Johny Brown was terminated on 1st January 2022, create a search query to determine how many times a VPN connection was observed after his termination.

1

Q10. Which user was observed with the greatest number of failed attempts?

Simon

Q11. How many wrong VPN connection attempts were observed in January?

274
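The KQL operators described earlier can be seen in action below. This is an added example, not part of the room or this writeup: a handful of constructed vpn_connections records are evaluated with plain Python predicates that mirror KQL queries for Q7, Q8, Q9 and Q11 above. Field names SourceIP, UserName and Source_Country follow the questions; State and Action are assumed names, since the room does not spell them out. The point it shows is that KQL binds "and" tighter than "or", so a user list needs its own parentheses or every matching user is counted regardless of country.

```python
from fnmatch import fnmatchcase

# Constructed sample documents (not data from the room). State and Action are
# assumed field names; the other fields are taken from the questions above.
FIELDS = ("@timestamp", "SourceIP", "UserName", "Source_Country", "State", "Action")
ROWS = [
    ("2021-12-28T07:00:00", "10.0.0.5",        "Johny Brown", "United States", "Texas",    "Success"),
    ("2021-12-30T08:00:00", "238.163.231.224", "James",       "United States", "New York", "Success"),
    ("2021-12-31T23:00:00", "107.14.1.247",    "Simon",       "United States", "Ohio",     "Failed"),
    ("2022-01-03T09:15:00", "238.163.231.224", "Albert",      "United States", "Texas",    "Success"),
    ("2022-01-05T10:30:00", "107.14.1.247",    "Emanda",      "United States", "Ohio",     "Failed"),
    ("2022-01-07T11:45:00", "172.201.60.191",  "James",       "Canada",        "Ontario",  "Success"),
    ("2022-01-09T12:00:00", "172.201.60.191",  "Johny Brown", "United States", "Texas",    "Success"),
    ("2022-01-20T13:00:00", "238.163.231.224", "Simon",       "United States", "New York", "Failed"),
]
VPN_LOGS = [dict(zip(FIELDS, row)) for row in ROWS]


def count(pred):
    """Number of documents the predicate matches, like the Kibana hit count."""
    return sum(1 for doc in VPN_LOGS if pred(doc))


# Q7 in KQL:  SourceIP : "238.163.231.224" and not State : "New York"
def q7_excluding_new_york():
    return count(lambda d: d["SourceIP"] == "238.163.231.224" and d["State"] != "New York")


# Q8 without grouping:  Source_Country : "United States" and UserName : "Albert" or UserName : "James"
# "and" binds tighter than "or", so this reads as (US and Albert) or James
# and counts James records from any country.
def q8_ungrouped():
    return count(lambda d: (d["Source_Country"] == "United States" and d["UserName"] == "Albert")
                 or d["UserName"] == "James")


# Q8 with grouping:  Source_Country : "United States" and UserName : ("Albert" or "James")
def q8_grouped():
    return count(lambda d: d["Source_Country"] == "United States"
                 and d["UserName"] in ("Albert", "James"))


# Q9 in KQL:  UserName : "Johny Brown" and @timestamp >= "2022-01-01"
# ISO-8601 timestamps compare correctly as strings.
def q9_after_termination(cutoff="2022-01-01T00:00:00"):
    return count(lambda d: d["UserName"] == "Johny Brown" and d["@timestamp"] >= cutoff)


# Q11 in KQL:  Action : Fail* and @timestamp >= "2022-01-01" and @timestamp < "2022-02-01"
# The trailing * is a KQL wildcard; fnmatchcase gives the same glob semantics here.
def q11_failed_in_january():
    return count(lambda d: fnmatchcase(d["Action"], "Fail*") and d["@timestamp"].startswith("2022-01"))
```

On this sample the ungrouped Q8 form counts 3 records while the grouped form counts 2; the difference is the James connection from Canada.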
