This post covers advanced queries in Kibana and Elasticsearch: nested queries, number and date range queries, proximity queries, fuzzy searches, and queries using regular expressions, all used to extract insights from cyber security incidents. The scenario in this case is a ransomware infection on web and email servers. The material comes from the TryHackMe Advanced ELK Queries room, which is part of the SOC Level 2 track.

Highlights

What is the Elastic Stack?

The Elastic Stack is a collection of different open-source components linked together to help users take data from any source, in any format, and search, analyze and visualize that data in real time.

Elasticsearch

Elasticsearch is a full-text search and analytics engine used to store documents in JSON format. It is an important component used to store data, analyze it, correlate it, and so on.
It is built on top of Apache Lucene and provides a scalable solution for full-text search, structured querying, and data analysis.
Elasticsearch exposes a RESTful API for interacting with the data.

Logstash

Logstash is a data processing engine used to take data from different sources, apply filters to it or normalize it, and then send it to a destination, which can be Kibana or a listening port.

Kibana

Kibana is a web-based data visualization tool that works with Elasticsearch to analyze, investigate and visualize the data flow in real time. It allows users to create multiple visualizations and dashboards for better visibility.

Kibana Query Language (KQL)

KQL is a search query language used to search the logs/documents ingested into Elasticsearch. Apart from KQL, Kibana also supports the Lucene query syntax.

KQL is similar to Splunk's Search Processing Language in how it works and in its objectives.

Free Text Search

Free text search allows users to search the logs based on text only. That means a simple search for the term security will return all documents that contain this term, irrespective of the field.

Wildcard

KQL allows the wildcard * to match part of a term/word. Let's find out how to use this wildcard in a search query.

Range queries allow us to search for documents whose field values fall within a specified range, for example a severity number or a date.

Fuzzy searching is beneficial when searching for documents with inconsistencies or typos in the data. It accounts for these variations and retrieves relevant documents by allowing a specified number of character differences (known as the fuzziness value) between the search term and the actual field value.

Proximity searches allow you to search for documents where the field values contain two or more terms within a specified distance. In KQL, you can use the match_phrase query with the slop parameter to perform a proximity search. The slop parameter sets the maximum distance that the terms can be from each other. For example, a slop value of 2 means that the words can be up to 2 positions away.
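The wildcard, range, fuzzy and proximity (slop) query types described above, as an added example that is not part of the original post or of the TryHackMe room: a small Python emulation that applies each matching rule to a few constructed incident documents. The matching rules follow Lucene's definitions (Levenshtein edit distance for fuzziness, sloppy-phrase distance for slop); the document set, field names and values are all constructed for this illustration and do not come from the room's data.

```python
"""Offline emulation of KQL/Lucene wildcard, range, fuzzy and proximity
matching over constructed incident documents (added example, not the
room's data or Elastic's code)."""
import itertools
import re
from datetime import date

# Constructed sample documents, shaped like a SOC incident index.
INCIDENTS = [
    {"id": 1, "activity": "hacking attempt", "severity": 9, "date": date(2022, 11, 2),
     "comments": "data leak detected on file server, true negative after review"},
    {"id": 2, "activity": "hack tool download", "severity": 4, "date": date(2022, 12, 5),
     "comments": "ture positive, ransomware seen on web server"},
    {"id": 3, "activity": "phishing email", "severity": 7, "date": date(2023, 1, 10),
     "comments": "data leak confirmed true positive"},
    {"id": 4, "activity": "malware beacon", "severity": 10, "date": date(2022, 10, 1),
     "comments": "negative detected, benign scanner"},
]

# Constructed cutoff used by the date-range example (like "before December 1st, 2022").
CUTOFF = date(2022, 12, 1)


def tokenize(text):
    """Standard-analyzer-like tokenization: lowercase, split on non-word characters."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def wildcard_match(field_value, pattern):
    """KQL wildcard: '*' stands for any run of characters inside one token,
    so activity:hack* matches both 'hack' and 'hacking'."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, tok) for tok in tokenize(field_value))


def in_range(value, gte=None, lte=None, gt=None, lt=None):
    """Range query semantics (KQL severity >= 9, or a date < cutoff); works
    for numbers and dates alike because both compare with the same operators."""
    return all([
        gte is None or value >= gte,
        lte is None or value <= lte,
        gt is None or value > gt,
        lt is None or value < lt,
    ])


def levenshtein(a, b):
    """Edit distance; Lucene's fuzzy query bounds this by the fuzziness value."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_match(field_value, term, fuzziness=2):
    """Lucene syntax comments:ture~2 -> any token within 2 edits of 'ture',
    which is how a misspelt 'true' still gets found."""
    return any(levenshtein(tok, term.lower()) <= fuzziness for tok in tokenize(field_value))


def phrase_distance(tokens, phrase_terms):
    """Minimum slop needed for the phrase to match, per Lucene's sloppy-phrase
    rule: shift each hit by its offset in the phrase, distance = max - min.
    Returns None when some phrase term is absent from the tokens."""
    positions = [[i for i, t in enumerate(tokens) if t == term] for term in phrase_terms]
    if not all(positions):
        return None
    best = None
    for combo in itertools.product(*positions):
        adjusted = [p - offset for offset, p in enumerate(combo)]
        d = max(adjusted) - min(adjusted)
        best = d if best is None or d < best else best
    return best


def proximity_match(field_value, phrase, slop):
    """Lucene syntax comments:"detected negative"~2, or match_phrase with slop."""
    d = phrase_distance(tokenize(field_value), tokenize(phrase))
    return d is not None and d <= slop


def search(predicate):
    """Return the ids of the constructed incidents that the predicate selects."""
    return [doc["id"] for doc in INCIDENTS if predicate(doc)]


if __name__ == "__main__":
    print("hack*      ->", search(lambda d: wildcard_match(d["activity"], "hack*")))
    print("sev >= 9   ->", search(lambda d: in_range(d["severity"], gte=9)))
    print("< cutoff   ->", search(lambda d: in_range(d["date"], lt=CUTOFF)))
    print("true~2     ->", search(lambda d: fuzzy_match(d["comments"], "true", 2)))
    print("slop 2     ->", search(lambda d: proximity_match(d["comments"], "detected negative", 2)))
```

Two details worth noticing when reading the results: the fuzzy search for "true" also picks up the document whose comment says "ture", because a transposition costs two single-character edits and fits within fuzziness 2; and the proximity search for "detected negative" with slop 2 matches a comment that reads "negative detected", because Lucene charges a slop of 2 to swap two adjacent terms, so the reversed order is not a match at slop 1.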

Room Answers | TryHackMe Advanced ELK

How do you escape the text “password:Me&Try=Hack!” (not including the double quotes)?

password:Me\&Try=Hack!

Using wildcards, what will your query be if you want to search for all documents that contain the words “hacking” and “hack” in the “activity” field? 

activity:hack*

How many incidents exist where the affected file is “marketing_strategy_2023_07_23.pptx”?

4

How many incidents exist where the affected files in file servers are titled “marketing_strategy”?

135

There is a true positive alert on a web server where the admin and IT users were logged on. What is the name of the web server?

web-server-77

How many “Data Leak” incidents have a severity level of 9 and up?

52

How many incidents before December 1st, 2022 had AJohnston investigated where the affected system is either an Email or Web server?

63

From the incident IDs 1 to 500, what is the email address of the SOC Analyst that left a comment on an incident that the data leak on file-server-65 is a false positive?

jlim@cybert.com

Including the misspellings, how many incidents has JLim handled where he misspelt the word “true”?

110

How many incidents has JLim handled where he misspelt the word “negative”?

4

How many incidents are there when you want to look for the words “data leak” and “true negative” in the comments that are at least 3 words in between them?

33

How many incidents has AJohnston investigated that have the words “detected” and “negative” in the comments that are two words apart?

40

How many incidents are there where a “client_list” file was affected by ransomware?

70

What is the name of the affected system at the earliest incident date that EVenis investigated with a filename containing the word “project”?

file-server-78

Video Walkthrough | TryHackMe Advanced ELK

About the author

I create cyber security notes, digital marketing notes and online training courses. I also provide digital marketing consulting including, but not limited to, SEO, Google and Meta ads, and CRM management.
