We covered advanced queries in Kibana and Elasticsearch, such as nested queries, numeric and date range queries, proximity queries, fuzzy searches and queries with regular expressions, to extract insights from cyber security incidents; the scenario in this case was a ransomware infection on web and email servers. This was part of the TryHackMe Advanced ELK Queries room, which belongs to the SOC Level 2 track.

Blue Team Study Notes

The Elastic Stack Study Notes


What is Elastic Stack?

The Elastic Stack is a collection of open-source components linked together to let users take data from any source, in any format, and search, analyze and visualize it in real time.

Elasticsearch

Elasticsearch is a full-text search and analytics engine used to store JSON-formatted documents. It is the component used to store, analyze and correlate the data.
It is built on top of Apache Lucene and provides a scalable solution for full-text search, structured querying and data analysis.
Elasticsearch exposes a RESTful API for interacting with the data.

Logstash

Logstash is a data processing engine that takes data from different sources, applies filters to it or normalizes it, and then sends it to a destination, which could be Kibana or a listening port.

Kibana

Kibana is a web-based data visualization tool that works with Elasticsearch to analyze, investigate and visualize the data stream in real time. It allows users to create multiple visualizations and dashboards for better visibility.

Kibana Query Language (KQL)

KQL is a search query language used to search the logs/documents ingested into Elasticsearch. Apart from KQL, Kibana also supports the Lucene query syntax.

In how it works and what it is for, KQL is similar to Splunk's Search Processing Language (SPL).

Free text search
Free text search lets users search the logs on text alone: a simple search for the term security returns every document that contains that term, irrespective of the field.
KQL also allows the wildcard * to match part of a term/word, for example to match several words that share a prefix.

Range queries allow us to search for documents whose field values fall within a specified range, such as a numeric severity range or a date range.

Fuzzy searching is useful when the data contains inconsistencies or typos. It accounts for these variations and still retrieves the relevant documents by allowing a specified number of character differences (the fuzziness value) between the search term and the actual field value.

Proximity searches allow you to search for documents where the field values contain two or more terms within a specified distance. In KQL, you can use the match_phrase query with the slop parameter to perform a proximity search. The slop parameter sets the maximum distance that the terms can be from each other. For example, a slop value of 2 means that the words can be up to 2 positions away.

Room Answers | TryHackMe Advanced ELK

How do you escape the text “password:Me&Try=Hack!” (not including the double quotes)?


Using wildcards, what will your query be if you want to search for all documents that contain the words “hacking” and “hack” in the “activity” field? 


Task 3 – Q1 – How many incidents exist where the affected file is “marketing_strategy_2023_07_23.pptx”?


How many incidents exist where the affected files in file servers are titled “marketing_strategy”?


There is a true positive alert on a webserver where the admin and IT users were logged on. What is the name of the webserver?


How many “Data Leak” incidents have a severity level of 9 and up?


How many incidents before December 1st, 2022 has AJohnston investigated where the affected system is either an Email or Web server?


From the incident IDs 1 to 500, what is the email address of the SOC Analyst that left a comment on an incident that the data leak on file-server-65 is a false positive?


Including the misspellings, how many incidents has JLim handled where he misspelt the word “true”?


How many incidents has JLim handled where he misspelt the word “negative”?


How many incidents are there when you want to look for the words “data leak” and “true negative” in the comments that are at least 3 words in between them?


How many incidents has AJohnston investigated that have the words “detected” and “negative” in the comments that are two words apart?


How many incidents are there where a “client_list” file was affected by ransomware?


What is the name of the affected system at the earliest incident date that EVenis investigated with a filename containing the word “project”?


Video Walkthrough | TryHackMe Advanced ELK

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
