Ransomware Detection with Advanced Elastic Search Queries | TryHackMe Advanced ELK
We covered using advanced queries in Kibana and Elasticsearch, such as nested queries, queries that extract number and date ranges, proximity queries, fuzzy searches and queries that include regular expressions, to extract insights from cyber security incidents. The scenario in this case was a ransomware infection on web and email servers. This was part of the TryHackMe Advanced ELK Queries room, which is part of the SOC Level 2 track.
Full blog post is here.
Highlights
What is Elastic Stack?
Elastic Stack is a collection of different open source components linked together to help users take data from any source, in any format, and search, analyze and visualize that data in real time.
Elasticsearch
Elasticsearch is a full-text search and analytics engine used to store JSON-formatted documents. It is the component used to store the data, analyze it, perform correlation on it, and so on.
It is built on top of Apache Lucene and provides a scalable solution for full-text search, structured querying, and data analysis.
Elasticsearch exposes a RESTful API for interacting with the data.
Logstash
Logstash is a data processing engine used to take data from different sources, apply filters to it or normalize it, and then send it on to a destination, which could be Kibana or a listening port.
Kibana
Kibana is a web-based data visualization tool that works with Elasticsearch to analyze, investigate and visualize the data stream in real time. It allows users to create multiple visualizations and dashboards for better visibility.
Kibana Query Language (KQL)
KQL is a search query language used to search the logs/documents ingested into Elasticsearch. Apart from KQL, Kibana also supports the Lucene query language.
KQL is similar to Splunk's Search Processing Language (SPL) in how it works and in its objectives.
Free Text Search
Free text search allows users to search the logs based on text only. That means a simple search for the term security will return all the documents that contain this term, irrespective of the field.
Wild Card
KQL allows the wild card * to match parts of a term/word. Let's find out how to use this wild card in the search query.
Range queries allow us to search for documents whose field values fall within a specified range, for example a number range or a date range.
Fuzzy searching is beneficial when searching for documents with inconsistencies or typos in the data. It accounts for these variations and retrieves relevant documents by allowing a specified number of character differences (known as the fuzziness value) between the search term and the actual field value.
Proximity searches allow you to search for documents where the field values contain two or more terms within a specified distance. In KQL, you can use the match_phrase query with the slop parameter to perform a proximity search. The slop parameter sets the maximum distance that the terms can be from each other. For example, a slop value of 2 means that the words can be up to 2 positions away.
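To make the fuzziness and slop parameters concrete, here is a small offline re-implementation of what Elasticsearch evaluates for fuzzy, proximity (match_phrase with slop) and range queries. This is an added example, not code from the TryHackMe room or the blog post; the log documents are constructed sample data, and the proximity check is an in-order approximation of real slop semantics.

```python
from itertools import product

# Constructed sample documents standing in for ingested log events (not real incident data).
DOCS = [
    {"id": 1, "status": 200, "message": "ransomware note dropped on web server"},
    {"id": 2, "status": 503, "message": "ransomeware payload blocked by email gateway"},
    {"id": 3, "status": 404, "message": "web server returned not found"},
    {"id": 4, "status": 500, "message": "note left on the compromised web server"},
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of character differences a fuzziness value allows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_match(term: str, text: str, fuzziness: int) -> bool:
    """Fuzzy query: some token of the field is within `fuzziness` edits of the term."""
    return any(levenshtein(term, tok) <= fuzziness for tok in text.split())

def proximity_match(phrase: str, text: str, slop: int) -> bool:
    """In-order approximation of match_phrase + slop: every phrase term occurs, and
    the span covering them holds at most `slop` extra tokens between the terms."""
    tokens, terms = text.split(), phrase.split()
    positions = [[i for i, t in enumerate(tokens) if t == term] for term in terms]
    if any(not p for p in positions):
        return False
    for combo in product(*positions):
        in_order = all(x < y for x, y in zip(combo, combo[1:]))
        if in_order and (combo[-1] - combo[0]) - (len(terms) - 1) <= slop:
            return True
    return False

def search(kind: str, **params) -> list:
    """Evaluate one query type over DOCS and return the ids of matching documents."""
    hits = []
    for d in DOCS:
        if kind == "fuzzy":
            ok = fuzzy_match(params["term"], d["message"], params["fuzziness"])
        elif kind == "proximity":
            ok = proximity_match(params["phrase"], d["message"], params["slop"])
        else:  # range query on a numeric field with inclusive bounds (gte / lte)
            ok = params["gte"] <= d["status"] <= params["lte"]
        if ok:
            hits.append(d["id"])
    return hits
```

With the sample data, `search("fuzzy", term="ransomware", fuzziness=1)` also catches the misspelled "ransomeware" event, and `search("proximity", phrase="note server", slop=3)` matches only the document where the two terms are three tokens apart.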
Room Answers
Room answers can be found here.