ELK Lab Exercises

The document outlines a series of exercises and visualizations related to the ELK stack, focusing on log analysis and security. It includes practical tasks for querying and visualizing data using Kibana Query Language (KQL) and Event Query Language (EQL), as well as Logstash and Grok for log parsing. Additionally, it provides examples of log patterns and configurations for effective data processing and threat detection.

OT Security CII SECEX-2025

ELK PRACTICE SHEET


ELK Hands-on flow
1. Exercises
2. Visualization Problems
3. KQL, EQL, Grok patterns

Exercise
Exercise 1:
1. Find all 404 status code responses with a response time greater than 1 second.
2. Find how many total documents are present in the index (clue: check under index management)
Hints:
1. Go to the Elastic IP address as provided.
2. Go to "Discover" in the main menu
3. Select the "web-logs" index

Exercise 2:
1. Find all Samsung products that have "Smart" in their name and are currently in stock.
2. Find how many total documents are present in the index (clue: check under index management)
Hints:
1. Go to "Discover" in the main menu
2. Select the "products*" index pattern
3. Set the time range to "Last 1 year" (or appropriate range)

Exercise 3:
1. Find all completed purchases that were paid using credit_card or paypal, but exclude transactions from the US.
2. Find all refunds that were paid using credit_card or paypal, but exclude transactions from the US.
Hints:
1. Go to "Discover" in the main menu
2. Select the "transactions*" index pattern
3. Set the time range to "Last 6 months" (or appropriate range)
4. Status: completed, transaction type: purchase/refund, payment method: credit card/paypal, location: not US

Exercise 4:
1. Find all delivered orders
2. Filter for orders that contain at least one Electronics item
3. Filter for discounted orders AND orders with free shipping
4. Look for delivered orders with more than 4 items
5. How many cancelled orders are there?
Hints:
1. Go to "Discover" in the main menu
2. Select the "orders*" index pattern
3. Set the time range to "Last 3 months" (or appropriate range)

Exercise 5:
1. Find all instances where web servers in the production environment had CPU load above 90% in the last 24 hours.
Hints:
1. Select the "system_metrics*" index pattern
2. Set the time range to "Last 7 days" (or appropriate range)

Exercise 6:
1. Create a KQL query to find high-priority tickets that took longer than 24 hours to resolve
2. Create a KQL query to identify trends in customer satisfaction across different teams and subscription types
3. Create a visualization with:
a. X-axis: assigned_team
b. Y-axis: Average of customer_satisfaction
c. Split series by: subscription_type
Hints:
1. Go to Kibana "Discover" page
2. Select the "support_tickets" index pattern

Exercise 7:
1. Create a KQL query to detect potential data exfiltration (large outbound data transfers)
2. Create a KQL query to identify suspicious connection patterns and security signatures
Hints:
1. Go to Kibana "Discover" page
2. Select the network_traffic index pattern
3. Source and destination should not be internal
4. Signature pattern detected will not be null
5. Destination ports for: RDP= 3389, SSH= 22
6. HTTP error status codes such as 405, 500 etc. (4xx: client-side issues, 5xx: server-side issues)

Visualization Problems
Visualization 1: Create Visualizations for Support Tickets
Ticket Priority Distribution (Pie Chart)
a. Navigate to Analytics → Visualize Library, click "Create visualization" and choose the "Pie" visualization
b. Select the support_tickets index pattern. Under "Metrics", verify "Count" is selected, then select priority.keyword
c. Set "Number of values" to 10 and click "Save and return"
d. Save as "Ticket Priority Distribution"

Visualization 2: Customer Satisfaction by Team (Heat Map)
a. Navigate to Analytics → Visualize Library, click "Create visualization" and choose the "Heat map" visualization
b. Select the support_tickets index pattern
c. For the Y-axis, select "Terms" and choose assigned_team.keyword. For the X-axis, select "Terms" and choose customer_satisfaction. For "Value", keep the default "Count". Click "Save and return"
d. Save as "Customer Satisfaction by Team"

Visualization 3: Average Resolution Time by Category (Bar Chart)
a. Navigate to Analytics → Visualize Library and click "Create visualization"
b. Choose the "Bar" visualization (vertical) and select the support_tickets index pattern
c. Under "Metrics", change from "Count" to "Average" and select resolution_time_hours. Under "Breakdown field", select category.keyword
d. Set "Number of values" to 10 and click "Save and return"
e. Save as "Average Resolution Time by Category"

Visualization 4: Resolution Time Trend (Line Chart)
a. Navigate to Analytics → Visualize Library, click "Create visualization" and choose the "Line" visualization
b. Select the support_tickets index pattern
c. Under "Metrics", change from "Count" to "Average" and select resolution_time_hours. Under "Break down by", select "Date histogram" and choose created_at. Set the interval to "Weekly" and click "Save and return"
d. Save as "Resolution Time Trend"

Log Analysis with Kibana Query Language, Event Query Language, Logstash & Grok

● KQL for filtering logs.
● EQL for detecting sequences like cyberattacks.
● Logstash + Grok for parsing and structuring logs.

Together, these make up the core of ELK-based threat detection.

Diagram:
[ Beats ] → [ Logstash ] → [ Elasticsearch ] → [ Kibana ]

● Beats: Log shippers (Filebeat, Winlogbeat)
● Logstash: Data processing pipeline
● Elasticsearch: Stores indexed logs
● Kibana: Search & visualize

KQL
● Used in Kibana → Discover, Dashboards, Visualizations, Simple Rules
● Doesn't support joins or sequences
● Great for dashboards and reports

Examples:
● Errors from Apache logs:
  log.level: "error" AND service.name: "apache"
● Use filters instead of free text for performance.
● Use _exists_ for null checks (note: _exists_:field is Lucene query syntax; the KQL equivalent is field:*).
● Combine conditions using: field1:value1 AND (field2:value2 OR field3:value3)

EQL
● Used in Elastic Security
● Designed for event correlation
● Useful for attack chains like: Initial access → Execution → Exfiltration

EQL Sequence Example

● Detecting PowerShell after Word:

  sequence
    [process where process.name == "winword.exe"]
    [process where process.name == "powershell.exe"]

  Note: as written, the two events need not come from the same host or happen close together; adding "sequence by host.id ... with maxspan=..." constrains both.

Alert use case:
● Attacker uses Word to run a macro → launches PowerShell.

DNS Tunneling Detection:
  network where network.protocol == "dns" and network.bytes > 1000

Suspicious child process:
  process where process.parent.name == "explorer.exe" and process.name == "cmd.exe"

Potential SSH Password Guess:
  sequence by host.id, source.ip, user.name with maxspan=15s
    [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
      event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0"] with runs=10
    [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
      event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0"]
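To make the "Potential SSH Password Guess" sequence concrete, the following is an added example (not Elastic's engine or the sheet's own code) that approximates the EQL semantics of the query above: the "by host.id, source.ip, user.name" join keys, "with runs=10" on the failure subquery, and "with maxspan=15s". It assumes a flat field layout such as "host.os.type" and runs over constructed events.

```python
from collections import defaultdict
from datetime import datetime, timedelta
MAXSPAN = timedelta(seconds=15)  # `with maxspan=15s` in the page's query
RUNS = 10                        # `with runs=10`

def _is_linux_ssh(ev):
    """The filter shared by both subqueries of the page's sequence."""
    return (ev["host.os.type"] == "linux"
            and ev["event.action"] in ("ssh_login", "user_login")
            and ev["source.ip"] not in (None, "0.0.0.0"))

def detect_ssh_password_guess(events):
    """Return the join keys (host.id, source.ip, user.name) for which RUNS
    failures were followed by a success inside MAXSPAN. Simplified
    approximation of the EQL sequence semantics, not Elastic's engine."""
    failures = defaultdict(list)  # join key -> failure timestamps since last success
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not _is_linux_ssh(ev):
            continue
        key = (ev["host.id"], ev["source.ip"], ev["user.name"])
        ts = datetime.fromisoformat(ev["@timestamp"])
        if ev["event.outcome"] == "failure":
            failures[key].append(ts)
        elif ev["event.outcome"] == "success":
            run = failures[key]
            # the RUNS most recent failures plus this success must fit in MAXSPAN
            if len(run) >= RUNS and ts - run[-RUNS] <= MAXSPAN:
                alerts.append(key)
            failures[key] = []  # a success ends the run of failures
    return alerts

def make_event(host, ip, user, outcome, second):
    """Constructed event in the flat field layout the functions above assume."""
    return {"@timestamp": f"2025-04-04T12:00:{second:02d}", "host.id": host,
            "host.os.type": "linux", "event.action": "ssh_login",
            "event.outcome": outcome, "source.ip": ip, "user.name": user}

# Constructed sample: root gets 10 failures then a success at 12 s (alert);
# bob gets only 3 failures (no alert); eve's success comes 40 s later (no alert).
SAMPLE = ([make_event("srv1", "192.168.1.5", "root", "failure", s) for s in range(10)]
          + [make_event("srv1", "192.168.1.5", "root", "success", 12)]
          + [make_event("srv1", "10.0.0.7", "bob", "failure", s) for s in range(3)]
          + [make_event("srv1", "10.0.0.7", "bob", "success", 5)]
          + [make_event("srv1", "10.0.0.8", "eve", "failure", s) for s in range(10)]
          + [make_event("srv1", "10.0.0.8", "eve", "success", 40)])

if __name__ == "__main__":
    print(detect_ssh_password_guess(SAMPLE))  # [('srv1', '192.168.1.5', 'root')]
```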

What is Logstash?
● Ingests and transforms logs
Plugins:
● Input: file, beats, tcp
● Filter: grok, mutate, geoip
● Output: elasticsearch, stdout
Diagram:
[file] → [grok filter] → [elasticsearch]

Grok Concept
● Grok = regex with labels
● Matches patterns and assigns them as fields
● Used in the filter block of Logstash
Log:
  10.0.0.1 GET /login 200
Pattern:
  %{IP:ip} %{WORD:method} %{URIPATH:request} %{NUMBER:status}

➔ Apache Access Log
Log:
  127.0.0.1 - - [04/Apr/2025:10:01:42 +0000] "GET /index.html HTTP/1.1" 200 1043
Pattern:
  %{IP:client_ip} - - %{DATA:timestamp} "%{WORD:method} %{URIPATH:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:bytes}
  Note: %{DATA:timestamp} captures the square brackets along with the date; \[%{HTTPDATE:timestamp}\] would capture the date alone.

➔ SSH Log
Log:
  Apr 4 12:34:56 server sshd[2345]: Failed password for root from 192.168.1.5 port 22 ssh2
Pattern:
  %{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd\[%{NUMBER:pid}\]: Failed password for %{USER:username} from %{IP:src_ip} port %{NUMBER:src_port} ssh2

➔ App Log with Level
Log:
  2025-04-04 12:00:01,234 INFO Authenticated user admin
Pattern:
  %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}

➔ Firewall Event
Log:
  DENY TCP 10.0.0.10:443 -> 192.168.1.100:34567
Pattern:
  %{WORD:action} %{WORD:protocol} %{IP:src_ip}:%{NUMBER:src_port} -> %{IP:dst_ip}:%{NUMBER:dst_port}

➔ Custom Application Log
Log:
  2025-04-04 12:15:30 User login: johndoe 10.1.2.3
Pattern:
  %{TIMESTAMP_ISO8601:timestamp} User login: %{USERNAME:user} %{IP:ip}
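To see what the Grok Concept and the pattern list above actually extract, here is an added example (not Logstash code and not from the practice sheet) of a small grok-to-regex translator run over the sheet's own sample lines. Its pattern definitions are simplified stand-ins for the stock grok library, which are an assumption of this example; the real Logstash definitions are stricter.

```python
import re

# Simplified regex stand-ins for the stock grok patterns used on this page.
# Logstash's own definitions are stricter; these are assumptions made for the
# example, not copied from Logstash.
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "URIPATH": r"(?:/[\w.\-%~]*)+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|WARNING|ERROR|FATAL)",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"[a-zA-Z0-9._-]+",
    "HOSTNAME": r"[\w.-]+",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{PATTERN} or %{PATTERN:field}

def grok_to_regex(pattern):
    """Expand every %{NAME:field} into a named capture group; text outside
    the braces is already regex and is kept as-is."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # KeyError means an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(repl, pattern)

def grok_match(pattern, line):
    """Return the extracted fields, or None when the line does not match
    (Logstash tags such an event with _grokparsefailure instead)."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    # The page's own sample lines and patterns, unchanged.
    print(grok_match("%{IP:ip} %{WORD:method} %{URIPATH:request} %{NUMBER:status}",
                     "10.0.0.1 GET /login 200"))
    print(grok_match(r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd\[%{NUMBER:pid}\]: "
                     r"Failed password for %{USER:username} from %{IP:src_ip} port %{NUMBER:src_port} ssh2",
                     "Apr 4 12:34:56 server sshd[2345]: Failed password for root from 192.168.1.5 port 22 ssh2"))
```

A line that matches none of the patterns returns None here, which is the case Logstash reports by tagging the event with _grokparsefailure; watching that tag is the quickest way to spot a pattern that silently stopped fitting the logs.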

Full Logstash Config Example

input {
  file {
    path => "/var/log/myapp.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:timestamp} User login: %{USERNAME:user} %{IP:ip}"
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "myapp-logs"
  }
}
