2026-04-13 10-31-04
May 25, 2026 15:04
· 12:33
· English
· Whisper Turbo
· 2 speakers
0:00
Speaker 1 (2026-04-13 10-31-04)
In this video,
0:01
Speaker 2 (2026-04-13 10-31-04)
we're going to take a look at a couple of the search language options that are available in ELK. So first of all, when we're searching with ELK, it does have multiple different query languages that can
0:15
Speaker 1 (2026-04-13 10-31-04)
be used.
0:16
Speaker 2 (2026-04-13 10-31-04)
The first one we're going to look at is KQL, the Kibana Query Language. A little difficult to say there. It is the kind of the faster, the simpler of the query languages that's available in Splunk, or then it's available in ELK,
0:33
Speaker 1 (2026-04-13 10-31-04)
excuse me.
0:34
Speaker 2 (2026-04-13 10-31-04)
It is typically based off of just filter-based searches and filter-based matching. Now, if we want to compare KQL and SPL, the language used in Splunk, KQL is typically going to be a lot simpler. It is primarily just your field-based matches, and it doesn't really offer any options for visualizations or the commands that we've seen in Splunk if you've watched some of those other videos. So KQL is... primarily just going to be your raw log searches, looking for information in different fields, and that's pretty much the limitation of it. You also have what's known as EQL, the Elastic Search Query Language. This kind of excels at correlating events and searching based on kind of multi-step actions or what they call sequences.
1:31
Speaker 2 (2026-04-13 10-31-04)
So let's start off by taking a look at KQL. KQL is done, like I said, primarily off of your field-based searching. You use the colon for the kind of equals, where if you want, again, compared to Splunk, Splunk used the equal sign for equals. KQL uses the colon instead. It does offer Boolean logic as well, using and, or, not, things like that. And it does have the option for wildcard usage as well. You can also, based on the results you get, you can select individual fields to just kind of add filters on an ad hoc basis without necessarily typing them into the search. There are some typical best practices for KQL. Number one, you want to try and if you can stick with your field-based searches instead of your full text searches. And by that,
2:34
Speaker 1 (2026-04-13 10-31-04)
I mean doing like,
2:35
Speaker 2 (2026-04-13 10-31-04)
you know, field colon to equal something and then whatever you're searching
2:39
Speaker 1 (2026-04-13 10-31-04)
for.
2:40
Speaker 2 (2026-04-13 10-31-04)
You can do just a wide full text search, but this can potentially have performance impacts when you're doing searches similar to Splunk. A lot of the same best practices are going to apply here with the addition of being able to save, easily save your commonly used queries to kind of just easily pull them back up and repeat a search.
3:08
Speaker 1 (2026-04-13 10-31-04)
But again,
3:08
Speaker 2 (2026-04-13 10-31-04)
a lot of your same best practices for KQL will still apply: making sure you have the right time frame selected, using fields as appropriate for the searches, and then limiting the use of the wildcard usage when it's practical. It's still okay to use it because sometimes you do need to use wildcards in your searches. But when it's practical, you should try to avoid it just to avoid the performance hit, especially when you're searching through hundreds of thousands or millions of events. So let's go ahead and jump back over to our lab environment and take a look at some examples of searches in KQL just to see what those look like again.
3:53
Speaker 1 (2026-04-13 10-31-04)
All right,
3:54
Speaker 2 (2026-04-13 10-31-04)
over here in the ELK search, we can do a very simple search like we looked at in a previous video just by searching for a specific event code. I almost started typing some Splunk language in there. So we're looking here for event ID 11, basically the file creation event in Sysmon.
4:16
Speaker 1 (2026-04-13 10-31-04)
In ELK,
4:17
Speaker 2 (2026-04-13 10-31-04)
you do event.code and a colon for equals and
4:22
Speaker 1 (2026-04-13 10-31-04)
11.
4:22
Speaker 2 (2026-04-13 10-31-04)
Whereas in Splunk, it would actually look like that. So there's the comparison between the two. Now you can also use Boolean searches here as it so helpfully suggests right there. So say we want to find any file that
4:40
Speaker 1 (2026-04-13 10-31-04)
was created that had PDF in the name.
4:47
Speaker 2 (2026-04-13 10-31-04)
So we are just doing a kind of a blanket search. So right here with the PDF, we are not searching a specific field. We're looking for anywhere that the letters PDF show
4:59
Speaker 1 (2026-04-13 10-31-04)
up in the event in general. And we get no results there, which is perfectly fine. That's not abnormal. You can also add, let's go back to just showing our file creation events. You can expand any of the events here and add any of these fields as a filter very easily. So let's say we are looking for, we want to add the log level of information here. We can just come over here and filter for value on the left-hand side of the result. And it will add that as a filter up in this section right there. So we see log.level colon information. It is practically the exact same thing as just typing it into the search box, except you just didn't have to type it. If you want to get rid of that event or that filter there, you just click the X next to it and it's gone.
5:57
Speaker 2 (2026-04-13 10-31-04)
In addition, you can do grouping.
6:00
Speaker 1 (2026-04-13 10-31-04)
So let's say we want to search in the security log. So we're going to search winlog
6:11
Speaker 2 (2026-04-13 10-31-04)
channel,
6:13
Speaker 1 (2026-04-13 10-31-04)
and we want to match the security channel. And we want to search specific events in there. So we will do,
6:22
Speaker 2 (2026-04-13 10-31-04)
move the cursor out of the way.
6:24
Speaker 1 (2026-04-13 10-31-04)
We will do an open parenthesis. And you can see there that ELK automatically completes the other side of the parentheses there. So don't let that trip you up. Sometimes I do, and I'll type the closing parenthesis as well. And it may not see that, and it'll give you syntax errors. So if we want to do some grouping here, we'll type winlog.event_id. And again, you have the suggestions here based on what it thinks you're looking for. So we're going to look for event ID 4688 or event ID 4698. So this is searching in the security
7:10
Speaker 2 (2026-04-13 10-31-04)
logs
7:11
Speaker 1 (2026-04-13 10-31-04)
for either of these two events. So very similar syntax as you would see in Splunk as far as how the searches are kind of grouped together and how they're formatted. Different syntax than Splunk, but similar formatting for how you want to use Booleans and grouping and things like that. So that's the KQL language. Let's jump back over to these slides and take a look at what EQL is.
7:41
Speaker 1 (2026-04-13 10-31-04)
All right, looking at EQL now, remember EQL stands for Elastic Search Query Language. The strength of EQL is kind of the multi-step attacks or multi-step events through the use of sequences. And we'll look at that here in just a second. So a simple query in EQL would look like some type of event, some type of thing that you're searching for, regardless of what it is, that matches a condition. So event type where condition matches. So basically, if you're looking for a running PowerShell process, you would do process where process.name
8:25
Speaker 2 (2026-04-13 10-31-04)
equals... PowerShell.
8:27
Speaker 1 (2026-04-13 10-31-04)
And you notice there the equals is actually two equal signs as opposed to KQL that uses a colon or Splunk that uses a single equal sign. So this EQL uses a number of different operators there. So you have your regular equals, which is just two equal signs. The exclamation point with the equal sign means does not equal. Then you have your typical less than, greater than, and then your Booleans and, or, and not. So similar to Splunk in part of that, but it does use, again, the double equals sign for equals, so don't let that throw you off.
9:07
Speaker 2 (2026-04-13 10-31-04)
Now again, where...
9:10
Speaker 1 (2026-04-13 10-31-04)
EQL excels here is in what's known as sequences. Basically this happened and then this happened, a sequence of events, and the kind of the syntax for this looks like what you see here. It starts off with the keyword of sequence, and this basically tells EQL or tells ELK that this should be an ordered series of events. So sequence by host name basically says that this field should be shared across all the events that are returned or searched through. You also see with maxspan equals 5m.
9:58
Speaker 2 (2026-04-13 10-31-04)
That's optional,
9:59
Speaker 1 (2026-04-13 10-31-04)
but what it does is it basically says between the first event we list there and the second one, these sections in brackets, only five minutes should have passed. So it's only, basically it constrains those matching results to within a certain time span. And then each of those entries in the brackets there is a step in the sequence. So our first step in the sequence here would be the process where process name is command. So basically, we're looking at any process. The first part of this should be searching for processes that are command prompts, essentially. And the second line of it, the second step, says basically, again, within five minutes, this process should reach out. Basically, we're searching to see if the command process reached out to a destination port of 4444. So this would find any hosts where command.exe ran, and then within five minutes made a connection to that port 4444. So you can see where this can be very powerful when performing threat hunts, being able to build the sequences like this. Now one thing about EQL. These searches don't work. You don't do these in the same interface we just took
11:37
Speaker 2 (2026-04-13 10-31-04)
a look at.
11:37
Speaker 1 (2026-04-13 10-31-04)
That is for KQL searches. EQL uses the EQL search API, not the discovery section or the discover section like KQL. Since we're just starting out with ELK, we're going to stick with KQL for now. Now for the ECTPH exam, you don't need to know EQL. KQL is all you need to know for the exam. So that is what we're going to focus on in the rest of this course, or at least in this section on ELK for this course. It's going to be KQL, so the simpler language, because it is easier to use. It does not require any kind of API setup or any kind of communication with an API. It's all done in the web browser.
This transcript was generated by AI (automatic speech recognition). It may contain errors; for important use, verify it against the original audio.