2026-04-13 10-31-04
May 25, 2026 15:04
· 12:33
· English
· Whisper Turbo
· 2 speakers
[0:00] Speaker 1: In this video,

[0:01] Speaker 2: we're going to take a look at a couple of the search language options that are available in ELK. So first of all, when we're searching with ELK, it does have multiple different query languages that can

[0:15] Speaker 1: be used.

[0:16] Speaker 2: The first one we're going to look at is KQL, the Kibana Query Language. A little difficult to say there. It is the kind of the faster, the simpler of the query languages that's available in Splunk, or then it's available in ELK,

[0:33] Speaker 1: excuse me.

[0:34] Speaker 2: It is typically based off of just filter-based searches and filter-based matching. Now, if we want to compare KQL and SPL, the language used in Splunk, KQL is typically going to be a lot simpler. It is primarily just your field-based matches, and it doesn't really offer any options for visualizations or the commands that we've seen in Splunk if you've watched some of those other videos. So KQL is... primarily just going to be your raw log searches, looking for information in different fields, and that's pretty much the limitation of it. You also have what's known as EQL, the Elastic Search Query Language. This kind of excels at correlating events and searching based on kind of multi-step actions or what they call sequences. So let's start off by taking a look at KQL. KQL is done, like I said, primarily off of your field-based searching. You use the colon for the kind of equals, where if you want, again, compared to Splunk, Splunk used the equal sign for equals. KQL uses the colon instead. It does offer Boolean logic as well, using and, or, not, things like that. And it does have the option for wildcard usage as well. You can also, based on the results you get, you can select individual fields to just kind of add filters on an ad hoc basis without necessarily typing them into the search. There are some typical best practices for KQL. Number one, you want to try and if you can stick with your field-based searches instead of your full text searches. And by that,

[2:34] Speaker 1: I mean doing like,

[2:35] Speaker 2: you know, field colon to equal something and then whatever you're searching

[2:39] Speaker 1: for.

[2:40] Speaker 2: You can do just a wide full text search, but this can potentially have performance impacts when you're doing searches, similar to Splunk. A lot of the same best practices are going to apply here, with the addition of being able to save, easily save your commonly used queries to kind of just easily pull them back up and repeat a search.

[3:08] Speaker 1: But again,

[3:08] Speaker 2: a lot of your same best practices for KQL will still apply: making sure you have the right time frame selected, using fields as appropriate for the searches, and then limiting the use of the wildcard usage when it's practical. It's still okay to use it because sometimes you do need to use wildcards in your searches. But when it's practical, you should try to avoid it just to avoid the performance hit, especially when you're searching through hundreds of thousands or millions of events. So let's go ahead and jump back over to our lab environment and take a look at some examples of searches in KQL just to see what those look like again.

[3:53] Speaker 1: All right,

[3:54] Speaker 2: over here in the ELK search, we can do a very simple search like we looked at in a previous video just by searching for a specific event code. I almost started typing some Splunk language in there. So we're looking here for event ID 11, basically the file creation event in Sysmon.

[4:16] Speaker 1: In ELK,

[4:17] Speaker 2: you do event.code and a colon for equals and

[4:22] Speaker 1: 11.

[4:22] Speaker 2: Whereas in Splunk, it would actually look like that. So there's the comparison between the two. Now you can also use Boolean searches here as it so helpfully suggests right there. So say we want to find any file that

[4:40] Speaker 1: was created that had PDF in the name.

[4:47] Speaker 2: So we are just doing a kind of a blanket search. So right here with the PDF, we are not searching a specific field. We're looking for anywhere that the letters PDF show

[4:59] Speaker 1: up in the event in general. And we get no results there, which is perfectly fine. That's not abnormal. You can also add, let's go back to just showing our file creation events. You can expand any of the events here and add any of these fields as a filter very easily. So let's say we are looking for, we want to add the log level of information here. We can just come over here and filter for value on the left-hand side of the result. And it will add that as a filter up in this section right there. So we see log.level colon information. It is practically the exact same thing as just typing it into the search box, except you just didn't have to type it. If you want to get rid of that event or that filter there, you just click the X next to it and it's gone.

[5:57] Speaker 2: In addition, you can do grouping.

[6:00] Speaker 1: So let's say we want to search in the security log. So we're going to search winlog

[6:11] Speaker 2: channel,

[6:13] Speaker 1: and we want to match the security channel. And we want to search specific events in there. So we will do,

[6:22] Speaker 2: move the cursor out of the way.

[6:24] Speaker 1: We will do an open parenthesis. And you can see there that ELK automatically completes the other side of the parentheses there. So don't let that trip you up. Sometimes I do, and I'll type the closing parenthesis as well. And it may not see that, and it'll give you syntax errors. So if we want to do some grouping here, we'll type winlog.event_id. And again, you have the suggestions here based on what it thinks you're looking for. So we're going to look for event ID 4688 or event ID 4698. So this is searching in the security

[7:10] Speaker 2: logs.

[7:11] Speaker 1: for either of these two events. So very similar syntax as you would see in Splunk as far as how the searches are kind of grouped together and how they're formatted. Different syntax than Splunk, but similar formatting for how you want to use Booleans and grouping and things like that. So that's the KQL language. Let's jump back over to these slides and take a look at what EQL is. All right, looking at EQL now, remember EQL stands for Elastic Search Query Language. The strength of EQL is kind of the multi-step attacks or multi-step events through the use of sequences. And we'll look at that here in just a second. So a simple query in EQL would look like some type of event, some type of thing that you're searching for, regardless of what it is, that matches a condition. So event type where condition matches. So basically, if you're looking for a running PowerShell process, you would do process where process.name

[8:25] Speaker 2: equals... PowerShell.

[8:27] Speaker 1: And you notice there the equals is actually two equal signs, as opposed to KQL that uses a colon or Splunk that uses a single equal sign. So this EQL uses a number of different operators there. So you have your regular equals, which is just two equal signs. The exclamation point with the equal sign means does not equal. Then you have your typical less than, greater than, and then your Booleans and, or, and not. So similar to Splunk in part of that, but it does use, again, the double equals sign for equals, so don't let that throw you off.

[9:07] Speaker 2: Now again, where...

[9:10] Speaker 1: EQL excels here is in what's known as sequences. Basically this happened and then this happened, a sequence of events. And the kind of the syntax for this looks like what you see here. It starts off with the keyword of sequence, and this basically tells EQL, or tells ELK, that this should be an ordered series of events. So sequence by host.name basically says that this field should be shared across all the events that are returned or searched through. You also see with maxspan=5m.

[9:58] Speaker 2: That's optional,

[9:59] Speaker 1: but what it does is it basically says between the first event we list there and the second one, these sections in brackets, only five minutes should have passed. So it's only, basically it constrains those matching results to within a certain time span. And then each of those entries in the brackets there is a step in the sequence. So our first step in the sequence here would be the process where process.name is cmd.exe. So basically, we're looking at any process. The first part of this should be searching for processes that are command prompts, essentially. And the second line of it, the second step, says basically, again, within five minutes, this process should reach out. Basically, we're searching to see if the cmd.exe process reached out to a destination port of 4444. So this would find any hosts where cmd.exe ran, and then within five minutes made a connection to that port 4444. So you can see where this can be very powerful when performing threat hunts, being able to build the sequences like this. Now one thing about EQL. These searches don't work, you don't do these in the same interface we just took

[11:37] Speaker 2: a look at.

[11:37] Speaker 1: That is for KQL searches. EQL uses the EQL search API, not the discovery section or the discover section like KQL. Since we're just starting out with ELK, we're going to stick with KQL for now. Now for the eCTHP exam, you don't need to know EQL. KQL is all you need to know for the exam. So that is what we're going to focus on in the rest of this course, or at least in this section on ELK for this course. It's going to be KQL, so the simpler language, because it is easier to use. It does not require any kind of API setup or any kind of communication with an API. It's all done in the web browser.
This transcript was generated by AI (automatic speech recognition). It may contain errors; verify against the original audio for critical use.