0:05
S… Speaker 1 (2026-04-13 19-13-06)
In this video,
0:06
S… Speaker 1 (2026-04-13 19-13-06)
we're going to take a look at some examples of common queries you
0:11
S… Speaker 1 (2026-04-13 19-13-06)
can do in ELK using the KQL search
0:15
S… Speaker 1 (2026-04-13 19-13-06)
language.
0:16
S… Speaker 2 (2026-04-13 19-13-06)
Now,
0:17
S… Speaker 1 (2026-04-13 19-13-06)
a lot of these are going to be similar to what we did if you watched the video on the common
0:21
S… Speaker 1 (2026-04-13 19-13-06)
Splunk queries.
0:22
S… Speaker 1 (2026-04-13 19-13-06)
A lot of those are going to be similar.
0:24
S… Speaker 2 (2026-04-13 19-13-06)
And KQL,
0:25
S… Speaker 1 (2026-04-13 19-13-06)
with it being the more simplistic kind of query language,
0:29
S… Speaker 1 (2026-04-13 19-13-06)
if you will,
0:30
S… Speaker 1 (2026-04-13 19-13-06)
a lot of these are just going to be searching for keywords,
0:35
S… Speaker 1 (2026-04-13 19-13-06)
or searching for specific event IDs or something like
0:39
S… Speaker 2 (2026-04-13 19-13-06)
that, because KQL,
0:41
S… Speaker 1 (2026-04-13 19-13-06)
again, is much more simplistic,
0:43
S… Speaker 1 (2026-04-13 19-13-06)
and it is basically just searching through fields.
0:48
S… Speaker 1 (2026-04-13 19-13-06)
Now, we talked,
0:49
S… Speaker 1 (2026-04-13 19-13-06)
again, if you've watched the Common Splunk Queries video
0:53
S… Speaker 1 (2026-04-13 19-13-06)
as part of this course,
0:54
S… Speaker 1 (2026-04-13 19-13-06)
we've talked about building good queries previously in that
0:59
S… Speaker 1 (2026-04-13 19-13-06)
video, so we're not going to rehash,
1:01
S… Speaker 1 (2026-04-13 19-13-06)
you know, the process for building a good query or the hypothesis part
1:05
S… Speaker 1 (2026-04-13 19-13-06)
of it or anything like that.
1:06
S… Speaker 1 (2026-04-13 19-13-06)
We've also already talked about some of the best practices for
1:10
S… Speaker 1 (2026-04-13 19-13-06)
ELK searches using KQL
1:14
S… Speaker 1 (2026-04-13 19-13-06)
in our ELK introduction video.
1:16
S… Speaker 3 (2026-04-13 19-13-06)
So in this one,
1:17
S… Speaker 1 (2026-04-13 19-13-06)
we're just going to take a look at some of the common queries.
1:20
S… Speaker 1 (2026-04-13 19-13-06)
So we're going to take a look at searching for suspicious account logins,
1:25
S… Speaker 1 (2026-04-13 19-13-06)
different process launches,
1:27
S… Speaker 1 (2026-04-13 19-13-06)
specifically suspicious ones,
1:30
S… Speaker 3 (2026-04-13 19-13-06)
that was hard to say,
1:31
S… Speaker 1 (2026-04-13 19-13-06)
any sort of unexpected or unknown outbound network
1:35
S… Speaker 2 (2026-04-13 19-13-06)
connections.
1:36
S… Speaker 1 (2026-04-13 19-13-06)
We'll look at some suspicious PowerShell activity like encoded
1:40
S… Speaker 1 (2026-04-13 19-13-06)
commands and downloads.
1:42
S… Speaker 1 (2026-04-13 19-13-06)
We'll look for evidence of various different types of persistence
1:47
S… Speaker 2 (2026-04-13 19-13-06)
techniques,
1:48
S… Speaker 1 (2026-04-13 19-13-06)
specifically the creation of new scheduled tasks and
1:52
S… Speaker 1 (2026-04-13 19-13-06)
malicious services.
1:53
S… Speaker 3 (2026-04-13 19-13-06)
So with that,
1:55
S… Speaker 1 (2026-04-13 19-13-06)
let's go ahead and jump over to our lab environment and we'll take a look
1:59
S… Speaker 1 (2026-04-13 19-13-06)
at those queries in the ELK system.
2:02
S… Speaker 3 (2026-04-13 19-13-06)
All right,
2:03
S… Speaker 3 (2026-04-13 19-13-06)
here we are back in Elk,
2:05
S… Speaker 1 (2026-04-13 19-13-06)
and we do have the,
2:08
S… Speaker 1 (2026-04-13 19-13-06)
we're in the Discover section,
2:09
S… Speaker 1 (2026-04-13 19-13-06)
and we do have our time frame set for the last year.
2:13
S… Speaker 3 (2026-04-13 19-13-06)
So just,
2:14
S… Speaker 2 (2026-04-13 19-13-06)
this is going to be fairly quick,
2:16
S… Speaker 1 (2026-04-13 19-13-06)
because again, we're going to be primarily just kind of searching for event IDs
2:20
S… Speaker 1 (2026-04-13 19-13-06)
and keywords.
2:21
S… Speaker 1 (2026-04-13 19-13-06)
So if we're looking for suspicious account logins,
2:25
S… Speaker 1 (2026-04-13 19-13-06)
one way we can do that is by looking for event ID 4648.
2:32
S… Speaker 1 (2026-04-13 19-13-06)
That is different than just a regular successful login.
2:36
S… Speaker 1 (2026-04-13 19-13-06)
That's a login was attempted using explicit credentials,
2:40
S… Speaker 1 (2026-04-13 19-13-06)
which is not a common method for
2:45
S… Speaker 1 (2026-04-13 19-13-06)
user accounts normally logging in.
2:49
S… Speaker 1 (2026-04-13 19-13-06)
So we are going to search for event code.
2:51
S… Speaker 1 (2026-04-13 19-13-06)
So event.code colon 4648.
2:55
S… Speaker 1 (2026-04-13 19-13-06)
And that will show us any
2:58
S… Speaker 1 (2026-04-13 19-13-06)
logins using explicit credentials,
3:01
S… Speaker 1 (2026-04-13 19-13-06)
which can be a sign of malicious activity.
3:04
S… Speaker 2 (2026-04-13 19-13-06)
Again, it's an indicator.
3:06
S… Speaker 1 (2026-04-13 19-13-06)
It doesn't guarantee suspicious activity.
3:09
S… Speaker 2 (2026-04-13 19-13-06)
But as you see here,
3:10
S… Speaker 1 (2026-04-13 19-13-06)
out of the 4,000 hits we had previously,
3:13
S… Speaker 1 (2026-04-13 19-13-06)
we only have four results for this event.
3:17
S… Speaker 1 (2026-04-13 19-13-06)
So this could be a sign of suspected malicious activity.
3:22
S… Speaker 1 (2026-04-13 19-13-06)
Another thing we can do is look to see process launches
3:27
S… Speaker 1 (2026-04-13 19-13-06)
to see if there is anything suspicious there.
3:29
S… Speaker 2 (2026-04-13 19-13-06)
And again,
3:30
S… Speaker 1 (2026-04-13 19-13-06)
that would be a simple event code search.
3:33
S… Speaker 1 (2026-04-13 19-13-06)
And this would be using Sysmon event code number one.
3:38
S… Speaker 3 (2026-04-13 19-13-06)
Get rid of that message.
3:39
S… Speaker 1 (2026-04-13 19-13-06)
And we see we have 10 different results here.
3:42
S… Speaker 1 (2026-04-13 19-13-06)
And again, just like we have seen previously,
3:45
S… Speaker 1 (2026-04-13 19-13-06)
you can expand these to be able to see.
3:47
S… Speaker 1 (2026-04-13 19-13-06)
So we are matching the process create rule here.
3:50
S… Speaker 1 (2026-04-13 19-13-06)
We can see the information about the process created.
3:53
S… Speaker 1 (2026-04-13 19-13-06)
In this case, this was a scheduled task being created.
3:56
S… Speaker 1 (2026-04-13 19-13-06)
And this does appear that it was the creation of a
4:00
S… Speaker 1 (2026-04-13 19-13-06)
suspicious scheduled task
4:03
S… Speaker 1 (2026-04-13 19-13-06)
in a lab environment because we see it's named for a flag,
4:06
S… Speaker 1 (2026-04-13 19-13-06)
but we also see because it's launching an application in the administrator
4:11
S… Speaker 1 (2026-04-13 19-13-06)
app data roaming that doesn't
4:15
S… Speaker 1 (2026-04-13 19-13-06)
quite look like it should be there.
4:19
S… Speaker 1 (2026-04-13 19-13-06)
So that's definitely a suspicious indicator there.
4:23
S… Speaker 1 (2026-04-13 19-13-06)
We can also look for suspicious network connections.
4:26
S… Speaker 1 (2026-04-13 19-13-06)
Again, very simple search.
4:28
S… Speaker 1 (2026-04-13 19-13-06)
We're just searching for a different event code.
4:31
S… Speaker 1 (2026-04-13 19-13-06)
Unlike Splunk,
4:32
S… Speaker 1 (2026-04-13 19-13-06)
we can't really do any kind of formatting with tables or anything like
4:36
S… Speaker 2 (2026-04-13 19-13-06)
that here.
4:37
S… Speaker 1 (2026-04-13 19-13-06)
These are just simple raw searches.
4:39
S… Speaker 1 (2026-04-13 19-13-06)
But we can look around and we can still make use of the available fields
4:44
S… Speaker 1 (2026-04-13 19-13-06)
here on the side to see if we have any sort of
4:48
S… Speaker 1 (2026-04-13 19-13-06)
suspicious destination IPs.
4:51
S… Speaker 1 (2026-04-13 19-13-06)
And we can see the top five values here.
4:53
S… Speaker 1 (2026-04-13 19-13-06)
It looks like we have two IPs listed here.
4:55
S… Speaker 1 (2026-04-13 19-13-06)
Any suspicious ports.
4:57
S… Speaker 1 (2026-04-13 19-13-06)
We have port 9200,
4:59
S… Speaker 1 (2026-04-13 19-13-06)
which is...
5:00
S… Speaker 2 (2026-04-13 19-13-06)
actually just for the logging components here,
5:03
S… Speaker 2 (2026-04-13 19-13-06)
but we also have some connections going over port 80.
5:06
S… Speaker 2 (2026-04-13 19-13-06)
We can add that to the filter here just by hitting the plus,
5:09
S… Speaker 2 (2026-04-13 19-13-06)
and it narrows it down,
5:11
S… Speaker 2 (2026-04-13 19-13-06)
and we only have two connections here,
5:12
S… Speaker 2 (2026-04-13 19-13-06)
and we can see immediately that jumps out at us.
5:15
S… Speaker 2 (2026-04-13 19-13-06)
Image is PowerShell.exe,
5:18
S… Speaker 2 (2026-04-13 19-13-06)
so PowerShell initiating a network connection on port 80
5:22
S… Speaker 2 (2026-04-13 19-13-06)
is immediately suspicious.
5:24
S… Speaker 2 (2026-04-13 19-13-06)
So an easy way there to see if we have any suspicious
5:28
S… Speaker 2 (2026-04-13 19-13-06)
network connections.
5:31
S… Speaker 2 (2026-04-13 19-13-06)
Now if we want to look for any sort of encoded
5:35
S… Speaker 2 (2026-04-13 19-13-06)
PowerShell,
5:36
S… Speaker 2 (2026-04-13 19-13-06)
there's a couple of different events we want to look at.
5:39
S… Speaker 2 (2026-04-13 19-13-06)
So we're going to actually contain two of those inside the parentheses
5:43
S… Speaker 2 (2026-04-13 19-13-06)
to group them.
5:44
S… Speaker 2 (2026-04-13 19-13-06)
So we're going to look at event code 4103
5:48
S… Speaker 2 (2026-04-13 19-13-06)
or event code 4104 for PowerShell.
5:52
S… Speaker 2 (2026-04-13 19-13-06)
And then we'll make sure that parenthesis is closed.
5:55
S… Speaker 2 (2026-04-13 19-13-06)
And then we want to include that we're going to search just in the message
5:59
S… Speaker 1 (2026-04-13 19-13-06)
field.
6:00
S… Speaker 2 (2026-04-13 19-13-06)
And if you remember looking at Splunk,
6:04
S… Speaker 2 (2026-04-13 19-13-06)
we did this with the search command by searching in the message field.
6:07
S… Speaker 2 (2026-04-13 19-13-06)
In ELK,
6:08
S… Speaker 2 (2026-04-13 19-13-06)
we're just going to look in the message field using it like
6:12
S… Speaker 2 (2026-04-13 19-13-06)
a regular field.
6:14
S… Speaker 2 (2026-04-13 19-13-06)
But we are going to use wildcard here.
6:17
S… Speaker 1 (2026-04-13 19-13-06)
You see it auto-completed,
6:18
S… Speaker 2 (2026-04-13 19-13-06)
the quotation marks.
6:20
S… Speaker 2 (2026-04-13 19-13-06)
And we're going to search for encoded.
6:22
S… Speaker 2 (2026-04-13 19-13-06)
And the wildcard here.
6:26
S… Speaker 2 (2026-04-13 19-13-06)
Search, no results,
6:27
S… Speaker 2 (2026-04-13 19-13-06)
but again, perfectly fine to not find results in a threat hunt.
6:31
S… Speaker 2 (2026-04-13 19-13-06)
If you're sure that your query is correct and you find no results,
6:35
S… Speaker 2 (2026-04-13 19-13-06)
that's usually a good thing with a threat hunt.
6:40
S… Speaker 2 (2026-04-13 19-13-06)
So another command we can do to look for malicious PowerShell
6:45
S… Speaker 2 (2026-04-13 19-13-06)
downloads,
6:46
S… Speaker 2 (2026-04-13 19-13-06)
we can do,
6:48
S… Speaker 2 (2026-04-13 19-13-06)
let's see how we want to do this.
6:51
S… Speaker 2 (2026-04-13 19-13-06)
We could look for event ID one and look for the
6:55
S… Speaker 2 (2026-04-13 19-13-06)
PowerShell image that way,
6:57
S… Speaker 2 (2026-04-13 19-13-06)
or we could just look in the message field.
7:02
S… Speaker 2 (2026-04-13 19-13-06)
There's a couple of different things we want to look for.
7:05
S… Speaker 2 (2026-04-13 19-13-06)
Remember, these are done with Invoke-
7:08
S… Speaker 2 (2026-04-13 19-13-06)
WebRequest is a common method that attackers will use
7:13
S… Speaker 2 (2026-04-13 19-13-06)
to download using PowerShell.
7:16
S… Speaker 2 (2026-04-13 19-13-06)
But this also can be done with the IWR
7:22
S… Speaker 2 (2026-04-13 19-13-06)
shorthand.
7:23
S… Speaker 2 (2026-04-13 19-13-06)
So that's an easy way to just search the message.
7:26
S… Speaker 2 (2026-04-13 19-13-06)
So we're not searching any event fields.
7:28
S… Speaker 2 (2026-04-13 19-13-06)
Now, granted,
7:29
S… Speaker 2 (2026-04-13 19-13-06)
the fact that our search is more broad,
7:32
S… Speaker 2 (2026-04-13 19-13-06)
if we have more events that we're searching for,
7:34
S… Speaker 1 (2026-04-13 19-13-06)
okay, we only have,
7:35
S… Speaker 2 (2026-04-13 19-13-06)
we don't have that many in this instance of ELK here,
7:38
S… Speaker 2 (2026-04-13 19-13-06)
but if we're searching through millions of events,
7:41
S… Speaker 2 (2026-04-13 19-13-06)
this might be a little too broad of a search.
7:44
S… Speaker 1 (2026-04-13 19-13-06)
Again,
7:45
S… Speaker 2 (2026-04-13 19-13-06)
we do not have anything suspicious here.
7:48
S… Speaker 1 (2026-04-13 19-13-06)
Now,
7:49
S… Speaker 2 (2026-04-13 19-13-06)
I'm curious, what if we were to expand this?
7:52
S… Speaker 2 (2026-04-13 19-13-06)
Let's see.
7:55
S… Speaker 2 (2026-04-13 19-13-06)
Let me actually correct this because I am missing the field
7:59
S… Speaker 1 (2026-04-13 19-13-06)
name.
8:00
S… Speaker 2 (2026-04-13 19-13-06)
Shouldn't matter too much here because that just means it was searching
8:04
S… Speaker 2 (2026-04-13 19-13-06)
anything in the event,
8:06
S… Speaker 2 (2026-04-13 19-13-06)
not just in the message field.
8:09
S… Speaker 2 (2026-04-13 19-13-06)
But we want to make sure.
8:10
S… Speaker 2 (2026-04-13 19-13-06)
Now let's also search for IEX,
8:14
S… Speaker 2 (2026-04-13 19-13-06)
which is another way of Invoke-Expression that
8:19
S… Speaker 2 (2026-04-13 19-13-06)
attackers will sometimes use.
8:20
S… Speaker 2 (2026-04-13 19-13-06)
No results there either.
8:23
S… Speaker 2 (2026-04-13 19-13-06)
So I'm not going to continue expanding on that.
8:25
S… Speaker 2 (2026-04-13 19-13-06)
You get the idea of just some ways you can look for suspicious
8:29
S… Speaker 2 (2026-04-13 19-13-06)
PowerShell usage.
8:33
S… Speaker 1 (2026-04-13 19-13-06)
Now,
8:34
S… Speaker 2 (2026-04-13 19-13-06)
what if we wanted to look for scheduled tasks?
8:36
S… Speaker 2 (2026-04-13 19-13-06)
Again, a simple event code.
8:39
S… Speaker 2 (2026-04-13 19-13-06)
We're searching for 4698.
8:42
S… Speaker 2 (2026-04-13 19-13-06)
We see no results there.
8:45
S… Speaker 1 (2026-04-13 19-13-06)
No big deal.
8:47
S… Speaker 2 (2026-04-13 19-13-06)
Schedule.
8:48
S… Speaker 2 (2026-04-13 19-13-06)
Let's see if we have any malicious services created.
8:52
S… Speaker 2 (2026-04-13 19-13-06)
Remember, this can be one of two event codes.
8:57
S… Speaker 2 (2026-04-13 19-13-06)
So let's look for the other one of 7045.
9:00
S… Speaker 2 (2026-04-13 19-13-06)
Actually,
9:02
S… Speaker 2 (2026-04-13 19-13-06)
I want to do this in the other ELK instance.
9:06
S… Speaker 2 (2026-04-13 19-13-06)
We'll switch over to this one because I'm pretty sure we do have a hit
9:10
S… Speaker 2 (2026-04-13 19-13-06)
in this one.
9:11
S… Speaker 1 (2026-04-13 19-13-06)
There we go.
9:11
S… Speaker 2 (2026-04-13 19-13-06)
We actually have several hits for one of those
9:16
S… Speaker 2 (2026-04-13 19-13-06)
event IDs.
9:18
S… Speaker 2 (2026-04-13 19-13-06)
Let's expand.
9:19
S… Speaker 2 (2026-04-13 19-13-06)
Let's see.
9:20
S… Speaker 1 (2026-04-13 19-13-06)
We've got...
9:21
S… Speaker 2 (2026-04-13 19-13-06)
Several services that were created.
9:24
S… Speaker 2 (2026-04-13 19-13-06)
Let's look through our fields to see what kind of options we have.
9:28
S… Speaker 2 (2026-04-13 19-13-06)
If we have any kind of service name or anything.
9:32
S… Speaker 2 (2026-04-13 19-13-06)
We do have the image.
9:34
S… Speaker 1 (2026-04-13 19-13-06)
Let's
9:39
S… Speaker 1 (2026-04-13 19-13-06)
see.
9:39
S… Speaker 2 (2026-04-13 19-13-06)
Process name.
9:41
S… Speaker 1 (2026-04-13 19-13-06)
Here we go.
9:42
S… Speaker 2 (2026-04-13 19-13-06)
Service names.
9:43
S… Speaker 2 (2026-04-13 19-13-06)
Let's just take a look through here.
9:45
S… Speaker 2 (2026-04-13 19-13-06)
We see the top five values we have here.
9:49
S… Speaker 2 (2026-04-13 19-13-06)
Nothing out of these top five looks that suspicious.
9:53
S… Speaker 1 (2026-04-13 19-13-06)
This
9:57
S… Speaker 2 (2026-04-13 19-13-06)
one could be because it does appear to be potentially random
10:02
S… Speaker 1 (2026-04-13 19-13-06)
characters.
10:03
S… Speaker 2 (2026-04-13 19-13-06)
Could be suspicious,
10:05
S… Speaker 2 (2026-04-13 19-13-06)
but it may be a system process. Really
10:09
S… Speaker 1 (2026-04-13 19-13-06)
hard to tell.
10:10
S… Speaker 1 (2026-04-13 19-13-06)
What we can do,
10:10
S… Speaker 2 (2026-04-13 19-13-06)
though, is add it to the filter and look at the event itself
10:15
S… Speaker 2 (2026-04-13 19-13-06)
just to get some context about it to see how
10:19
S… Speaker 2 (2026-04-13 19-13-06)
this service was created.
10:22
S… Speaker 2 (2026-04-13 19-13-06)
Looks like service host created its clipboard service group.
10:26
S… Speaker 2 (2026-04-13 19-13-06)
May not actually be malicious in nature.
10:30
S… Speaker 2 (2026-04-13 19-13-06)
But you get the idea of ways you can search for malicious service
10:35
S… Speaker 2 (2026-04-13 19-13-06)
creation, or at least suspicious service creation.
10:37
S… Speaker 2 (2026-04-13 19-13-06)
So again,
10:38
S… Speaker 2 (2026-04-13 19-13-06)
when we're talking about KQL,
10:39
S… Speaker 2 (2026-04-13 19-13-06)
these are going to be your more simplistic searches,
10:42
S… Speaker 2 (2026-04-13 19-13-06)
just searching for keywords or specific event
10:46
S… Speaker 2 (2026-04-13 19-13-06)
IDs, just because of the more simple way
10:51
S… Speaker 2 (2026-04-13 19-13-06)
that KQL syntax works and the capabilities of it.

This transcript was generated by AI (automatic speech recognition). It may contain errors; check it against the original audio for analytical use.