Learning the basics of ELK
- Ben Lee
- Sep 2, 2023
- 2 min read
I'll be using TryHackMe to learn the basics of ELK (Elasticsearch, Logstash and Kibana).

How they all work together:

The questions to warm me up to ELK.

To answer the questions, I used the virtual machine provided by TryHackMe, entered the IP address given to me to open Elastic, and then used the given credentials to log in.
Here is the interface that was provided to me after logging in:

I clicked 'Discover' and then filtered by date to get the first answer.

For the second question, all I did was use the filter tool and choose 'source ip'. The IP that had the most hits was then shown to me.

The third question is basically the same as the second. All I did was hover over usernames to show the users with the most hits, which in this case was 'James'.

I then created a table with the fields IP, UserName and Source_Country and saved it as a preset.
For the next question, I applied a username filter for 'Emanda', which had 56 hits. Then I used the table to see which source IP was most frequently used, which was 107.14.1.247.

The next question required me to change the time filter to the 11th of January 2022, which I did. There was a spike caused by an IP address, which I quickly identified as 172.201.60.191.

For the final question in this segment, all I did was go back to the original date filter of 31st December 2021 to 2nd February 2022 and then create two new filters: the first including the source IP 238.163.231.224, and the second excluding the source state of New York, which yielded 48 hits.
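Every one of the Discover steps above (time picker, 'top values' of a field, an 'is' filter, an 'is not' filter) is just Elasticsearch query DSL under the hood: the time picker is a `range` on the time field, include filters go into `bool.filter`, exclude filters into `bool.must_not`, and a field's top values is a `terms` aggregation. This is an added example, not code from the TryHackMe room or from Elastic. It builds those query bodies and then evaluates the same semantics over a handful of constructed sample documents so it can run offline; the field names (`@timestamp`, `Source_ip`, `UserName`, `Source_State`), the IPs and the counts are all assumptions, not the room's data.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample documents standing in for the room's index (assumed field names).
DOCS = [
    {"@timestamp": "2021-12-31T09:00:00Z", "Source_ip": "198.51.100.7", "UserName": "James",  "Source_State": "Texas"},
    {"@timestamp": "2022-01-03T10:00:00Z", "Source_ip": "203.0.113.5",  "UserName": "James",  "Source_State": "New York"},
    {"@timestamp": "2022-01-03T10:05:00Z", "Source_ip": "203.0.113.5",  "UserName": "Emanda", "Source_State": "New York"},
    {"@timestamp": "2022-01-11T02:00:00Z", "Source_ip": "198.51.100.7", "UserName": "James",  "Source_State": "Texas"},
    {"@timestamp": "2022-01-11T02:00:01Z", "Source_ip": "198.51.100.7", "UserName": "Emanda", "Source_State": "Texas"},
    {"@timestamp": "2022-01-11T02:00:02Z", "Source_ip": "198.51.100.7", "UserName": "root",   "Source_State": "Texas"},
    {"@timestamp": "2022-01-20T12:00:00Z", "Source_ip": "203.0.113.5",  "UserName": "Emanda", "Source_State": "Ohio"},
    {"@timestamp": "2022-02-10T12:00:00Z", "Source_ip": "192.0.2.9",    "UserName": "James",  "Source_State": "Ohio"},
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample docs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_range(start, end):
    """The Discover time picker is a range filter on the time field."""
    return {"range": {"@timestamp": {"gte": start, "lte": end}}}


def search_body(start, end, include=None, exclude=None, top_field=None, size=5):
    """Build the query DSL behind the Discover steps.

    include:   {field: value} pairs, the 'is' filters, go into bool.filter
    exclude:   {field: value} pairs, the 'is not' filters, go into bool.must_not
    top_field: field whose most frequent values we want (a terms aggregation)
    """
    body = {
        "size": 0,  # we only want counts and buckets, not the hits themselves
        "query": {"bool": {
            "filter": [time_range(start, end)]
                      + [{"term": {f: v}} for f, v in (include or {}).items()],
            "must_not": [{"term": {f: v}} for f, v in (exclude or {}).items()],
        }},
    }
    if top_field:
        body["aggs"] = {"top": {"terms": {"field": top_field, "size": size}}}
    return body


def run_locally(body, docs=DOCS):
    """Evaluate the body over in-memory docs with Elasticsearch's bool semantics:
    a doc matches when every filter clause holds and no must_not clause does.
    Only range-on-time and term clauses are handled, which is all search_body emits."""
    def clause_matches(clause, doc):
        if "range" in clause:
            (field, bounds), = clause["range"].items()
            return _ts(bounds["gte"]) <= _ts(doc[field]) <= _ts(bounds["lte"])
        (field, value), = clause["term"].items()
        return doc.get(field) == value

    b = body["query"]["bool"]
    hits = [d for d in docs
            if all(clause_matches(c, d) for c in b["filter"])
            and not any(clause_matches(c, d) for c in b["must_not"])]
    result = {"hits": len(hits)}  # the hit count Discover shows at the top
    if "aggs" in body:
        terms = body["aggs"]["top"]["terms"]
        counts = Counter(d.get(terms["field"]) for d in hits)
        result["top"] = counts.most_common(terms["size"])  # the 'top values' popup
    return result


if __name__ == "__main__":
    START, END = "2021-12-31T00:00:00Z", "2022-02-02T23:59:59Z"
    # Most active source IP in the window (the 'source ip' top-values step).
    print(run_locally(search_body(START, END, top_field="Source_ip")))
    # Filter on one username, then most used IP for that user.
    print(run_locally(search_body(START, END, include={"UserName": "Emanda"}, top_field="Source_ip")))
    # Narrow the time picker to a single day to find the IP behind a spike.
    print(run_locally(search_body("2022-01-11T00:00:00Z", "2022-01-11T23:59:59Z", top_field="Source_ip")))
    # Include one source IP and exclude one state (bool.filter + bool.must_not).
    print(run_locally(search_body(START, END, include={"Source_ip": "203.0.113.5"},
                                  exclude={"Source_State": "New York"})))
```

The bodies that `search_body` returns can be pasted into Kibana's Dev Tools console as `GET <index>/_search` to check against what Discover showed. One caveat when you do: `term` and `terms` only work on exact-value fields, so if a field is mapped as `text` you have to target its `.keyword` sub-field (for example `UserName.keyword`), otherwise the filter silently matches nothing and the aggregation errors out.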

Done!

There are still many more questions in this room, which I'll be completing but not documenting. The Splunk section is coming up next, and I'm most excited for that!