Elastic Stack
Elastic Stack is a group of tools used to collect, store, search, and visualize data such as logs and security events. It commonly includes Elasticsearch for storing and searching data, Kibana for dashboards and analysis, and data collection tools like Logstash or Elastic Agent. Elastic describes it as a platform that takes data from many sources, then lets you search, analyze, and visualize it. Beats still exist, but Elastic says Elastic Agent has replaced Beats for most use cases.
Example: A company collects Windows logs, firewall logs, and web server logs using Elastic Agent or Logstash, stores them in Elasticsearch, and views them in Kibana dashboards. Elastic’s docs describe Kibana as the interface used to query, analyze, visualize, and manage data stored in Elasticsearch.
Use case: A SOC team uses the Elastic Stack to centralize logs from many systems so they can investigate suspicious logins, detect unusual activity, and build dashboards for monitoring. Elastic also positions Kibana and the platform for use cases including observability and security investigations.
Kibana Query Language (KQL)
This is a simple text-based query language used in Kibana to filter data. It helps you find documents where a field exists, matches a value, or falls within a range. Elastic notes that KQL is for filtering only, not for sorting, transforming, or aggregating data.
Example:
event.code: 4625 AND source.ip: "192.168.1.10"
This would filter for events where the event code is 4625 and the source IP is 192.168.1.10. Elastic also shows KQL examples such as filtering on a service name and HTTP status code in a Kibana-style query.
Use case: A SOC analyst can use KQL in Kibana Discover to quickly filter logs for suspicious activity, such as failed logins, PowerShell execution, or traffic from a specific IP. Kibana Discover supports searching and filtering data with KQL for this kind of investigation.
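As an added example (not code from Elastic's docs or Kibana), the following Python implements a small subset of the KQL syntax shown above: field:value terms, quoted values, field:* existence checks, and NOT/AND/OR with parentheses, evaluated over a few constructed log events. It does not implement ranges, wildcards inside values, or nested-field syntax, and it matches values as case-insensitive strings.

```python
import re
# Constructed sample events (not real log data) using flattened ECS-style field names.
EVENTS = [
    {"event.code": "4625", "source.ip": "192.168.1.10", "user.name": "alice"},
    {"event.code": "4624", "source.ip": "192.168.1.10", "user.name": "alice"},
    {"event.code": "4625", "source.ip": "10.0.0.5", "user.name": "bob"},
    {"event.code": "4104", "process.name": "powershell.exe"},
]
KEYWORDS = {"AND", "OR", "NOT"}  # KQL keywords are case-insensitive

def tokenize(query):
    toks = re.findall(r'\(|\)|:|"[^"]*"|[^\s():"]+', query)  # ( ) : "quoted" bare-word
    return [t.upper() if t.upper() in KEYWORDS else t for t in toks]

def parse(query):
    # Recursive descent. Precedence: NOT binds tightest, then AND, then OR.
    toks, pos = tokenize(query), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]  # IndexError on a truncated query
    def binary(op, sub):  # left-associative chain of `sub op sub op sub ...`
        node = sub()
        while peek() == op: take(); node = (op.lower(), node, sub())
        return node
    def parse_or(): return binary("OR", parse_and)
    def parse_and(): return binary("AND", parse_not)
    def parse_not():
        if peek() == "NOT": take(); return ("not", parse_not())
        return parse_atom()
    def parse_atom():
        tok = take()
        if tok == "(":  # parenthesised sub-query
            node = parse_or()
            if take() != ")": raise ValueError("missing closing parenthesis")
            return node
        if take() != ":": raise ValueError(f"expected ':' after field {tok!r}")
        return ("term", tok, take().strip('"'))  # field: value, value may be quoted
    tree = parse_or()
    if peek() is not None: raise ValueError(f"unexpected token {peek()!r}")
    return tree

def matches(node, doc):  # evaluate a parsed tree against one flattened document
    if node[0] == "term":
        actual = doc.get(node[1])  # 'field:*' only requires the field to exist
        return actual is not None and (node[2] == "*" or str(actual).lower() == node[2].lower())
    if node[0] == "not": return not matches(node[1], doc)
    if node[0] == "and": return matches(node[1], doc) and matches(node[2], doc)
    return matches(node[1], doc) or matches(node[2], doc)

def search(query, events=EVENTS):
    tree = parse(query)  # parse once, filter every document through the same tree
    return [e for e in events if matches(tree, e)]
```

Running search('event.code: 4625 AND source.ip: "192.168.1.10"') against the constructed events returns only the first one, which is the failed-logon filter from the example above.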