# Elastic Stack

## Kibana

### Search Filters

This is an example of looking for any logs that contain the string "password" in any searchable field:

```
password
```

This is an example of looking for logs that contain the value jhenderson in a field called user:

```
user:jhenderson
```

Note: A value that contains spaces, or characters the query parser treats as syntax (for example `:`, `-`, `/`, `*`, `(`, `)`), must be surrounded with double quotes so it is matched as one literal term. Quoting a plain value does no harm, so quote any value you did not type yourself (an indicator pasted from an alert, for instance).

Example:

```
"sec555.com"
```
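The quoting rule above matters most when a query is assembled by a script from values it did not author (an alert field, a ticket, a threat feed). The following is an added example, not code from the original page: it builds Kibana Lucene-syntax clauses with the value always quoted and escaped, rejects field names that could carry operators, and shows that a value such as `sec555.com" OR *:*` stays one literal phrase instead of widening the search to every document. The field names and sample values are illustrative; it assumes Kibana's default Lucene syntax, in which only `\` and `"` are special inside a quoted phrase and AND/OR must be upper case.

```python
"""Build Kibana (Lucene syntax) filters safely from untrusted values.

Added example; not code from the original page. Assumes Kibana's default
Lucene query-string syntax: inside double quotes only the backslash and
the double quote are special, and AND/OR must be upper case. Field names
and the sample alert values below are illustrative.
"""
import re

# Only plain dotted field names are accepted, so an attacker cannot
# smuggle operators in through the field name either.
_FIELD_RE = re.compile(r"^[A-Za-z0-9_@][A-Za-z0-9_.@-]*$")


def quote(value: str) -> str:
    """Return value as a double-quoted Lucene phrase with escaping applied."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def term(field: str, value: str, negate: bool = False) -> str:
    """field:"value" (or -field:"value") with the value quoted and escaped."""
    if not _FIELD_RE.match(field):
        raise ValueError(f"illegal field name: {field!r}")
    return f'{"-" if negate else ""}{field}:{quote(str(value))}'


def combine(clauses, op="AND"):
    """Join clauses with an upper-case operator and wrap them in parentheses."""
    if op not in ("AND", "OR"):
        raise ValueError("op must be AND or OR")
    return "(" + f" {op} ".join(clauses) + ")"


def hunt_query(domain: str, users) -> str:
    """A domain taken from an alert, scoped to a list of user names.

    Hypothetical field names (dns.question.name, user) for illustration.
    """
    return combine(
        [term("dns.question.name", domain),
         combine([term("user", u) for u in users], "OR")],
        "AND",
    )


if __name__ == "__main__":
    # Constructed alert field that tries to widen the search to everything.
    hostile = 'sec555.com" OR *:*'
    print(term("destination_domain", hostile))
    print(hunt_query("sec555.com", ["jhenderson", "bob smith"]))
```

The same quoting is what makes an IPv6 address usable in a Lucene query, since its colons would otherwise be read as field separators.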

This is an example of looking for logs with a source port greater than 40000 (source_port must be mapped as a numeric field; on a keyword field the comparison is alphabetical):

```
source_port:>40000
```

This is an example of looking for logs with a destination IP between 10.0.0.0 and 10.255.255.255. The range is inclusive and assumes destination_ip is mapped as type ip; on a keyword field the bounds are compared as text and an address such as 10.9.1.1 would fall outside the range:

```
destination_ip:[10.0.0.0 TO 10.255.255.255]
```

This is an example of looking for logs that have a field named tls (the `_exists_` pseudo-field matches any document in which the field has a value):

```
_exists_:tls
```

This is an example of looking for logs that do not have a field named tls:

```
-_exists_:tls
```

This is an example of looking for logs that do not have a tag of pci:

```
-tags:pci
```

This is an example of looking for logs whose timestamp falls between two dates (the range is inclusive; give a full timestamp such as 2017-05-28T23:59:59 when the exact boundary matters):

```
@timestamp:[2017-05-01 TO 2017-05-28]
```

### Combining search filters

Search filters can be combined using parentheses, AND, OR, and NOT (or a leading `-` for exclusion). The operators must be written in upper case; lower-case `and`/`or` are treated as ordinary search terms.

This is an example of looking for a network connection sourcing from 192.168.0.1 going to 8.8.8.8:

```
source_ip:192.168.0.1 AND destination_ip:8.8.8.8
```

This is an example of looking for a network connection coming from 192.168.0.1 or 192.168.0.2:

```
source_ip:192.168.0.1 OR source_ip:192.168.0.2
```

This is an example of looking for a network connection coming from 192.168.0.1 or 192.168.0.2 that is destined for 8.8.8.8:

```
(source_ip:192.168.0.1 OR source_ip:192.168.0.2) AND destination_ip:8.8.8.8
```

This is an example of looking for network connections coming from 192.168.0.1 that are not going to 8.8.8.8:

```
source_ip:192.168.0.1 AND -destination_ip:8.8.8.8
```

Note: An explicit AND is not required in front of an exclusion filter, because the leading `-` marks a clause that must not match regardless of what else is in the query.

Here is the same example as above, which still works:

```
source_ip:192.168.0.1 -destination_ip:8.8.8.8
```

This is an example of looking for network connections that are not going to an RFC 1918 private IP address. All three private ranges must be excluded, and destination_ip must be mapped as type ip for the ranges to compare numerically:

```
-destination_ip:[10.0.0.0 TO 10.255.255.255] -destination_ip:[172.16.0.0 TO 172.31.255.255] -destination_ip:[192.168.0.0 TO 192.168.255.255]
```
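The exclusion above is only correct when destination_ip is an `ip`-mapped field. The following is an added example, not code from the original page: it generates the three RFC 1918 exclusion clauses from network objects (so the bounds cannot be mistyped), and then evaluates the same `[first TO last]` range over a handful of constructed log records the way an `ip` field and a `keyword` field would, listing the addresses that a keyword mapping would misclassify. The field name destination_ip and the log records are assumptions for illustration.

```python
"""RFC 1918 exclusion filter for Kibana, and why the field mapping matters.

Added example; not code from the original page. Assumes the Lucene syntax
shown above, a destination field named destination_ip, and that
Elasticsearch compares an `ip`-mapped field numerically but a
`keyword`-mapped field as a plain string. The log records are constructed.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def range_clause(field, net, negate=True):
    """-field:[first TO last] for a network (inclusive Lucene range)."""
    prefix = "-" if negate else ""
    return f"{prefix}{field}:[{net[0]} TO {net[-1]}]"


def not_private_query(field="destination_ip"):
    """Exclude all three RFC 1918 ranges, not just two of them."""
    return " ".join(range_clause(field, n) for n in PRIVATE_NETS)


def in_range(value, net, mapping):
    """How [first TO last] is evaluated for an ip vs a keyword field."""
    if mapping == "ip":
        return ipaddress.ip_address(value) in net
    if mapping == "keyword":          # plain string comparison
        return str(net[0]) <= value <= str(net[-1])
    raise ValueError(mapping)


def misfiled(records, mapping, field="destination_ip"):
    """Addresses whose private/public result differs from the true answer."""
    bad = []
    for r in records:
        truth = any(ipaddress.ip_address(r[field]) in n for n in PRIVATE_NETS)
        seen = any(in_range(r[field], n, mapping) for n in PRIVATE_NETS)
        if truth != seen:
            bad.append(r[field])
    return bad


SAMPLE_LOGS = [  # constructed records
    {"source_ip": "192.168.0.1", "destination_ip": "8.8.8.8"},
    {"source_ip": "192.168.0.1", "destination_ip": "10.9.1.1"},
    {"source_ip": "192.168.0.1", "destination_ip": "10.1.1.1"},
    {"source_ip": "192.168.0.1", "destination_ip": "10.30.0.5"},
    {"source_ip": "192.168.0.1", "destination_ip": "172.20.5.5"},
    {"source_ip": "192.168.0.1", "destination_ip": "192.168.100.7"},
    {"source_ip": "192.168.0.1", "destination_ip": "100.64.0.1"},
]


if __name__ == "__main__":
    print(not_private_query())
    print("misclassified with ip mapping:     ", misfiled(SAMPLE_LOGS, "ip"))
    print("misclassified with keyword mapping:", misfiled(SAMPLE_LOGS, "keyword"))
```

Check the mapping of the IP fields in your index pattern before trusting a range filter; when the field is mapped as ip, a quoted CIDR term such as `destination_ip:"10.0.0.0/8"` is an equivalent and less error-prone way to write each range.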

