Differences

This shows you the differences between two versions of the page.

Previous revision: soc:tools:kibana [2026/06/10 09:18] titannet
Current revision: soc:tools:kibana [2026/06/10 12:57] (current) titannet
Line 1: Line 1:
 ====== Kibana ====== ====== Kibana ======
 +
 +===== Query Basics =====
  
  
Line 11: Line 13:
   - Turn off KQL to use the Lucene query syntax   - Turn off KQL to use the Lucene query syntax
  
-==== Fuzzy ====+=== Fuzzy ===
  
 | ''fu~~y'' | fuzzy operator | | ''fu~~y'' | fuzzy operator |
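Review bot: the Fuzzy heading is demoted from `==== Fuzzy ====` to `=== Fuzzy ===` in this hunk, while the EQL section added further down is introduced at `==== EQL ====`; if Fuzzy and EQL are both query types directly under the new `===== Query Basics =====` section they should sit at the same level, so confirm that Fuzzy is intentionally nested one level deeper (under an intermediate `====` heading not shown in this hunk) rather than demoted by mistake.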
Line 26: Line 28:
 Description: /(s|m).*/ Description: /(s|m).*/
 </code> </code>
 +
 +==== EQL ====
 +
 +<code>
 +file where host.os.type == "linux" and
 + event.action in ("rename", "creation") and
 + file.path in (
 +   "/etc/crontab",
 +   "/etc/cron.allow",
 +   "/etc/cron.deny"
 + )
 +
 +</code>
 +
 +===== Quicksheets =====
 +
 +==== Http/s ====
 +
 +<code>
 +client.ip
 +user.agent
 +http.request.method
 +url.path
 +http.response.status_code
 +</code>
 +
 +
 +
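Review bot: the EQL `<code>` block ends with an empty line between the closing `)` and `</code>`, which renders as a stray blank line inside the code box; drop it. The query is also dropped in with no accompanying text: a one-line description above the block saying what it matches (file creation or rename events on Linux hosts for `/etc/crontab`, `/etc/cron.allow` and `/etc/cron.deny`) would make the section usable as a reference, and the same applies to the `Http/s` quicksheet, whose five field names would benefit from a short note on what they are meant to be used for (filtering or building a table of web requests). The three trailing `+` blank lines at the end of the page can go as well.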