Скачать или смотреть Advanced ELK Queries: SOC Level 2: TryHackMe

Welcome back! In this video, I walk you through SOC Level 2: Advanced Queries on TryHackMe. You'll learn how to search large datasets efficiently using advanced querying techniques in Kibana.

🔍 From wildcards and nested queries to fuzzy searches and regex, this room teaches the essential tools every SOC analyst should know for threat hunting, log analysis, and data correlation.

🛠️ Skills Covered:

KQL (Kibana Query Language) vs Lucene

Nested queries for JSON-like data

Wildcard and range searches

Fuzzy and proximity matching

Regex searches for log analysis

If you're preparing for a SOC role or just looking to master Kibana—this one's for you.

TimeStamps:

00:00 - Introduction to the room
01:00 - What this room is about (Kibana, ELK Stack, analyst workflow)
02:50 - Setting up Kibana
03:30 - Task 2: Advanced Query Syntax (KQL vs Lucene)
05:00 - Escaping reserved characters + Wildcard examples
08:00 - Task 3: Nested Queries explained
12:00 - Querying nested objects (author & comment matching)
15:00 - Working with the incident dataset
18:00 - Filtering by file names and affected systems
26:00 - Filtering for true positive + admin activity
30:00 - Task 4: Range Queries (date, numbers, time)
36:00 - Response time filters, incident severity filters
40:00 - Combining date filters with logical operators
47:00 - Task 5: Fuzzy Search
55:00 - Matching typos and near matches in queries
58:00 - Fuzzy value examples in real scenarios
1:03:00 - Task 6: Proximity Searches explained
1:06:00 - Matchphrase and slope usage (distance between terms)
1:08:30 - Use case examples: data leak + true negative proximity
1:10:00 - Task 7: Regex Queries
1:12:00 - Regex for event types and descriptions (text vs keyword behavior)
1:15:00 - Final challenges and wrapping up with file name pattern match
1:22:00 - Conclusion & reflections