
Kibana provides the interface for exploring and visualizing Elasticsearch data. Mastering Kibana transforms raw log data into actionable security insight.
The Discover page is where investigation begins. Select an index pattern, set a time range, and start searching.
Kibana Query Language (KQL) provides intuitive search syntax:
event.action:login AND event.outcome:failure
This query returns events that record a failed login attempt. KQL also supports wildcards, range comparisons, and boolean operators:
host.name:web* AND response.status >= 400
user.name:admin* OR user.name:root
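To see what these queries actually select, it helps to run them against a handful of events by hand. The following Python is an added example, not code from the lesson or from Elastic: it parses a KQL subset (field:value terms with trailing-wildcard values, numeric comparisons such as >=, AND/OR/NOT and parentheses) and evaluates it over a constructed set of ECS-style events. Kibana itself sends KQL to Elasticsearch, where a `:` on an analyzed text field is a match query rather than an exact comparison; treating `:` as exact-or-wildcard string equality here is an assumption made to keep the evaluator offline.

```python
import fnmatch
import operator
import re

# Constructed sample events using ECS field names (not real log data).
SAMPLE_EVENTS = [
    {"event.action": "login", "event.outcome": "failure", "user.name": "admin",
     "host.name": "web-01", "response.status": 401},
    {"event.action": "login", "event.outcome": "success", "user.name": "alice",
     "host.name": "web-02", "response.status": 200},
    {"event.action": "logout", "event.outcome": "success", "user.name": "root",
     "host.name": "db-01", "response.status": 200},
    {"event.action": "login", "event.outcome": "failure", "user.name": "administrator",
     "host.name": "web-02", "response.status": 403},
    {"event.action": "http.request", "event.outcome": "failure", "user.name": "bob",
     "host.name": "db-01", "response.status": 500},
]

COMPARATORS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}

# One token is a parenthesis, a keyword, or a complete "field<op>value" condition.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[\w.@]+\s*(?:>=|<=|>|<|:)\s*[^\s()]+")
COND_RE = re.compile(r"([\w.@]+)\s*(>=|<=|>|<|:)\s*(.+)$")


def tokenize(query):
    return TOKEN_RE.findall(query)


def match_condition(cond, doc):
    """Evaluate a single field condition against one flat event dict."""
    field, op, raw = COND_RE.match(cond).groups()
    if field not in doc:
        return False  # missing field never matches, as in Elasticsearch
    actual = doc[field]
    if op == ":":
        if isinstance(actual, str):
            return fnmatch.fnmatchcase(actual, raw)  # handles web* / admin*
        return str(actual) == raw
    try:
        return COMPARATORS[op](float(actual), float(raw))
    except (TypeError, ValueError):
        return False  # non-numeric field cannot satisfy a range comparison


class Parser:
    """Recursive-descent parser: OR binds loosest, then AND, then NOT."""

    def __init__(self, query):
        self.tokens = tokenize(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token: %r" % self.peek())
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "NOT":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        return ("cond", tok)


def evaluate(node, doc):
    kind = node[0]
    if kind == "cond":
        return match_condition(node[1], doc)
    if kind == "not":
        return not evaluate(node[1], doc)
    if kind == "and":
        return evaluate(node[1], doc) and evaluate(node[2], doc)
    return evaluate(node[1], doc) or evaluate(node[2], doc)


def search(query, events=SAMPLE_EVENTS):
    """Return the events matching a KQL-subset query, in index order."""
    tree = Parser(query).parse()
    return [e for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    for q in ("event.action:login AND event.outcome:failure",
              "host.name:web* AND response.status >= 400",
              "user.name:admin* OR user.name:root"):
        print(q, "->", [e["user.name"] for e in search(q)])
```

Running the three queries from the lesson shows the precedence rule that trips up analysts most often: AND binds tighter than OR, so `a OR b AND c` means `a OR (b AND c)`; parenthesize when the intent is the other grouping.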
Field exploration reveals available data. The field list shows all indexed fields with value distributions. Click fields to add them as columns or filter by specific values.
Saved searches preserve useful queries. Save frequently used searches to reuse later or include in dashboards.
Lens provides drag-and-drop visualization building. Add fields to axes, change chart types, and see results instantly. Lens is the fastest path from question to answer.
Kibana offers multiple visualization types:
Bar charts compare categories—events by source, alerts by severity.
Line charts show trends—login volume over time, error rates.
Data tables display detailed records with selected fields.
Metrics present single important numbers—total events, unique users.
Maps show geographic distribution using geo_point fields.
Dashboards combine visualizations into coherent views. Effective security dashboards might include:
Drilldowns enable exploration. From a high-level view, click to see underlying details.
Time controls let users adjust the analysis period. Real-time views show the last few minutes; investigation might span days or weeks.
How do you query in Kibana?
What is the simple ELK query language?
How do you create visualizations?
What organizes visualizations in Kibana?