Loopus

Kibana Queries & Visualization

35 min · lab · +60 XP

Learning Objectives

  • Write effective Kibana queries for log analysis
  • Create visualizations and dashboards
  • Use Lens and Discover for investigation

Kibana Queries and Visualization

Kibana provides the interface for exploring and visualizing Elasticsearch data. Mastering Kibana transforms raw log data into actionable security insight.

Discover: Interactive Exploration

The Discover page is where investigation begins. Select an index pattern, set a time range, and start searching.

Kibana Query Language (KQL) provides intuitive search syntax:

event.action:login AND event.outcome:failure

This finds failed logins. KQL supports wildcards, ranges, and boolean operators:

host.name:web* AND response.status >= 400
user.name:admin* OR user.name:root

Field exploration reveals available data. The field list shows all indexed fields with value distributions. Click fields to add them as columns or filter by specific values.

Saved searches preserve useful queries. Save frequently used searches to reuse later or include in dashboards.
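As an added example that is not part of the lesson and not Kibana's own code: a small Python evaluator for the KQL subset shown above (field:value with * wildcards, range operators, AND/OR/NOT, parentheses), run over constructed ECS-style sample events. The event shape and field names are assumptions made for the example; in practice Kibana hands KQL to Elasticsearch rather than evaluating it client-side, so this is a way to check a query's logic offline, not a replacement for Discover.

```python
import re

# Constructed ECS-style sample events (assumed shape, not data from the lesson).
SAMPLE_EVENTS = [
    {"event": {"action": "login", "outcome": "failure"}, "user": {"name": "admin"},
     "host": {"name": "web-01"}, "response": {"status": 401}},
    {"event": {"action": "login", "outcome": "success"}, "user": {"name": "alice"},
     "host": {"name": "web-01"}, "response": {"status": 200}},
    {"event": {"action": "login", "outcome": "failure"}, "user": {"name": "root"},
     "host": {"name": "db-01"}, "response": {"status": 401}},
    {"event": {"action": "logout", "outcome": "success"}, "user": {"name": "bob"},
     "host": {"name": "web-02"}, "response": {"status": 500}},
]

# Tokens: parentheses, range operators, the ':' match operator, quoted strings, bare words.
TOKEN_RE = re.compile(r'\(|\)|>=|<=|>|<|:|"[^"]*"|[^\s():<>"]+')
RANGE_OPS = (">=", "<=", ">", "<")

def get_field(event, path):
    """Resolve a dotted field name such as 'host.name' against a nested document."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _match_value(actual, pattern):
    """field:value semantics: exact match with '*' as wildcard (case-sensitive, like keyword fields)."""
    if actual is None:
        return False
    if isinstance(actual, list):  # multi-valued field: any value may match
        return any(_match_value(a, pattern) for a in actual)
    regex = "^" + ".*".join(re.escape(p) for p in pattern.strip('"').split("*")) + "$"
    return re.match(regex, str(actual)) is not None

def _compare(actual, op, value):
    """Range semantics: numeric comparison when both sides are numbers, else string comparison."""
    if actual is None:
        return False
    try:
        a, b = float(actual), float(value.strip('"'))
    except (TypeError, ValueError):
        a, b = str(actual), value.strip('"')
    return {">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]

class KQLParser:
    """Recursive-descent parser for the KQL subset; parse() returns a predicate over one event.
    Precedence (tightest first): NOT, AND, OR, as in KQL; operator keywords are case-insensitive."""

    def __init__(self, query):
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _keyword(self, word):
        return self._peek() is not None and self._peek().upper() == word

    def parse(self):
        pred = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return pred

    def _or(self):
        pred = self._and()
        while self._keyword("OR"):
            self._next()
            pred = (lambda l, r: lambda e: l(e) or r(e))(pred, self._and())
        return pred

    def _and(self):
        pred = self._not()
        while self._keyword("AND"):
            self._next()
            pred = (lambda l, r: lambda e: l(e) and r(e))(pred, self._not())
        return pred

    def _not(self):
        if self._keyword("NOT"):
            self._next()
            inner = self._not()
            return lambda e: not inner(e)
        return self._primary()

    def _primary(self):
        tok = self._next()
        if tok == "(":
            inner = self._or()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        field, op, value = tok, self._next(), self._next()
        if field is None or op not in (":",) + RANGE_OPS or value is None:
            raise ValueError(f"malformed clause near {field!r}")
        if op == ":":
            return lambda e: _match_value(get_field(e, field), value)
        return lambda e: _compare(get_field(e, field), op, value)

def kql_filter(events, query):
    """Return the events matching a KQL query."""
    pred = KQLParser(query).parse()
    return [e for e in events if pred(e)]

def failed_login_users(events):
    """Users with at least one failed login, using the lesson's first query."""
    hits = kql_filter(events, "event.action:login AND event.outcome:failure")
    return sorted({get_field(e, "user.name") for e in hits})

if __name__ == "__main__":
    print("failed-login users:", failed_login_users(SAMPLE_EVENTS))
```

Running it prints the two users with failed logins in the constructed data. The evaluator deliberately treats field:value as a case-sensitive whole-value match, which is how keyword fields behave; against analyzed text fields Elasticsearch tokenizes and lowercases, so a query that matches here can match more (or less) in Discover, and that difference is the usual reason a query "works" on one index pattern and not another.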

Visualizations

Kibana offers multiple visualization types:

Lens provides drag-and-drop visualization building. Add fields to axes, change chart types, and see results instantly. Lens is the fastest path from question to answer.

Bar charts compare categories—events by source, alerts by severity.

Line charts show trends—login volume over time, error rates.

Data tables display detailed records with selected fields.

Metrics present single important numbers—total events, unique users.

Maps show geographic distribution using geo_point fields.

Dashboard Construction

Dashboards combine visualizations into coherent views. Effective security dashboards might include:

  • Overview metrics: total events, alert counts, data volume
  • Time-based trends: event volume, alert patterns
  • Top-N lists: busiest sources, most common errors
  • Geographic views: login source locations

Filters on dashboards affect all panels. Add a host filter, and every visualization updates to show only that host.

Drilldowns enable exploration. From a high-level view, click to see underlying details.

Time controls let users adjust the analysis period. Real-time views show the last few minutes; investigation might span days or weeks.

Answer the Questions

Question 1 (Knowledge)

How do you query in Kibana?

Format: ****** (6 chars)
Exact match required

Question 2 (Hands-On)

What is the simple ELK query language?

Format: *** (3 chars)
Exact match required

Question 3 (Knowledge)

How do you create visualizations?

Format: ******* (7 chars)
Exact match required

Question 4 (Hands-On)

What organizes visualizations in Kibana?

Format: ********* (9 chars)
Exact match required

Submit Flag

Found the flag? Submit it below to complete this lesson.
Format: LOOPUS{...}
