TryHackMe Elastic Stack: The Basics | Full Walkthrough 2026
Understand how SOC analysts use the Elastic Stack (ELK) for log investigations.

Room Link: https://tryhackme.com/room/investigatingwithelk101

Learning Objectives
This room has the following learning objectives:
- Understand the components of ELK and their use in a SOC
- Explore the different features of ELK
- Learn to search and filter data in ELK
- Investigate VPN logs to identify anomalies
- Become familiar with creating visualizations and dashboards in ELK

Timestamps
[00:00] Task 1: Introduction
[01:27] Task 2: Elastic Stack Overview
[03:40] Task 3: Lab Connection
[04:02] Task 4: Discover Tab
[13:33] Task 5: KQL Overview
[21:26] Task 6: Creating Visualizations
[32:52] Task 7: Creating Dashboards
[35:54] Task 8: Conclusion

Room Tasks

Task 1: Introduction

Task 2: Elastic Stack Overview
- Logstash is used to visualize the data. (yay / nay)
- Elasticstash supports all data formats apart from JSON. (yay / nay)

Task 3: Lab Connection

Task 4: Discover Tab
- Select the index vpn_connections and filter from 31st December 2021 to 2nd Feb 2022. How many hits are returned?
- Which IP address has the maximum number of connections?
- Which user is responsible for the overall maximum traffic?
- Apply a filter on UserName Emanda; which SourceIP has the most hits?
- On 11th Jan, which IP caused the spike observed in the time chart?
- How many connections were observed from IP 238.163.231.224, excluding the New York state?
- Create a table with the fields IP, UserName, Source_Country and save it.

Task 5: KQL Overview
- Create a search query to filter the logs where Source_Country is the United States and show logs from User James or Albert. How many records were returned?
- A user Johny Brown was terminated on the 1st of January, 2022. Create a search query to determine how many times a VPN connection was observed after his termination.

Task 6: Creating Visualizations
- Which user was observed with the greatest number of failed attempts?
- How many wrong VPN connection attempts were observed in January?

Task 7: Creating Dashboards

Task 8: Conclusion

Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.

#tryhackme #soc #elastic
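The Task 4, 5 and 6 questions above all reduce to a handful of KQL filters plus a terms aggregation. The following is an added example, not code from the room or the video: it writes each question as the KQL you would type into the Discover search bar, shows the Elasticsearch bool query that KQL compiles to, and evaluates those queries offline against a constructed set of VPN-log records so the semantics (and, not, must_not, date rounding) can be checked without a Kibana instance. The field names Source_IP, Source_State and Status, the cutoff date, and all sample values are assumptions for illustration; the room's real index and answers differ.

```python
"""KQL-style VPN log filtering and aggregation, re-implemented offline.

Added example for the TryHackMe "Investigating with ELK 101" tasks. The
records below are constructed, not room data; field names other than
UserName and Source_Country (Source_IP, Source_State, Status) are assumed.
"""
from collections import Counter
from datetime import datetime


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; '...Z' is accepted on Python < 3.11 too."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches(doc: dict, clause: dict) -> bool:
    """Evaluate a small subset of Elasticsearch query DSL (term, terms,
    range on date fields, bool) against a single document."""
    if "term" in clause:
        (field, value), = clause["term"].items()
        return doc.get(field) == value
    if "terms" in clause:  # KQL  field:(a or b)
        (field, values), = clause["terms"].items()
        return doc.get(field) in values
    if "range" in clause:  # KQL  @timestamp > "..."  (date fields only here)
        (field, bounds), = clause["range"].items()
        if doc.get(field) is None:
            return False
        v = parse_ts(doc[field])
        return (("gt" not in bounds or v > parse_ts(bounds["gt"]))
                and ("gte" not in bounds or v >= parse_ts(bounds["gte"]))
                and ("lt" not in bounds or v < parse_ts(bounds["lt"]))
                and ("lte" not in bounds or v <= parse_ts(bounds["lte"])))
    if "bool" in clause:
        b = clause["bool"]
        must = all(matches(doc, c) for c in b.get("must", []))
        must_not = not any(matches(doc, c) for c in b.get("must_not", []))
        should = b.get("should", [])
        should_ok = any(matches(doc, c) for c in should) if should else True
        return must and must_not and should_ok
    raise ValueError(f"unsupported clause: {clause}")


def search(events, query=None):
    """Return the documents matching `query` (None = match_all)."""
    return [e for e in events if query is None or matches(e, query)]


def count(events, query=None) -> int:
    return len(search(events, query))


def top_terms(events, field, query=None, size=1):
    """Equivalent of a `terms` aggregation over the hits of `query`."""
    return Counter(e[field] for e in search(events, query)).most_common(size)


# Constructed sample VPN events (not real room data).
EVENTS = [
    {"@timestamp": "2022-01-01T09:12:00Z", "UserName": "James",       "Source_IP": "10.10.1.5", "Source_Country": "United States", "Source_State": "New York",   "Status": "success"},
    {"@timestamp": "2022-01-01T10:30:00Z", "UserName": "Albert",      "Source_IP": "10.10.1.9", "Source_Country": "United States", "Source_State": "Texas",      "Status": "success"},
    {"@timestamp": "2022-01-02T08:00:00Z", "UserName": "James",       "Source_IP": "10.10.1.5", "Source_Country": "Canada",        "Source_State": "Ontario",    "Status": "success"},
    {"@timestamp": "2022-01-02T11:45:00Z", "UserName": "Johny Brown", "Source_IP": "10.10.2.3", "Source_Country": "United States", "Source_State": "New York",   "Status": "success"},
    {"@timestamp": "2022-01-03T22:10:00Z", "UserName": "Johny Brown", "Source_IP": "10.10.2.3", "Source_Country": "United States", "Source_State": "New York",   "Status": "failed"},
    {"@timestamp": "2022-01-01T13:00:00Z", "UserName": "Johny Brown", "Source_IP": "10.10.2.3", "Source_Country": "United States", "Source_State": "New Jersey", "Status": "success"},
    {"@timestamp": "2022-01-04T07:20:00Z", "UserName": "Emanda",      "Source_IP": "10.10.3.7", "Source_Country": "United States", "Source_State": "California", "Status": "success"},
    {"@timestamp": "2022-01-11T03:15:00Z", "UserName": "Emanda",      "Source_IP": "10.10.3.7", "Source_Country": "United States", "Source_State": "New York",   "Status": "failed"},
    {"@timestamp": "2022-01-11T03:16:00Z", "UserName": "Emanda",      "Source_IP": "10.10.3.7", "Source_Country": "United States", "Source_State": "California", "Status": "failed"},
    {"@timestamp": "2022-01-11T03:17:00Z", "UserName": "Emanda",      "Source_IP": "10.10.3.7", "Source_Country": "United States", "Source_State": "California", "Status": "failed"},
]

# KQL: Source_Country:"United States" and UserName:(James or Albert)
Q_US_JAMES_OR_ALBERT = {"bool": {"must": [
    {"term": {"Source_Country": "United States"}},
    {"terms": {"UserName": ["James", "Albert"]}},
]}}

# KQL: UserName:"Johny Brown" and @timestamp > "2022-01-01"
# Elasticsearch rounds a date-only `gt` bound up to the end of that day, so
# "after termination" means on or after 2022-01-02 (assumed cutoff).
Q_JOHNY_AFTER_TERMINATION = {"bool": {"must": [
    {"term": {"UserName": "Johny Brown"}},
    {"range": {"@timestamp": {"gte": "2022-01-02T00:00:00Z"}}},
]}}

# KQL: Source_IP:"10.10.3.7" and not Source_State:"New York"
Q_IP_NOT_NEW_YORK = {"bool": {
    "must": [{"term": {"Source_IP": "10.10.3.7"}}],
    "must_not": [{"term": {"Source_State": "New York"}}],
}}

# KQL: Status:"failed"            (Status is an assumed field name)
Q_FAILED = {"term": {"Status": "failed"}}

# KQL: Status:"failed" and @timestamp >= "2022-01-01" and @timestamp < "2022-02-01"
Q_FAILED_JANUARY = {"bool": {"must": [
    Q_FAILED,
    {"range": {"@timestamp": {"gte": "2022-01-01T00:00:00Z", "lt": "2022-02-01T00:00:00Z"}}},
]}}

if __name__ == "__main__":
    print("US, James or Albert:", count(EVENTS, Q_US_JAMES_OR_ALBERT))
    print("Johny Brown after termination:", count(EVENTS, Q_JOHNY_AFTER_TERMINATION))
    print("10.10.3.7 outside New York:", count(EVENTS, Q_IP_NOT_NEW_YORK))
    print("Top Source_IP:", top_terms(EVENTS, "Source_IP"))
    print("Most failed attempts:", top_terms(EVENTS, "UserName", Q_FAILED))
    print("Failed attempts in January:", count(EVENTS, Q_FAILED_JANUARY))
```

The two things worth carrying back to Kibana are the `must_not` clause, which is what KQL's `not` becomes (an `and not` that still requires the positive filter to match), and the date rounding on a bare `> "2022-01-01"`: Elasticsearch widens a date-only bound to the end of that day, so events from the termination day itself are excluded, which is usually what "after" should mean in an investigation.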