
ELK Threat hunting

📅 Published: 2026-05-07 13:49 | 🔄 Last Updated: 2026-05-07 14:36


1. Elastic Common Schema (ECS) Fundamentals

Understanding ECS is essential for threat hunting in ELK. It normalizes data from different sources (endpoint agents, network sensors, Windows event logs, cloud audit trails) into one field vocabulary, so a single query such as `event.category: authentication` matches logons regardless of which integration produced them. The `event.*` categorization fields below are the first filter in almost every hunt; note that `event.category` and `event.type` are arrays, so one event can carry several values and match more than one query.

| Field | Description | KQL examples |
|---|---|---|
| `event.category` | Groups similar events from different data sources into broad buckets (authentication, process, network, file, malware, ...) so they can be viewed or analysed together. | `event.category: authentication` <br> `event.category: process` <br> `event.category: network` <br> `event.category: (malware or intrusion_detection)` |
| `event.type` | Sub-categorizes an event within its category; combined with `event.category` it narrows results to one kind of activity, e.g. `event.category: process and event.type: start` for process launches. | `event.type: start` <br> `event.type: creation` <br> `event.type: access` <br> `event.type: deletion` |
| `event.outcome` | Records whether the action the event describes succeeded or failed. It is omitted when the outcome is unknown, so `not event.outcome: failure` also returns events that have no outcome at all. | `event.outcome: success` <br> `event.outcome: failure` |

2. Common Search Fields & Time Filtering

| Field | KQL examples | Output / purpose |
|---|---|---|
| `@timestamp` | `@timestamp: "2023-01-26"` | Events on 26 January 2023. A bare date is interpreted in Kibana's configured time zone; when the exact window matters, use the explicit range form in the next rows. |
| | `@timestamp <= "2023-01-25"` | Events timestamped on or before 25 January 2023. |
| | `@timestamp >= "2023-01-26" and @timestamp <= "2023-01-27"` | Events between 26 and 27 January 2023, inclusive. |
| `agent.name` | `agent.name: DESKTOP-*` | Events from an agent whose name starts with DESKTOP. An unquoted `*` is a wildcard; `agent.name` is a keyword field, so the match is case-sensitive. |
| `message` | `message: *powershell*` | Any log message containing powershell. `message` is an analysed text field, so `message: powershell` already matches the word wherever it appears; a leading `*` forces a scan of every indexed term and is slow on large indices. |

3. Process Related Fields

| Field | KQL examples | Output / purpose |
|---|---|---|
| `process.name` | `event.category: process and process.name: "powershell.exe"` | powershell.exe executing as a process. |
| `process.command_line` | `event.category: process and process.command_line.text: *whoami*` | A command line containing whoami. `process.command_line` is an exact-match wildcard field; its `.text` multi-field is analysed, so the search is case-insensitive and independent of the surrounding arguments. |
| `process.pid` | `event.category: process and process.pid: 6360` | The specific process ID 6360. PIDs are reused and only unique per host, so combine this with `host.name` and a time range. |
| `process.parent.name` | `event.category: process and process.parent.name: "cmd.exe"` | cmd.exe acting as the parent process. |
| `process.parent.pid` | `host.name: DESKTOP-* and event.category: process and process.command_line.text: *powershell* and process.parent.pid: 12620` | A process whose command line contains powershell and whose parent PID is 12620, on a host whose name starts with DESKTOP. |
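The parent/child fields in this table are most useful when they are chained, which a single KQL query cannot do. The following Python script is an added example (not code from the original page): it loads constructed ECS process events in NDJSON form, applies the same `event.category` / `process.*` filters as the table, follows `process.parent.pid` on the same host to build the ancestry of every shell or script host, flags chains that lead back to an Office application, and decodes any PowerShell `-EncodedCommand` payload it finds. The host names, PIDs and command lines in the sample are invented, and the lists of shells and Office parents are assumptions to tune for your environment.

```python
"""Parent/child process-tree hunt over ECS process events.

Added example, not code from the original page. The sample events below are
constructed ECS documents (NDJSON), not real telemetry.
"""
import base64
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events: one ECS document per line (host names, PIDs and
# command lines are invented for the example).
SAMPLE_NDJSON = r"""
{"@timestamp":"2023-01-26T10:00:01Z","host":{"name":"DESKTOP-A1"},"event":{"category":["process"],"type":["start"]},"process":{"name":"WINWORD.EXE","pid":4120,"command_line":"WINWORD.EXE /n C:\\Users\\bob\\invoice.docm","parent":{"name":"explorer.exe","pid":1200}}}
{"@timestamp":"2023-01-26T10:00:05Z","host":{"name":"DESKTOP-A1"},"event":{"category":["process"],"type":["start"]},"process":{"name":"cmd.exe","pid":12620,"command_line":"cmd.exe /c powershell -nop -w hidden -EncodedCommand dwBoAG8AYQBtAGkA","parent":{"name":"WINWORD.EXE","pid":4120}}}
{"@timestamp":"2023-01-26T10:00:06Z","host":{"name":"DESKTOP-A1"},"event":{"category":["process"],"type":["start"]},"process":{"name":"powershell.exe","pid":6360,"command_line":"powershell -nop -w hidden -EncodedCommand dwBoAG8AYQBtAGkA","parent":{"name":"cmd.exe","pid":12620}}}
{"@timestamp":"2023-01-26T10:01:00Z","host":{"name":"SRV-FILE01"},"event":{"category":["process"],"type":["start"]},"process":{"name":"powershell.exe","pid":7000,"command_line":"powershell.exe -File C:\\scripts\\backup.ps1","parent":{"name":"svchost.exe","pid":900}}}
{"@timestamp":"2023-01-26T10:02:00Z","host":{"name":"DESKTOP-A1"},"event":{"category":["network"],"type":["connection"]},"destination":{"ip":"23.194.192.66","port":443}}
"""

# Assumed lists: tune both to the environment being hunted.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob. PowerShell
# accepts any unambiguous prefix; this covers only the common spellings.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def load_events(ndjson: str) -> List[Dict]:
    """Parse NDJSON into a list of ECS documents, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def get(doc, path: str, default=None):
    """Read a dotted ECS path such as process.parent.pid from a nested document."""
    for part in path.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return default if doc is None else doc


def decode_encoded_command(cmdline: Optional[str]) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_process_tree(events: Iterable[Dict]) -> List[Dict]:
    """Flag shells whose ancestry, followed through process.parent.pid on the same
    host, reaches an Office application (the classic malicious-macro chain)."""
    procs = [e for e in events if "process" in get(e, "event.category", [])]
    # Index by (host, pid): PIDs are unique only per host and are reused over time,
    # so a real hunt would also bound the parent lookup by time.
    by_key = {(get(e, "host.name"), get(e, "process.pid")): e for e in procs}
    hits = []
    for e in procs:
        name = get(e, "process.name", "").lower()
        if name not in SHELLS:
            continue
        host, chain, cur, seen = get(e, "host.name"), [name], e, set()
        while cur is not None:
            key = (host, get(cur, "process.pid"))
            if key in seen:  # guard against a PID-reuse cycle in the index
                break
            seen.add(key)
            parent_name = get(cur, "process.parent.name", "").lower()
            chain.append(parent_name)
            if parent_name in OFFICE_PARENTS:
                hits.append({
                    "host": host,
                    "pid": get(e, "process.pid"),
                    "chain": " <- ".join(chain),
                    "decoded_command": decode_encoded_command(get(e, "process.command_line")),
                })
                break
            cur = by_key.get((host, get(cur, "process.parent.pid")))
    return hits


if __name__ == "__main__":
    for hit in hunt_process_tree(load_events(SAMPLE_NDJSON)):
        print(hit)
```

Run against the sample, the script reports cmd.exe (PID 12620) and powershell.exe (PID 6360) on DESKTOP-A1 with the chain `powershell.exe <- cmd.exe <- winword.exe` and the decoded payload `whoami`; the backup script on SRV-FILE01 is ignored because its chain ends at svchost.exe. In Kibana the same events can be pulled with the table's `event.category: process and process.parent.pid: ...` query, but the walk up the tree has to happen outside KQL.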

4. Network Related Fields

| Field | KQL examples | Output / purpose |
|---|---|---|
| `source.ip` | `source.ip: 127.0.0.1` | Logs whose source is the loopback address. |
| `destination.ip` | `destination.ip: 23.194.192.66` | Logs whose destination is 23.194.192.66. |
| `destination.port` | `destination.port: 443` | Network logs targeting port 443. The port alone does not prove the protocol; pair it with `network.transport` or the application-layer field your data source populates when that matters. |
| `dns.question.name` | `dns.question.name: "www.youtube.com"` | DNS resolutions for www.youtube.com. |
| `dns.response_code` | `dns.response_code: "NXDOMAIN"` | DNS responses for names that do not exist. A high NXDOMAIN rate from a single host is a common sign of a domain-generation algorithm or stale malware configuration. |
| `destination.geo.country_name` | `destination.geo.country_name: "Canada"` | Outbound traffic to destinations geolocated in Canada. Requires GeoIP enrichment of the event; without it the field is absent and the query matches nothing. |

5. Authentication Related Fields

| Field | KQL examples | Output / purpose |
|---|---|---|
| `user.name` | `event.category: "authentication" and user.name: "administrator" and event.outcome: "failure"` | Failed login attempts against the username administrator. `user.name` is a keyword field and therefore case-sensitive; use `user.name.text` for a case-insensitive match. |
| `winlog.logon.type` | `event.category: "authentication" and winlog.logon.type: "Network"` | Authentication over the network (Windows logon type 3). The `winlog.*` fields come from the Windows event log integration and are not part of ECS, so they exist only on Windows events. |
| | `event.category: "authentication" and winlog.logon.type: "RemoteInteractive"` | RDP (Remote Desktop) authentication (Windows logon type 10). |
| `winlog.event_data.AuthenticationPackageName` | `event.category: "authentication" and event.action: "logged-in" and winlog.logon.type: "Network" and user.name.text: "administrator" and event.outcome: "success" and winlog.event_data.AuthenticationPackageName: "NTLM"` | Successful network logons as administrator authenticated with NTLM. NTLM network logons to privileged accounts deserve review in environments that expect Kerberos, and many of them from one source are a pass-the-hash indicator. |
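Every query in this table is stateless: it returns the failed or the successful logons, but not "a success that follows a burst of failures from the same source", which is the pattern that separates a password spray or brute force from ordinary typos. The Python script below is an added example, not code from the original page. It builds constructed ECS authentication documents carrying the same `event.*`, `user.name`, `source.ip` and `winlog.*` fields the table queries, applies the same filters, and then adds the correlation step: successes preceded by a threshold number of failures for the same (user, source IP) pair inside a sliding window. User names, hosts, IPs and the threshold are invented assumptions.

```python
"""Failed-then-successful logon correlation over ECS/Winlogbeat authentication events.

Added example, not code from the original page. All events are constructed
(user names, hosts and source IPs are invented).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


def _auth_event(ts: str, user: str, src_ip: str, outcome: str,
                logon_type: str, package: str, host: str = "SRV-DC01") -> Dict:
    """Build one constructed ECS authentication document with the winlog.* fields
    the table above queries."""
    return {
        "@timestamp": ts,
        "host": {"name": host},
        "event": {"category": ["authentication"], "action": "logged-in", "outcome": outcome},
        "user": {"name": user},
        "source": {"ip": src_ip},
        "winlog": {"logon": {"type": logon_type},
                   "event_data": {"AuthenticationPackageName": package}},
    }


# Constructed sample: five NTLM network-logon failures against administrator from
# one source within a minute, then a success; plus unrelated legitimate activity.
SAMPLE_EVENTS: List[Dict] = (
    [_auth_event(f"2023-01-26T11:00:{s:02d}Z", "administrator", "10.0.0.23", "failure", "Network", "NTLM")
     for s in range(0, 50, 10)]
    + [_auth_event("2023-01-26T11:00:50Z", "Administrator", "10.0.0.23", "success", "Network", "NTLM"),
       _auth_event("2023-01-26T11:00:15Z", "administrator", "10.0.0.99", "failure", "Network", "NTLM"),
       _auth_event("2023-01-26T11:05:00Z", "bob", "10.0.0.50", "success", "RemoteInteractive", "Kerberos"),
       {"@timestamp": "2023-01-26T11:06:00Z", "event": {"category": ["process"]}, "process": {"name": "cmd.exe"}}]
)


def get(doc, path: str, default=None):
    """Read a dotted ECS path such as winlog.logon.type from a nested document."""
    for part in path.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return default if doc is None else doc


def parse_ts(ts: str) -> datetime:
    """Parse ISO-8601 with a trailing Z (fromisoformat accepts 'Z' only from Python 3.11)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hunt_failures_then_success(events: Iterable[Dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Report successful logons preceded by at least `threshold` failures for the
    same (user, source.ip) pair inside `window`. This is the stateful step KQL
    cannot express on its own."""
    auth = sorted((e for e in events if "authentication" in get(e, "event.category", [])),
                  key=lambda e: e["@timestamp"])
    recent_failures = defaultdict(list)  # (user, source ip) -> timestamps of failures in window
    hits = []
    for e in auth:
        # Lower-case the user: user.name is a keyword field, so "Administrator" and
        # "administrator" would otherwise be tracked as two accounts.
        key = (get(e, "user.name", "").lower(), get(e, "source.ip"))
        ts = parse_ts(e["@timestamp"])
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        outcome = get(e, "event.outcome")
        if outcome == "failure":
            recent_failures[key].append(ts)
        elif outcome == "success" and len(recent_failures[key]) >= threshold:
            hits.append({
                "user": key[0], "source_ip": key[1], "host": get(e, "host.name"),
                "failures_before_success": len(recent_failures[key]),
                "logon_type": get(e, "winlog.logon.type"),
                "package": get(e, "winlog.event_data.AuthenticationPackageName"),
                "at": e["@timestamp"],
            })
            recent_failures[key].clear()
    return hits


if __name__ == "__main__":
    for hit in hunt_failures_then_success(SAMPLE_EVENTS):
        print(hit)
```

On the sample this reports one hit: administrator from 10.0.0.23 succeeding over NTLM network logon after five failures, while the single failure from 10.0.0.99 and bob's RDP logon stay quiet. In production the same logic is usually expressed as an aggregation or an ES|QL query rather than pulled into a script, but the structure (filter with the table's fields, then group by user and source and look at order in time) is the same.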

6. Web & Application Layer (HTTP / TLS)

| Field | KQL examples | Output / purpose |
|---|---|---|
| `network.application` | `network.application: "http"` <br> `network.application: "tls"` | Traffic identified as HTTP or TLS (HTTPS) by content inspection, regardless of the port used. Integrations differ on where they record the layer-7 protocol: ECS also defines `network.protocol`, and the Zeek and Suricata integrations populate that field, so check which one your data carries. |
| `http.request.method` | `event.category: "network" and http.request.method: "POST"` | HTTP POST requests, often reviewed for data exfiltration, malware upload and C2 beacons. |
| `url.domain` | `url.domain: (pastebin.com or *.pastebin.com)` <br> `url.domain: *.ngrok.io` | Requests to a given domain and its subdomains. The wildcard must be unquoted: inside double quotes KQL treats `*` as a literal character, so `"*pastebin.com*"` would match only that exact string. `url.*` is populated only where the log carries a URL (proxy logs, Zeek http.log); for HTTPS without decryption, query the SNI in `tls.client.server_name` instead. |
| `url.path` | `url.path: "/login.php"` <br> `url.query: *cmd=*` | Requests for a specific path, or carrying a suspicious parameter. `url.path` holds only the path; the query string is in `url.query`, and `url.original` holds the full URL as seen in the log. |
| `http.response.status_code` | `http.response.status_code: 200` <br> `http.response.status_code: (401 or 403 or 404)` | Successful transactions (200), or errors such as unauthorized (401/403) and not found (404). Many 404s from one source in a short time indicate directory brute-forcing; pair the filter with `source.ip` to see who is scanning. |

7. Lateral Movement & Advanced DNS

| Field | KQL examples | Output / purpose |
|---|---|---|
| `network.application` (SMB) | `network.application: "smb"` <br> `destination.port: 445 and network.transport: "tcp"` | Server Message Block (SMB) traffic. Crucial for detecting internal lateral movement (PsExec, pass-the-hash, ransomware spreading). Baseline normal workstation-to-server SMB first; workstation-to-workstation SMB is the interesting outlier. |
| `file.path` (over the network) | `network.application: "smb" and file.path: *C$\\Windows\\System32*` | Files accessed or transferred over SMB on the administrative share C$. Backslash is the KQL escape character, so each `\` in the path is written as `\\`. Which field carries the share path depends on the SMB data source. |
| `dns.question.type` | `dns.question.type: "TXT"` <br> `dns.question.type: "MX"` | Queries for a specific record type. TXT lookups are legitimate in bulk (SPF, DKIM, DMARC, domain verification), but a high volume of TXT queries from one host for long, changing subdomains of a single domain is the classic DNS-tunnelling / C2 pattern. |
| `dns.question.name` (long queries) | `dns.question.name: /.{50,}\.com/` (Lucene syntax) | Unusually long query names (50 or more characters before the final .com label), an indicator of data exfiltration over DNS. KQL has no regular-expression support, so switch the query bar to Lucene syntax for this one. A Lucene regex must match the whole value, and the length of the full name also catches legitimate CDN and cloud names; measuring the subdomain part alone is more precise. |
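The two DNS rows above (TXT volume and query-name length) and the NXDOMAIN row in section 4 are all facets of one hunt, and a whole-name length regex is the crudest version of it. The Python script below is an added example, not code from the original page. It aggregates constructed ECS DNS documents per (host, registered domain) and computes, for each group, the query count, TXT ratio, NXDOMAIN ratio, average subdomain length and average subdomain entropy; it scores only the subdomain, since that is where a tunnel encodes its data. It prefers ECS's own `dns.question.registered_domain` / `dns.question.subdomain` when present and otherwise falls back to a naive last-two-labels split, which is a stated simplification (no public suffix list). The domains, host name and thresholds in the sample are invented.

```python
"""Per-host, per-domain DNS profiling for tunnelling and exfiltration hunting.

Added example, not code from the original page. Sample events are constructed,
and the thresholds are starting points to tune, not validated detection logic.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple


def _dns_event(host: str, qname: str, qtype: str, rcode: str = "NOERROR") -> Dict:
    """One constructed ECS DNS document using the fields queried in the tables above."""
    return {"event": {"category": ["network"]}, "host": {"name": host},
            "dns": {"question": {"name": qname, "type": qtype}, "response_code": rcode}}


# 40-character labels with many distinct symbols, as a tunnel encoder would emit.
TUNNEL_LABELS = [
    "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0",
    "u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0",
    "o1p2q3r4s5t6u7v8w9x0y1z2a3b4c5d6e7f8g9h0",
    "i1j2k3l4m5n6o7p8q9r0s1t2u3v4w5x6y7z8a9b0",
]

SAMPLE_EVENTS: List[Dict] = (
    [_dns_event("DESKTOP-A1", f"{label}.tunnel.example", "TXT") for label in TUNNEL_LABELS]
    # Legitimate TXT lookups: mail-hygiene records with short or empty subdomains.
    + [_dns_event("DESKTOP-A1", "_dmarc.example.com", "TXT"),
       _dns_event("DESKTOP-A1", "selector1._domainkey.example.com", "TXT"),
       _dns_event("DESKTOP-A1", "example.com", "TXT"),
       _dns_event("DESKTOP-A1", "www.youtube.com", "A"),
       _dns_event("DESKTOP-A1", "www.youtube.com", "A"),
       _dns_event("DESKTOP-A1", "www.youtube.com", "A"),
       _dns_event("DESKTOP-A1", "mail.google.com", "A"),
       _dns_event("DESKTOP-A1", "typo.internal.corp", "A", "NXDOMAIN")]
)


def get(doc, path: str, default=None):
    """Read a dotted ECS path such as dns.question.type from a nested document."""
    for part in path.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return default if doc is None else doc


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex/base32 data scores roughly 3.5-4, plain words 2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split a query name into (subdomain, registered domain) with a naive
    last-two-labels rule. Simplification: no public suffix list, so names under
    suffixes like co.uk are split wrongly; prefer dns.question.registered_domain."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_dns(events: Iterable[Dict], min_queries: int = 3,
                len_threshold: int = 30, entropy_threshold: float = 3.5) -> List[Dict]:
    """Aggregate DNS queries per (host, registered domain) and score each group.
    Scoring the subdomain rather than the whole name avoids the false positives a
    blanket length regex raises on long but legitimate CDN and cloud names."""
    groups = defaultdict(lambda: {"queries": 0, "txt": 0, "nxdomain": 0, "lens": [], "ents": []})
    for e in events:
        qname = get(e, "dns.question.name")
        if qname is None or "network" not in get(e, "event.category", []):
            continue
        qname = qname.lower()
        reg = get(e, "dns.question.registered_domain")  # ECS-provided split, if any
        sub = get(e, "dns.question.subdomain", "")
        if reg is None:
            sub, reg = split_name(qname)
        g = groups[(get(e, "host.name"), reg)]
        g["queries"] += 1
        g["txt"] += int(get(e, "dns.question.type") == "TXT")
        g["nxdomain"] += int(get(e, "dns.response_code") == "NXDOMAIN")
        g["lens"].append(len(sub))
        g["ents"].append(shannon_entropy(sub.replace(".", "")))
    rows = []
    for (host, reg), g in groups.items():
        if g["queries"] < min_queries:  # too few queries to say anything
            continue
        avg_len = sum(g["lens"]) / g["queries"]
        avg_ent = sum(g["ents"]) / g["queries"]
        txt_ratio = g["txt"] / g["queries"]
        rows.append({
            "host": host, "registered_domain": reg, "queries": g["queries"],
            "txt_ratio": txt_ratio, "nxdomain_ratio": g["nxdomain"] / g["queries"],
            "avg_subdomain_len": avg_len, "avg_subdomain_entropy": round(avg_ent, 2),
            # Long AND high-entropy subdomains, or a TXT-heavy stream of long names.
            "suspicious": (avg_len >= len_threshold and avg_ent >= entropy_threshold)
                          or (txt_ratio >= 0.5 and avg_len >= 20),
        })
    return sorted(rows, key=lambda r: (not r["suspicious"], -r["avg_subdomain_len"]))


if __name__ == "__main__":
    for row in profile_dns(SAMPLE_EVENTS):
        print(row)
```

On the sample, tunnel.example is flagged (four TXT queries, 40-character subdomains with entropy near 4.8 bits per character), while example.com, which has the same 100% TXT ratio but short subdomains, and www.youtube.com are not; mail.google.com and the NXDOMAIN typo are dropped by the minimum-query filter. The same grouping maps onto a Kibana visualisation or an ES|QL `STATS ... BY host.name, dns.question.registered_domain` once the subdomain length is available as a field.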