An introductory ELK challenge to get you started with Kibana.



Overnight we've had an attack on our network, we have two devices in the cloud and it appears both have been compromised.

The attack appears to have taken place on the 25th of May between 9pm and 11:30pm. Our network is composed of one box that is front facing with an SSH port open to the web and a second server behind it running an old Elastic Stack. Please recover the information requested in these challenges so we can piece together what happened.


Thanks, OussHr and th3c0rt3x for reveweing the challenge.


# Question Weight Solved
1 Using the "View Surrounding Documents" option, find the ID of the document that is 14 documents after the id GDQOB3IBwJHf9VOW-r0Y? 50 59

2 Using the "View Surrounding Documents" option, find the ip of the document that is 16 documents before the id vDQOB3IBwJHf9VOW-Lyd? 50 58

3 How many requests have come from the IP address between the 6th of May and the 13th of May? (time is in UTC) 50 74

4 What percentage of logs are from windows 8 machines on the 11th of May? (time is in UTC) 50 48

5 How many 503 errors were there on the 8th of May? (time is in UTC) 50 71

6 How many connections to the host "" were made on the 12th of May? (time is in UTC) 50 65

7 What is the second most common extension of files being accessed on the 12th of May? (time is in UTC) 50 64

8 Find the first IP address to connect to the host on the 12th of May. (time is in UTC) 50 66

9 What was the username used that failed to log in on the 15th of May at 10:44 pm? (time is in UTC) 50 51

10 What's the host machine's hostname? 50 54

11 Using current data, what version of the stack is running? 50 59

12 Using current data in the auditbeat index, what is the name of the elasticsearch node? 50 32

13 What is the name of the beat to collect windows logs? 50 56

14 What is the name of the beat that sends network data? 50 54

15 What are the three core programs in an ELK stack? 50 61

16 How many fields are in the auditbeat-* index pattern? 50 42

17 On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC) 100 40

18 On the 13th and 14th of May, how many bytes were received by the source IP (time is in UTC) 100 34

19 What username did they crack? 100 37

20 What host was attacked? 100 35

21 How many were failed attempts made on the machine? 100 29

22 What time was the last failed attempted login? 100 31

23 What time did the attacker successfully login? 100 31

24 What is the first command the attacker ran on the box? 100 30

25 What tool did the attacker use to get the exploit onto the machine? 100 35

26 Shortly after getting the exploit on the machine, the attacker used vim to create a file. What is the name of that file? 100 33

27 What is the filename of the exploit that was run? 100 34

28 What is the first ID of the log that shows the exploit being run? 100 17

29 What parameter turned the script from testing to exploiting? 150 29

30 Using filebeat data - What IP was the shell sent to? 150 31

31 Using filebeat data - After running the exploit, they accessed the /etc/passwd file, what is the ID of the doc that shows this? 150 21

32 Using filebeat data - We think they created a new user. What was the name of that user? 150 23