diff --git a/doc/ElasticStackImport/01-SOF-ELK-Bootup.png b/doc/ElasticStackImport/01-SOF-ELK-Bootup.png new file mode 100644 index 00000000..b37c8e31 Binary files /dev/null and b/doc/ElasticStackImport/01-SOF-ELK-Bootup.png differ diff --git a/doc/ElasticStackImport/02-Kibana.png b/doc/ElasticStackImport/02-Kibana.png new file mode 100644 index 00000000..7a70aab7 Binary files /dev/null and b/doc/ElasticStackImport/02-Kibana.png differ diff --git a/doc/ElasticStackImport/03-Integrations.png b/doc/ElasticStackImport/03-Integrations.png new file mode 100644 index 00000000..5249b941 Binary files /dev/null and b/doc/ElasticStackImport/03-Integrations.png differ diff --git a/doc/ElasticStackImport/04-IntegrationsImportCSV.png b/doc/ElasticStackImport/04-IntegrationsImportCSV.png new file mode 100644 index 00000000..2f8ca532 Binary files /dev/null and b/doc/ElasticStackImport/04-IntegrationsImportCSV.png differ diff --git a/doc/ElasticStackImport/05-OverrideSettings.png b/doc/ElasticStackImport/05-OverrideSettings.png new file mode 100644 index 00000000..25c57737 Binary files /dev/null and b/doc/ElasticStackImport/05-OverrideSettings.png differ diff --git a/doc/ElasticStackImport/06-OverrideSettingsConfig.png b/doc/ElasticStackImport/06-OverrideSettingsConfig.png new file mode 100644 index 00000000..40f77f30 Binary files /dev/null and b/doc/ElasticStackImport/06-OverrideSettingsConfig.png differ diff --git a/doc/ElasticStackImport/07-CSV-Import.png b/doc/ElasticStackImport/07-CSV-Import.png new file mode 100644 index 00000000..7abd3a09 Binary files /dev/null and b/doc/ElasticStackImport/07-CSV-Import.png differ diff --git a/doc/ElasticStackImport/08-ImportDataSettings.png b/doc/ElasticStackImport/08-ImportDataSettings.png new file mode 100644 index 00000000..74f3ab2c Binary files /dev/null and b/doc/ElasticStackImport/08-ImportDataSettings.png differ 
diff --git a/doc/ElasticStackImport/09-ImportFinish.png b/doc/ElasticStackImport/09-ImportFinish.png new file mode 100644 index 00000000..9a5c6df1 Binary files /dev/null and b/doc/ElasticStackImport/09-ImportFinish.png differ diff --git a/doc/ElasticStackImport/10-Discover.png b/doc/ElasticStackImport/10-Discover.png new file mode 100644 index 00000000..acc4d1bf Binary files /dev/null and b/doc/ElasticStackImport/10-Discover.png differ diff --git a/doc/ElasticStackImport/11-Dashboard.png b/doc/ElasticStackImport/11-Dashboard.png new file mode 100644 index 00000000..4af4a7d6 Binary files /dev/null and b/doc/ElasticStackImport/11-Dashboard.png differ diff --git a/doc/ElasticStackImport/ElasticStackImport-English.md b/doc/ElasticStackImport/ElasticStackImport-English.md new file mode 100644 index 00000000..984062e6 --- /dev/null +++ b/doc/ElasticStackImport/ElasticStackImport-English.md 
@@ -0,0 +1,79 @@ +# Importing Results Into Elastic Stack + +## Start an elastic stack distribution + +Hayabusa results can easily be imported into Elastic Stack. We recommend using [SOF-ELK](https://github.com/philhagen/sof-elk/blob/main/VM_README.md), a free elastic stack Linux distro focused on DFIR investigations. + +First download and unzip the SOF-ELK 7-zipped VMware image from [http://for572.com/sof-elk-vm](http://for572.com/sof-elk-vm). + +* Username: `elk_user` +* Password: `forensics` + +When you boot up the VM, you will get a screen similar to below: + +![SOF-ELK Bootup](01-SOF-ELK-Bootup.png) + +Open Kibana in a web browser according to the URL displayed. For example: http://172.16.62.130:5601/ + +>> Note: it may take a while for Kibana to load. + +You should see a webpage as follows: + +![SOF-ELK Kibana](02-Kibana.png) + +## Import the CSV results + +Click the sidebar icon in top-lefthand corner and open `Integrations`. + +![Integrations](03-Integrations.png) + +Type in `csv` in the search bar and click `Import a file`. + +![CSV Upload](04-IntegrationsImportCSV.png) + +After uploading the CSV file, click `Override settings` to specify the correct timestamp format. + +![Override Settings](05-OverrideSettings.png) + +Perform the following changes and then click `Apply`: + 1. Change `Timestamp format` to `custom`. + 2. Specify the format as `yyyy-MM-dd HH:mm:ss.SSS XXX` + 3. Change the `Time field` to `Timestamp`. + +![Override Settings Config](06-OverrideSettingsConfig.png) + +Now click `Import` in the bottom left-hand corner. + +![CSV Import](07-CSV-Import.png) + +Click on `Advanced` and perform the following settings: + 1. Title the `Index name` as `evtxlogs-hayabusa`. + 2. Under `Index settings`, add `, "number_of_replicas": 0` so that the index health status does not turn yellow. + 3. Under `Mappings`, change the `RuleTitle` type of `text` to `keyword` so that we can do statistics on the rule titles. + 4. 
Under `Ingest pipeline`, add `, "field": "Timestamp"` under the `remove` section. Timestamps will be displayed as `@timestamp` so this duplicate field is not needed. + +Settings should look similar to below: + +![Import Data Settings](08-ImportDataSettings.png) + +After importing, you should receive something similar to below: + +![Import Finish](09-ImportFinish.png) + +You can now click `View index in Discover` to view the results. + +## Analyzing results + +The default Discover view should look similar to this: + +![Discover View](10-Discover.png) + + + +Level: "critical" + +*LatMov* +"Password Spray" + + +https://qiita.com/kzzzzo2/items/ead8ccc77b7609143749 \ No newline at end of file
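Review bot: the `## Analyzing results` section at the end of the ElasticStackImport-English.md hunk is incomplete: after the Discover screenshot it trails off into bare fragments (`Level: "critical"`, `*LatMov*`, `"Password Spray"` and a qiita.com URL) with no sentence saying what they are or where to type them, and `11-Dashboard.png`, added earlier in this patch, is never referenced from the markdown. Suggest giving each fragment a one-line explanation (if they are intended as Discover search filters, say so and show where the query bar is), embedding the dashboard screenshot with a short caption, and adding the trailing newline the file currently lacks. Two smaller points in the same hunk: `>> Note: it may take a while for Kibana to load.` is a nested blockquote and should be a single `>`, and step 2 of the index `Advanced` settings would read more clearly if the `, "number_of_replicas": 0` snippet showed the surrounding JSON it is meant to be pasted into.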