I'm testing out a hosted ELK stack, and am forwarding Windows logs there. One of the logs in question is an "AppLocker" log which lists the applications that ran or were blocked on each machine.
Each AppLocker log entry contains a field called user_data.FileHash which contains a SHA1 hash of the binary in question, as well as another field called user_data.FilePath.
What I want to achieve is a "Top 10 Binaries (that were executed in the whole environment)" data table. I can get the below view using user_data.FileHash, which gets me the list of the top binaries that ran:
What I'd like to achieve, though, is something like this:
I want the count from the first screenshot, but I want to display the corresponding File Path rather than the File Hash which is a bit meaningless to a human observer.
Any ideas how this total ELK newbie could achieve this?
If there's only one file path for each hash, you could simply do a terms agg on the FilePath field instead. However, I'm guessing each hash might get logged with different FilePath's, is that correct? If so, you're question is how you might normalize those different file paths?
Yes, they are often logged with different file paths.
It’s kind of hard to explain, but if I have two hashes with different paths, I wouldn’t be fussed if the visualisation just returned one of the paths. As a nice-to-have, it would maybe be nice to use a regex to extract the file name out of the full path.
The only downside is that you can't hide the hash column, hopefully that's not too big a deal.
If you want to go the extra mile and extract the filename, you could do that with a scripted field. Then you would simply select the scripted field in the Top Hit metric config instead. Keep in mind scripted fields run at query time and can impact performance so if you find yourself using this field often you might want to consider extracting a "filename" field at ingest time with either logstash or Elasticsearch's ingest pipelines.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
