Elastic Query for Windows user accounts, excluding computer accounts

I am trying to write a query for a machine learning rule which filters for Windows Event Log 4625 but excludes all logs where the username contains a $ symbol (excluding computer accounts)

I have gotten this far but can't get the query to validate, nor do I know if my regex is even correct because various characters are reserved in Lucene.

{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "winlog.event_id": "4625"
          }
        }
      ],
      "must_not": [
        {
          "query": {
            "regexp": {
              "user.name": {
                "value": "$"
              }
            }
          }
        }
      ]
    }
  }
}

The error is:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "[x_content_parse_exception: [parsing_exception] Reason: unknown query [query]]: [1:129] [bool] failed to parse field [filter]",
  "attributes": {
    "body": {
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "unknown query [query]",
            "line": 1,
            "col": 129
          }
        ],
        "type": "x_content_parse_exception",
        "reason": "[1:129] [bool] failed to parse field [filter]",
        "caused_by": {
          "type": "parsing_exception",
          "reason": "unknown query [query]",
          "line": 1,
          "col": 129,
          "caused_by": {
            "type": "named_object_not_found_exception",
            "reason": "[1:129] unknown field [query]"
          }
        }
      },
      "status": 400
    }
  }
}

Can anyone help me understand where my query is going wrong?

You cannot have another query in your must_not section. And you need a proper regexp. So it should really look like:

POST test/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "winlog.event_id": "4625"
          }
        }
      ],
      "must_not": [
        {
          "regexp": {
            "user.name": {
              "value": ".*\\$"
            }
          }
        }
      ]
    }
  }
}
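An added example, not part of the original thread, to show why the shape of the regexp matters here. Elasticsearch `regexp` queries are anchored to the whole keyword term, so a pattern that begins with `$` only matches names that start with a dollar sign, while Windows computer accounts end with one (`HOST01$`). The script below builds the bool query with the `regexp` clause placed directly in `must_not` and applies it locally to a handful of constructed 4625/4624 events; `re.fullmatch` stands in for the anchored Lucene matcher (an assumption that holds for these simple patterns, with `$` escaped because it is an anchor in Python but a plain character in Lucene syntax).

```python
import json
import re
from typing import Iterable

# Constructed sample events (not real log data), ECS-style field names only.
SAMPLE_EVENTS = [
    {"winlog.event_id": "4625", "user.name": "alice"},
    {"winlog.event_id": "4625", "user.name": "WORKSTATION01$"},  # computer account
    {"winlog.event_id": "4625", "user.name": "svc_backup"},
    {"winlog.event_id": "4625", "user.name": "DC01$"},           # computer account
    {"winlog.event_id": "4624", "user.name": "bob"},             # successful logon, not 4625
    {"winlog.event_id": "4625", "user.name": "$weird"},          # leading $, not a computer account
]


def build_query(exclude_pattern: str) -> dict:
    """Bool query with the regexp clause directly inside must_not (no nested "query" key)."""
    return {
        "query": {
            "bool": {
                "must": [{"match": {"winlog.event_id": "4625"}}],
                "must_not": [{"regexp": {"user.name": {"value": exclude_pattern}}}],
            }
        }
    }


def query_as_json(exclude_pattern: str) -> str:
    """Serialise the query as it would be sent to _search; shows the JSON escaping of the backslash."""
    return json.dumps(build_query(exclude_pattern), indent=2)


def regexp_matches(pattern: str, term: str) -> bool:
    """Emulate an Elasticsearch regexp query: the pattern must cover the whole term,
    hence re.fullmatch rather than re.search."""
    return re.fullmatch(pattern, term) is not None


def apply_query(query: dict, events: Iterable[dict]) -> list:
    """Apply the bool query locally and return the user.name values that survive."""
    bool_q = query["query"]["bool"]
    wanted_id = bool_q["must"][0]["match"]["winlog.event_id"]
    pattern = bool_q["must_not"][0]["regexp"]["user.name"]["value"]
    return [
        ev["user.name"]
        for ev in events
        if ev["winlog.event_id"] == wanted_id
        and not regexp_matches(pattern, ev["user.name"])
    ]


def leading_dollar_pattern() -> str:
    # Equivalent of the Lucene pattern "$.*": only terms that START with $ match.
    return r"\$.*"


def trailing_dollar_pattern() -> str:
    # Equivalent of the Lucene pattern ".*\$": terms that END with $, i.e. computer accounts.
    return r".*\$"


if __name__ == "__main__":
    print(query_as_json(trailing_dollar_pattern()))
    print("leading $ excluded :", apply_query(build_query(leading_dollar_pattern()), SAMPLE_EVENTS))
    print("trailing $ excluded:", apply_query(build_query(trailing_dollar_pattern()), SAMPLE_EVENTS))
```

With the leading-dollar pattern both computer accounts survive the filter, which is the opposite of what the rule wants; with the trailing-dollar pattern they are dropped and only user accounts reach the machine learning job. A leading `.*` makes the regexp query walk every term in the field, so on a large index a `wildcard` query of `*$` on the keyword field, or a `NOT user.name:*$` filter in the rule's KQL, does the same job more cheaply.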
