I am trying to write a query for a machine learning rule which filters for Windows Event Log 4625 but excludes all logs where the username contains a $ symbol (excluding computer accounts)
I have gotten this far but cant get the query to validate, nor do I know if my regex is even correct because various characters are reserved in lucene.
{
"query": {
"bool": {
"must": [
{
"match": {
"winlog.event_id": "4625"
}
}
],
"must_not": [
{
"query": {
"regexp": {
"user.name": {
"value": "$"
}
}
}
}
]
}
}
}
The error is:
{
"statusCode": 400,
"error": "Bad Request",
"message": "[x_content_parse_exception: [parsing_exception] Reason: unknown query [query]]: [1:129] [bool] failed to parse field [filter]",
"attributes": {
"body": {
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "unknown query [query]",
"line": 1,
"col": 129
}
],
"type": "x_content_parse_exception",
"reason": "[1:129] [bool] failed to parse field [filter]",
"caused_by": {
"type": "parsing_exception",
"reason": "unknown query [query]",
"line": 1,
"col": 129,
"caused_by": {
"type": "named_object_not_found_exception",
"reason": "[1:129] unknown field [query]"
}
}
},
"status": 400
}
}
}
Can anyone help me understand where my query is going wrong?