Event Filter endpoint agent via Kibana (Fleet) with wildcards

Situation: I'm deploying endpoint security via Fleet and Elastic Agent. Many of the default settings cause the agents to be extremely chatty, shipping many uninteresting, chatty logs. I want to filter out some of these events, and it seems that the Official Method is to use Security>Endpoints>Event filters.

The problem is that one of the types of superfluous logs being generated is, e.g., file operations done by docker, which are a LOT; however, they're easy to identify as they all happen in /var/lib/docker/. Other sources of chatty logs have similar situations.

Unfortunately, it seems like I'm not able to use a wildcard like 'file.path' is '/var/lib/docker/*'. The Event filter takes it, but.... doesn't work. I've tried various combinations of file.path, file.path.text, escape and wildcard characters, but I can't seem to filter out anything using Event filters unless it's an exact match to the field I'm using.

Prior to Elastic Agent, I would just pop a 'drop' processor into the filebeat.yml, or whatever, to filter out these logs, but there doesn't seem to be a way to add custom processors to most Elastic Agent integrations, including Endpoint security. I guess I could try modifying the ingest pipeline, but I'd rather use the Official Method, for scalability and maintainability reasons.

TL;DR Wildcards don't seem to work with Event Filters; can this be fixed/am I doing it wrong/how do I add processors to Endpoint security?
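For comparison, this is the Beats-era `drop_event` processor the post refers to, written as an added example (not from the original post or from Elastic's documentation); it assumes a standard Filebeat/Auditbeat `filebeat.yml` and the `file.path` field name used above, and it is not a substitute for Endpoint event filters:

```yaml
# Constructed example: drop file events under /var/lib/docker/ at the agent,
# before they are shipped. Applies only to Beats, not to Elastic Agent's
# Endpoint integration, which does not expose custom processors.
processors:
  - drop_event:
      when:
        regexp:
          # anchored regex rather than a glob: matches the directory prefix,
          # so '/var/lib/docker/overlay2/...' is dropped but '/var/lib/dockerx' is not
          file.path: '^/var/lib/docker/'
```

Note that `drop_event` conditions take a regular expression, not a shell-style `*` wildcard, which is one reason a literal `/var/lib/docker/*` pattern can silently match nothing.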

That's odd. I think they should be supported. See: Kibana queries and filters | Packetbeat Reference [7.15] | Elastic

Would you mind posting a screenshot here?

Not at all.
