Filtering out event_data.TargetUserName ending in $

Trying to figure out how to create a working Kibana filter to filter out where event_data.TargetUserName ends in a dollar sign ($), for example computer accounts in AD or managed service accounts.

And by filtering out I mean remove from the results.

Anyone?

I would like to invert this, to say "does not contain $":

{
  "query": {
    "regexp": {
      "event_data.TargetUserName": "[a-zA-Z0-9-_]{1,32}"
    }
  }
}

Solved it like this, but maybe it's not the most efficient search, performance-wise:

{
  "query": {
    "regexp": {
      "event_data.TargetUserName": "[^$]{1,64}"
    }
  }
}

If anyone has a better, more efficient query, I will gladly take it :slight_smile:
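Added example (not from the thread, not Elastic's code): the two query shapes above, evaluated against constructed sample logon events with a small evaluator that reproduces the one Lucene rule that matters here, namely that regexp and wildcard queries are anchored to the whole field value. It shows the side effect of the `[^$]{1,64}` approach (a legitimate account name longer than 64 characters is also dropped) beside an assumed alternative, a `bool` / `must_not` / `wildcard` query with `*$`, which excludes only names ending in `$`. Field name, sample values and the alternative query are assumptions for illustration.

```python
import re

# Constructed sample events (not from the thread). Names ending in "$" stand
# in for AD computer accounts and managed service accounts.
SAMPLE_DOCS = [
    {"event_data": {"TargetUserName": "alice"}},
    {"event_data": {"TargetUserName": "WORKSTATION01$"}},
    {"event_data": {"TargetUserName": "svc_sql$"}},
    {"event_data": {"TargetUserName": "a" * 70}},  # human account, but > 64 chars
    {"event_data": {"TargetUserName": "ANONYMOUS LOGON"}},
]

FIELD = "event_data.TargetUserName"


def regexp_query(field, pattern):
    """The shape the thread settled on: a top-level regexp query."""
    return {"query": {"regexp": {field: pattern}}}


def must_not_wildcard_query(field, pattern):
    """Assumed alternative: exclude wildcard matches with bool/must_not."""
    return {"query": {"bool": {"must_not": {"wildcard": {field: pattern}}}}}


def get_field(doc, dotted):
    """Resolve a dotted field name such as event_data.TargetUserName."""
    value = doc
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def wildcard_to_regex(pattern):
    """Translate Lucene wildcard syntax (* and ?) into a Python regex."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def matches(clause, doc):
    """Evaluate the subset of query DSL used above against one document.

    Lucene regexp and wildcard queries match the entire field value, so
    re.fullmatch (not re.search) is the correct emulation.
    """
    kind, body = next(iter(clause.items()))
    if kind == "regexp":
        field, pattern = next(iter(body.items()))
        value = get_field(doc, field)
        return value is not None and re.fullmatch(pattern, value) is not None
    if kind == "wildcard":
        field, pattern = next(iter(body.items()))
        value = get_field(doc, field)
        return (value is not None
                and re.fullmatch(wildcard_to_regex(pattern), value) is not None)
    if kind == "bool":
        must_not = body.get("must_not", [])
        if isinstance(must_not, dict):
            must_not = [must_not]
        # A document survives must_not only if none of its clauses match.
        return not any(matches(c, doc) for c in must_not)
    raise ValueError(f"unsupported clause: {kind}")


def run(query, docs):
    """Return the TargetUserName of every document the query keeps."""
    return [get_field(d, FIELD) for d in docs if matches(query["query"], d)]


if __name__ == "__main__":
    # The thread's solution drops the 70-character name as well as the "$" ones.
    print(run(regexp_query(FIELD, "[^$]{1,64}"), SAMPLE_DOCS))
    # The must_not/wildcard form drops only names ending in "$".
    print(run(must_not_wildcard_query(FIELD, "*$"), SAMPLE_DOCS))
```

Both query shapes assume `event_data.TargetUserName` is mapped as `keyword`; on an analyzed `text` field the standard analyzer strips the trailing `$` at index time, so neither the regexp nor the wildcard can see it and computer accounts would stay in the results. When excluding these accounts from a hunt, keep in mind that the exclusion is on the name alone: a human-created account whose name ends in `$` is excluded too.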
