ManuelF
(Manuel)
May 27, 2020, 4:32pm
1
Hi,
Running ELK 6.8.9 on premises
I am trying to add a filter for a visualization that removes events containing "managed service accounts" (accounts ending in $) like "GKDG0C3$".
Solution provided in the following post did not work for me (perhaps for a different version of Kibana):
I would like to invert this, to say not contains $
{
  "query": {
    "regexp": {
      "event_data.TargetUserName": "[a-zA-Z0-9-_]{1,32}"
    }
  }
}
The following post never got an answer for the same issue:
Dear Peter,
I do not have access to Kibana at the moment.
I will get right back to you as soon as I get access to Kibana.
Thank you for your help.
I have also tried adding the expression .*\$, but that did not work either.
Maybe using processors on the client side could be an option as described in the post:
Umm, this event should have been skipped with this config:
winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event:
          when:
            and:
              - or:
                - equals.winlog.event_id: 4624
                - equals.winlog.event_id: 4634
              - or:
                - equals.winlog.event_data.TargetUserName: "SYSTEM"
                - equals.winlog.event_data.TargetUserName: "NAMESQL"
To add more rules to match names you don't need to remove these ones, you can for example add you…
But I haven't had any luck with processors:
Hi,
Running ELK 6.8.9 on premises
Output in Winlogbeat config file is Elasticsearch (not Logstash)
I am trying to add some processing on the client side to filter only the Win events I need before sending the data to ELK. I am trying a drop_event filter following steps found in the following URL:
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html
When applying the filter, no logs are received by ELK.
My goal is to send to ELK only the events li…
My goal is to filter out all events where:
event_data.TargetUserName: GKDG0C3$
event_data.SubjectUserName: GKDG0C3$
Must be a regular expression and not an exact match, because system accounts are not the same in all systems
Any help would be appreciated.
Thanks
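As an added example (not from this thread or from Elastic), the Python below builds the Query DSL for a Kibana filter that excludes events whose account fields end in "$", and simulates the filter locally so the regexp semantics can be checked offline. It assumes the Winlogbeat 6.x field names used in the post (event_data.TargetUserName, event_data.SubjectUserName) are keyword fields, and that Python's re.fullmatch is a fair stand-in for Lucene's whole-term anchoring; the sample events are constructed.

```python
import json
import re

# A Lucene regexp query is anchored to the whole keyword term, so the pattern
# has to describe the entire value. "\$" on its own would only match a term
# that is exactly one dollar sign; ".*\$" means "anything, then a trailing $".
# Lucene does not treat $ as an anchor, but escaping it keeps the intent clear
# and is also what Python's re needs.
MACHINE_ACCOUNT_RE = r".*\$"

# Both account fields named in the post (assumed keyword-typed, as in the
# Winlogbeat 6.x index template).
ACCOUNT_FIELDS = ("event_data.TargetUserName", "event_data.SubjectUserName")


def machine_account_filter() -> dict:
    """Query DSL for a Kibana filter (filter editor, Query DSL mode) that
    excludes events where either account field ends in '$'.

    A regexp query can only express what *matches*; the negation belongs in
    bool.must_not rather than in the pattern itself."""
    return {
        "query": {
            "bool": {
                "must_not": [
                    {"regexp": {field: MACHINE_ACCOUNT_RE}} for field in ACCOUNT_FIELDS
                ]
            }
        }
    }


def lucene_term_matches(pattern: str, value: str) -> bool:
    """Approximate Lucene's whole-term anchoring with re.fullmatch."""
    return re.fullmatch(pattern, value) is not None


def apply_filter(events: list[dict]) -> list[dict]:
    """Local simulation of the must_not filter: keep an event only if none of
    its account fields matches the machine-account pattern."""
    kept = []
    for ev in events:
        if any(lucene_term_matches(MACHINE_ACCOUNT_RE, ev.get(f, "")) for f in ACCOUNT_FIELDS):
            continue
        kept.append(ev)
    return kept


# Constructed sample events (flattened field names, as Kibana shows them).
SAMPLE_EVENTS = [
    {"event_id": 4624, "event_data.TargetUserName": "GKDG0C3$", "event_data.SubjectUserName": "SYSTEM"},
    {"event_id": 4624, "event_data.TargetUserName": "jdoe", "event_data.SubjectUserName": "GKDG0C3$"},
    {"event_id": 4624, "event_data.TargetUserName": "jdoe", "event_data.SubjectUserName": "jdoe"},
    {"event_id": 4634, "event_data.TargetUserName": "svc_backup", "event_data.SubjectUserName": "-"},
]

if __name__ == "__main__":
    # Paste this JSON into the Kibana filter editor (Query DSL mode).
    print(json.dumps(machine_account_filter(), indent=2))
    for ev in apply_filter(SAMPLE_EVENTS):
        print("kept:", ev)
```

The first two sample events are dropped (one by TargetUserName, one by SubjectUserName) and the last two are kept. The same simulation shows why a pattern such as "\$" without the leading ".*" matches nothing on a keyword field: Lucene requires the whole term to match.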
ManuelF
(Manuel)
June 5, 2020, 1:12pm
2
Hi,
Any other idea to resolve this. Please help.
Thank you
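As an added example for the client-side approach mentioned in the first post (this is not from the thread or from Elastic's documentation), the Winlogbeat configuration below drops Security events at the source when either account field ends in "$". It assumes the 6.x field names from the post (event_data.* rather than the 7.x winlog.event_data.*), that per-event-log processors are accepted as in the config quoted above, and that Beats evaluates the regexp condition with Go RE2 syntax, where "$" is an end-of-string anchor (unlike Lucene), so the pattern is "literal dollar sign, then end of string".

```yaml
winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event:
          when:
            or:
              # Single quotes keep the backslash intact in YAML.
              # \$ is a literal dollar sign; the trailing $ anchors it to the end.
              - regexp:
                  event_data.TargetUserName: '\$$'
              - regexp:
                  event_data.SubjectUserName: '\$$'
```

Indentation matters here: the condition must sit under `when`, and each `regexp` entry is its own list item under `or`. A condition that is mis-nested can silently match every event, which would look exactly like "no logs are received by ELK". Run `winlogbeat test config -c winlogbeat.yml` after editing to catch YAML structure errors before restarting the service.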
ManuelF
(Manuel)
June 10, 2020, 1:26pm
3
Somebody from @Elastic Team (or a regular user) that could please help me to resolve the issue I am experiencing with Kibana filters?
Thank you
system
(system)
Closed
July 8, 2020, 1:26pm
4
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.