How to do an OR query using wildcard

alerting

(Jason Esposito) #1

Hi all,

I'm trying to use a wildcard query inside my watcher to look for either one of the following:

    "wildcard": {
        "raw_event_log": [
            "*{ :;};*",
            "*/bin/*"
        ]
    }

Is this the correct syntax?


(Alexander Reelsen) #2

Have you tried running the query outside of a watch and checked if it returns the correct results?

I am not sure what the exact question here is. It's hard to say from the outside if a query is correct, as it is hard to say what results you are expecting to get back. Putting this in a regular query will at least immediately show you if there is a syntax error or something similar. All in all, judging by this query, I would think that preprocessing might be a better strategy in this case.

--Alex


(Jason Esposito) #3

Hi @spinscale again!

So, I ran the query below outside the watcher and I get an error (of course).

    {
        "query": {
            "wildcard": {
                "command": [
                    "*systeminfo*",
                    "*ipconfig*",
                    "*tasklist*"
                ]
            }
        }
    }

The aim of the query is to bring back any message that has any of the following strings: systeminfo, ipconfig, tasklist.

The reason I need the wildcard is because there may be something additional, such as "systeminfo | findstr /B /C:"OS Name" /C:"OS Version"".

And just searching for "systeminfo" as a term wouldn't bring this back.

If any of these events inside the command field match the query, I want it to execute.

This is the error I get:

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_state_exception",
        "reason": "Can't get text on a START_ARRAY at 4:32"
      }
    ],
    "type": "illegal_state_exception",
    "reason": "Can't get text on a START_ARRAY at 4:32"
  },
  "status": 500
}

I'm not sure if the wildcard is the right way to go around this.

I could use "should", but that would mean that it would execute regardless of whether it matches. Confused :weary:

This works and brings back the correct results, but it is only for one. I need a list of possible commands and I'm not sure how to achieve it.

    {
        "query": {
            "wildcard": {
                "command": "*systeminfo*"
            }
        }
    }

Also please note that this works...

    {
        "query": {
            "terms": {
                "command": [
                    "systeminfo",
                    "ipconfig",
                    "tasklist"
                ]
            }
        }
    }

(Jason Esposito) #4

I found a solution that I'll write up for anyone that is looking for a solution.

I don't think wildcard can be used to search for an array.

Instead I used a query with logical operators and I think it's working :slight_smile:

    {
        "query": {
            "query_string": {
                "query": "(command:systeminfo* OR command:ipconfig* OR command:tasklist*)"
            }
        }
    }
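Added example, not code from the thread or from Elastic: it builds the "match any of these substrings" query that post #3 was after in two equivalent shapes (one wildcard clause per string under bool/should with minimum_should_match, and the query_string form from post #4), then checks the resulting patterns offline against a few constructed process-creation events so the difference between `*systeminfo*` and the prefix-only `systeminfo*` is visible without a cluster. It assumes `command` is mapped as a `keyword` field (so a Lucene wildcard pattern has to cover the whole stored value and is case-sensitive); the hostnames and command lines are made up for the example, and only the Python standard library is used.

```python
"""Build an OR-of-wildcards query two ways and sanity-check the patterns offline.

Added example, not code from the thread. Assumes `command` is a keyword field
and uses only the standard library so it runs without an Elasticsearch cluster.
"""
import fnmatch
import json

FIELD = "command"
NEEDLES = ["systeminfo", "ipconfig", "tasklist"]   # the strings from the thread
SHELLSHOCK = "*{ :;};*"                             # the pattern from post #1

# Constructed sample events standing in for indexed process-creation logs.
EVENTS = [
    {"host": "ws01", "command": 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'},
    {"host": "ws02", "command": "ipconfig /all"},
    {"host": "ws03", "command": "cmd.exe /c tasklist /v"},
    {"host": "ws04", "command": "notepad.exe report.txt"},
    {"host": "ws05", "command": "SYSTEMINFO"},   # keyword wildcards are case-sensitive
]


def wildcard_or_query(field, needles):
    """One term-level wildcard clause per needle under bool/should.
    minimum_should_match: 1 makes this a real OR: a document is a hit only if
    at least one clause matches, so a watch condition on hits.total fires only
    on an actual match. The pattern string is taken literally apart from * and ?."""
    return {"query": {"bool": {
        "should": [{"wildcard": {field: f"*{n}*"}} for n in needles],
        "minimum_should_match": 1,
    }}}


def query_string_or_query(field, needles, contains=True):
    """The same OR as a query_string, the shape used in post #4.
    contains=False reproduces the prefix-only form `command:systeminfo*`."""
    fmt = "*{}*" if contains else "{}*"
    clause = " OR ".join(f"{field}:{fmt.format(n)}" for n in needles)
    return {"query": {"query_string": {"query": f"({clause})"}}}


def wildcard_patterns(query, field):
    """Pull the field's wildcard patterns back out of either query shape, so the
    offline check evaluates exactly what would be sent to the cluster."""
    q = query["query"]
    if "bool" in q:
        return [c["wildcard"][field] for c in q["bool"]["should"] if "wildcard" in c]
    text = q["query_string"]["query"].strip("()")
    return [t.split(":", 1)[1] for t in text.split(" OR ") if t.startswith(field + ":")]


def lucene_wildcard_match(pattern, value):
    """Lucene wildcard semantics on a keyword value: '*' any run of characters,
    '?' exactly one, case-sensitive, and the whole value must match.
    fnmatchcase is equivalent for patterns without '[' (fnmatch would read
    '[' as a character class, Lucene would not)."""
    assert "[" not in pattern
    return fnmatch.fnmatchcase(value, pattern)


def matching_hosts(query, events, field=FIELD):
    """Hosts whose command line would be a hit for the given query."""
    pats = wildcard_patterns(query, field)
    return sorted(e["host"] for e in events
                  if any(lucene_wildcard_match(p, e[field]) for p in pats))


if __name__ == "__main__":
    contains = wildcard_or_query(FIELD, NEEDLES)
    print(json.dumps(contains, indent=2))
    print("bool/should *x*      ->", matching_hosts(contains, EVENTS))
    print("query_string *x*     ->", matching_hosts(query_string_or_query(FIELD, NEEDLES), EVENTS))
    print("query_string x* only ->", matching_hosts(query_string_or_query(FIELD, NEEDLES, contains=False), EVENTS))
    # The post #1 pattern works unchanged as a term-level wildcard clause.
    print("shellshock pattern   ->", lucene_wildcard_match(SHELLSHOCK, "() { :;}; /bin/bash -c id"))
```

Two things worth keeping in mind when moving this into a watch. First, the prefix form `command:systeminfo*` only matches when the string is at the start of a keyword value, which is why `tasklist` buried in `cmd.exe /c tasklist /v` is missed in the offline check; a leading `*` fixes that but is expensive on large indices (every term in the field is scanned), which is the case for Alex's suggestion of flagging these commands at ingest time instead. On a `text` field the wildcard applies to each analyzed token rather than the whole value, so case and position behave differently from what the offline check shows. Second, for the `*{ :;};*` pattern from post #1, `{`, `}` and `:` are reserved characters in query_string syntax and the space splits the input, so that pattern needs escaping there; the term-level `wildcard` clause takes the string literally apart from `*` and `?`, which makes bool/should the safer shape for patterns like that.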

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.