Kibana 8.2.0 Filter event_data.TargetUserName ending with $ (service accounts etc)

Good day guys,

Opening this post after searching for an hour without finding any answer that actually works for my case.

I am trying to build detection rules based on Windows security event ID 4662, and I need to exclude all computer or service accounts ending with $, like domainController$, FileServer$, etc.

Running a query like AND NOT winlog.event_data.SubjectUserName:($ OR MSOL_) works for MSQL_* but not for *$. I tried escaping the dollar sign in all possible ways, but it simply does not accept it and the search never ends.

Tried with a DSL query like:

{
  "query": {
    "regexp": {
      "event_data.TargetUserName": "[^$]{1,64}"
    }
  }
}

OR

"event_data.TargetUserName": ".*\\$$"

But none of this works. How can I effectively filter out all accounts ending with a $ sign in the query, and does the same apply to the alert later on?

Thank you in advance.
Nick.

That's likely because you are searching against a field that has been indexed with the standard analyzer, which removes the dollar character.

Check this example to see how it works:

# Create a sample index with both text and keyword fields
PUT delete_test_dollar
{
  "mappings": {
    "properties": {
      "desc": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
  }
}

# Add some documents
PUT delete_test_dollar/_bulk
{ "index": {}}
{ "desc": "Lorem"}
{ "index": {}}
{ "desc": "Vestibulum"}
{ "index": {}}
{ "desc": "Curabitur"}
{ "index": {}}
{ "desc": "Mauris$"}
{ "index": {}}
{ "desc": "Suspendisse$"}
{ "index": {}}
{ "desc": "Quisque$"}
{ "index": {}}
{ "desc": "$Pellentesque"}
{ "index": {}}
{ "desc": "$Donec"}
{ "index": {}}
{ "desc": "$Nam"}

# Search against the desc.keyword field, it should work
GET delete_test_dollar/_search
{
  "query": {
    "regexp": {
      "desc.keyword": {
        "value": ".*$"
      }
    }
  }
}

# Search against the desc field, it should not find any results
GET delete_test_dollar/_search
{
  "query": {
    "regexp": {
      "desc": {
        "value": ".*$"
      }
    }
  }
}

So the outcome is that you need to understand your field mapping and update it to your needs, maybe using the analyzer parameter on your mapping to specify one that suits your needs, or switch to the keyword type, which is not analyzed, even though it is not recommended for full text search.
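To make the mapping point concrete, here is an added Python simulation (not code from the original thread) of what the .*$ regexp sees on an analyzed text field versus a keyword field, together with the Query DSL exclusion you would run on a keyword field. The sample 4662 events, the event.code field name, and the rough approximation of the standard analyzer are assumptions.

```python
import re

# Constructed sample 4662 events (not taken from the thread); only the
# field the exclusion looks at is included.
SAMPLE_EVENTS = [
    {"event_id": 4662, "SubjectUserName": "jsmith"},
    {"event_id": 4662, "SubjectUserName": "FileServer$"},
    {"event_id": 4662, "SubjectUserName": "domainController$"},
    {"event_id": 4662, "SubjectUserName": "MSOL_a1b2c3"},
    {"event_id": 4662, "SubjectUserName": "$weird"},
]


def standard_analyze(value: str) -> list[str]:
    """Rough approximation (assumption) of the standard analyzer: split on
    non-alphanumeric characters and lowercase. Punctuation such as '$' is
    dropped, so 'FileServer$' is indexed as the single token 'fileserver'."""
    return [tok.lower() for tok in re.split(r"[^0-9A-Za-z_]+", value) if tok]


def lucene_regexp_matches(pattern: str, term: str) -> bool:
    """Lucene regexp semantics as used by the regexp query: no anchors, the
    pattern must match the whole term, and '$' is an ordinary character, so
    '.*$' means 'ends with a literal $'. Only '$' is translated here."""
    return re.fullmatch(pattern.replace("$", r"\$"), term) is not None


def matches_on_text_field(pattern: str, value: str) -> bool:
    """On an analyzed text field the regexp runs against the indexed tokens,
    which no longer contain the '$'."""
    return any(lucene_regexp_matches(pattern, t) for t in standard_analyze(value))


def matches_on_keyword_field(pattern: str, value: str) -> bool:
    """A keyword field is stored verbatim, so the regexp sees the '$'."""
    return lucene_regexp_matches(pattern, value)


def exclusion_query(field: str) -> dict:
    """Query DSL keeping 4662 events while dropping accounts that end with '$'
    or start with 'MSOL_'. `field` must be a keyword (non-analyzed) field;
    'event.code' is the assumed ECS name for the event ID."""
    return {"query": {"bool": {
        "filter": [{"term": {"event.code": "4662"}}],
        "must_not": [
            {"regexp": {field: {"value": ".*$"}}},
            {"prefix": {field: {"value": "MSOL_"}}},
        ]}}}


def drop_dollar_accounts(events, analyzed: bool = False) -> list[str]:
    """Evaluate the '.*$' must_not clause locally for both field types and
    return the account names that would survive the filter."""
    match = matches_on_text_field if analyzed else matches_on_keyword_field
    return [e["SubjectUserName"] for e in events
            if not match(".*$", e["SubjectUserName"])]
```

Run against the keyword field the two machine accounts are dropped; against the analyzed text field nothing is dropped, which is exactly the "never finds $" behaviour described in the question.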
