Kibana dashboard multiple wildcard filters

mathurin68 · December 20, 2017, 12:34am

I want to build a dashboard with filters that check for a list of phrases with wildcards to a kibana dashboard

so if any one of these(or multiple) appear in the log field I want it to appear in the dash, if not, the dash should be empty

as examples :
net use *
net user user_name * /domain
netsh firewall *
net localgroup *

The goal is to be able to see if a workstation, adding something to the registry, added a user, mapped a network drive etc. I wan t to be able to see if activity on a workstation did one or multiple.

Please tell me this is possible, would be very cool.

Something like this -

Computer	Command
VICTIMWORKSTATION	reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0
VICTIMWORKSTATION	netsh firewall set service remoteadmin enable
VICTIMWORKSTATION	netsh firewall set service remotedesktop enable

Starting with this query but it doesn't want to work -
But this doesn't want to work --

{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "event_data.CommandLine": "net *"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "reg *"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "netsh firewall*"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "net localgroup *"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "putty.exe *"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

Thanks!!!

mathurin68 · December 20, 2017, 4:17am

I think I might be close to it...

{
  "query": {
    "bool": {
      "should": [
        {
          "wildcard": {
            "event_data.Suspicious": "net  *"
          }
        },
        {
          "wildcard": {
            "event_data.Suspicious": "reg *"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

mathurin68 · December 20, 2017, 7:39pm

I'm stuck...

'should' seems to be perfect for checking for a list of things. BUT can I add a 'NOT' to it? I.E. this won't work -

 {
  "query": {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        {
          "wildcard": {
            "event_data.Suspicious": "net *"
          }
        },
        {
          "wildcard": {
            "event_data.Suspicious": "reg *"
          }
        }
      ],
  "must_not": [
    {
      "match_phrase": {
        "event_data.Suspicious": "reg add HKLM\\SOFTWARE\\Microsoft\\windows\\currentversion\\policies\\system"
      }
    }
    }
  }
}

mathurin68 · December 21, 2017, 4:58pm

Whew got it to work but it had to be an exact match. Trick that helped me --
Find what you want to filter in the dashboard, hit the '-' sign that will add the filter to the top of the dashboard. Edit that filter and that should give the DSL elasticsearch uses to see that data! Copy that into your own filter and boom it works.

Court · December 22, 2017, 3:39pm

Sorry no one was able to help you, but thanks for posting the solution you came up with! That'll help folks in the future that are trying to do the same thing.

system · January 19, 2018, 3:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.