I want to build a Kibana dashboard with filters that check the log field against a list of phrases with wildcards,
so if any one of these (or multiple) appears in the log field, I want it to appear in the dash; if not, the dash should be empty.
As examples:
net use *
net user user_name * /domain
netsh firewall *
net localgroup *
The goal is to be able to see if a workstation added something to the registry, added a user, mapped a network drive, etc. I want to be able to see if activity on a workstation did one or multiple of these.
Please tell me this is possible; it would be very cool.
Something like this:

| Computer | Command |
|---|---|
| VICTIMWORKSTATION | reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 |
| VICTIMWORKSTATION | netsh firewall set service remoteadmin enable |
| VICTIMWORKSTATION | netsh firewall set service remotedesktop enable |
Starting with this query, but it doesn't want to work:
```json
{
  "query": {
    "bool": {
      "should": [
        { "wildcard": { "event_data.CommandLine": "net *" } },
        { "wildcard": { "event_data.CommandLine": "reg *" } },
        { "wildcard": { "event_data.CommandLine": "netsh firewall*" } },
        { "wildcard": { "event_data.CommandLine": "net localgroup *" } },
        { "wildcard": { "event_data.CommandLine": "putty.exe *" } }
      ],
      "minimum_should_match": 1
    }
  }
}
```
Thanks!!!
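As an added example (not part of the original post), the following Python script builds the OR-style bool query from a list of wildcard phrases and evaluates constructed sample events the way a wildcard query on a keyword field would, so the matching logic can be checked offline before it goes on the dashboard. The field name `event_data.CommandLine.keyword`, the `computer_name` field and the sample events are assumptions for illustration.

```python
import json
import re

# Wildcard phrases from the question (constructed list for the example).
PATTERNS = ["net use *", "net user * /domain", "netsh firewall *",
            "net localgroup *", "reg *"]


def build_query(patterns, field="event_data.CommandLine.keyword"):
    """Return an Elasticsearch bool query that ORs the wildcard patterns.

    The clauses go under `should`, not `must`: `must` requires every clause
    to match the same document, which no single command line can satisfy.
    `minimum_should_match: 1` is what turns the `should` list into an OR.
    The field is assumed to be a keyword (unanalysed) sub-field: a wildcard
    query is not analysed, so a pattern containing a space never matches a
    single token of an analysed text field.
    """
    return {"query": {"bool": {
        "should": [{"wildcard": {field: p}} for p in patterns],
        "minimum_should_match": 1}}}


def wildcard_to_regex(pattern):
    """Translate wildcard syntax (* = any run, ? = one char) to an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.DOTALL)


def matching_patterns(command_line, patterns):
    """Patterns that match the whole value, case-sensitively, like a keyword wildcard."""
    return [p for p in patterns if wildcard_to_regex(p).match(command_line)]


# Constructed sample events in the shape of the table in the question.
SAMPLE_EVENTS = [
    {"computer_name": "VICTIMWORKSTATION", "event_data": {"CommandLine":
        'reg add "hklm\\system\\currentcontrolset\\control\\terminal server" '
        '/f /v fDenyTSConnections /t REG_DWORD /d 0'}},
    {"computer_name": "VICTIMWORKSTATION", "event_data": {"CommandLine":
        "netsh firewall set service remoteadmin enable"}},
    {"computer_name": "VICTIMWORKSTATION", "event_data": {"CommandLine":
        "notepad.exe C:\\notes.txt"}},
]


def hits(events, patterns):
    """Rows the dashboard table would show: (computer, command, matched patterns)."""
    rows = []
    for ev in events:
        cmd = ev["event_data"]["CommandLine"]
        matched = matching_patterns(cmd, patterns)
        if matched:
            rows.append((ev["computer_name"], cmd, matched))
    return rows


if __name__ == "__main__":
    print(json.dumps(build_query(PATTERNS), indent=2))
    for computer, cmd, matched in hits(SAMPLE_EVENTS, PATTERNS):
        print(f"{computer} | {cmd} | {', '.join(matched)}")
```

Note that `Net use ...` with a capital N would not match `net use *` on a keyword field, which is why the local matcher is case-sensitive too.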