Kibana dashboard multiple wildcard filters


(Matt Oney) #1

I want to build a Kibana dashboard with filters that check for a list of phrases with wildcards.

So if any one of these (or multiple) appears in the log field, I want it to appear in the dash; if not, the dash should be empty.

As examples:
net use *
net user user_name * /domain
netsh firewall *
net localgroup *

The goal is to be able to see if a workstation, adding something to the registry, added a user, mapped a network drive etc. I want to be able to see if activity on a workstation did one or multiple.

Please tell me this is possible, would be very cool.

Something like this -

Computer            Command
VICTIMWORKSTATION   reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
VICTIMWORKSTATION   netsh firewall set service remoteadmin enable
VICTIMWORKSTATION   netsh firewall set service remotedesktop enable

Starting with this query, but it doesn't want to work --

{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "event_data.CommandLine": "net *"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "reg *"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "netsh firewall*"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "net localgroup *"
          }
        },
        {
          "wildcard": {
            "event_data.CommandLine": "putty.exe *"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

Thanks!!!


(Matt Oney) #2

I think I might be close to it...

{
  "query": {
    "bool": {
      "should": [
        {
          "wildcard": {
            "event_data.Suspicious": "net *"
          }
        },
        {
          "wildcard": {
            "event_data.Suspicious": "reg *"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

(Matt Oney) #3

I'm stuck...

'should' seems to be perfect for checking for a list of things. BUT can I add a 'NOT' to it? I.e. this won't work -

{
  "query": {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        {
          "wildcard": {
            "event_data.Suspicious": "net *"
          }
        },
        {
          "wildcard": {
            "event_data.Suspicious": "reg *"
          }
        }
      ],
      "must_not": [
        {
          "match_phrase": {
            "event_data.Suspicious": "reg add HKLM\\SOFTWARE\\Microsoft\\windows\\currentversion\\policies\\system"
          }
        }
      ]
    }
  }
}

(Matt Oney) #4

Whew, got it to work, but it had to be an exact match. Trick that helped me --
Find what you want to filter in the dashboard, hit the '-' sign, which will add the filter to the top of the dashboard. Edit that filter and that should give you the DSL Elasticsearch uses to see that data! Copy that into your own filter and boom, it works.
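The filter shape this thread converges on (a list of wildcard patterns under should with minimum_should_match, plus a must_not exclusion), as an added example that is not part of the thread: a Python script that builds the query DSL for pasting into a Kibana filter and evaluates the same logic locally over constructed command lines. It assumes the field event_data.CommandLine from post #1 and keyword-field semantics for the wildcard clause; the sample command lines are constructed, not real telemetry.

```python
import fnmatch
import json

# Patterns and the exclusion phrase come from the thread; the field name is from post #1.
FIELD = "event_data.CommandLine"
SUSPICIOUS_PATTERNS = ["net *", "reg *", "netsh firewall*", "net localgroup *"]
EXCLUDED_PHRASES = ["reg add HKLM\\SOFTWARE\\Microsoft\\windows\\currentversion\\policies\\system"]

# Constructed sample command lines (not real telemetry) to run the filter against.
SAMPLE_COMMAND_LINES = [
    "net use x: \\\\fileserver\\share",
    "netsh firewall set service remotedesktop enable",
    "reg add HKLM\\SOFTWARE\\Microsoft\\windows\\currentversion\\policies\\system /v EnableLUA /t REG_DWORD /d 0",
    "NET USE y: \\\\fileserver\\share",  # dropped: wildcard on a keyword field is case-sensitive
    "notepad.exe report.txt",
]


def build_filter(patterns, excluded, field=FIELD):
    """should + minimum_should_match keeps a document if ANY wildcard matches;
    must_not removes documents that contain an excluded phrase."""
    return {"query": {"bool": {
        "should": [{"wildcard": {field: p}} for p in patterns],
        "minimum_should_match": 1,
        "must_not": [{"match_phrase": {field: e}} for e in excluded],
    }}}


def matches(command_line, query):
    """Local approximation of Elasticsearch semantics for one field value: wildcard is a
    case-sensitive whole-value match (keyword field); match_phrase is a substring test."""
    b = query["query"]["bool"]
    hits = sum(fnmatch.fnmatchcase(command_line, next(iter(c["wildcard"].values())))
               for c in b.get("should", []))
    if hits < b.get("minimum_should_match", 0):
        return False
    return not any(next(iter(c["match_phrase"].values())).lower() in command_line.lower()
                   for c in b.get("must_not", []))


def triage(command_lines, query):
    """Return only the command lines the dashboard filter would keep."""
    return [c for c in command_lines if matches(c, query)]


if __name__ == "__main__":
    query = build_filter(SUSPICIOUS_PATTERNS, EXCLUDED_PHRASES)
    print(json.dumps(query, indent=2))  # paste into a Kibana filter via "Edit as Query DSL"
    print(triage(SAMPLE_COMMAND_LINES, query))
```

If the indexed field is analyzed text rather than keyword, the wildcard runs against individual tokens and the whole-value patterns above will behave differently; check the mapping before trusting the results.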


(Court Ewing) #5

Sorry no one was able to help you, but thanks for posting the solution you came up with! That'll help folks in the future that are trying to do the same thing.


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.