Kibana KQL issue, Greater than does not work for event.duration field

geekzy · August 31, 2021, 4:22pm

I am currently on using Kibana v7.13.3. I am ingesting zeek logs into my elastic stack and trying to filter by event duration that exceeds a specific time frame. I have tried using the following basic KQL to filter by:

event.duration > 10.0

However this does not filter the results at all. All other number data fields work for with the greater than it just appears to be event.duration that does not filter. Has anyone else experienced this issue.

lukas · August 31, 2021, 6:14pm

Could you click on "Inspect" and copy/paste the request that is being sent here?

Does it work if you simply put event.duration > 10?

Could you also copy/paste your mapping for this field?

geekzy · September 1, 2021, 9:15am

"event.duration > 10" by itself does not work either.

This is the Request being sent:

{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "version": true,
  "fields": [
    {
      "field": "*",
      "include_unmapped": "true"
    },
    {
      "field": "@timestamp",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.created",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.end",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.ingested",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.start",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.accessed",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.created",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.ctime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.mtime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "kafka.block_timestamp",
      "format": "strict_date_optional_time"
    },
    {
      "field": "microsoft.defender_atp.lastUpdateTime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "microsoft.defender_atp.resolvedTime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "microsoft.m365_defender.alerts.creationTime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "process.parent.start",
      "format": "strict_date_optional_time"
    },
    {
      "field": "process.start",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.kerberos.valid.from",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.kerberos.valid.until",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.org_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.rec_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.ref_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.xmt_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ocsp.revoke.time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ocsp.update.next",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ocsp.update.this",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.pe.compile_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.accessed",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.changed",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.created",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.modified",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smtp.date",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.snmp.up_since",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.x509.certificate.valid.from",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.x509.certificate.valid.until",
      "format": "strict_date_optional_time"
    },
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30m",
        "time_zone": "Europe/London",
        "min_doc_count": 1
      }
    }
  },
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": false,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "range": {
                        "event.duration": {
                          "gt": "10.0"
                        }
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "range": {
                        "zeek.dns.rtt": {
                          "gte": "0.002"
                        }
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-08-31T08:54:15.634Z",
              "lte": "2021-09-01T08:54:15.634Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}

This is the current mapping:

 "event": {
          "properties": {
            "action": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "category": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "created": {
              "type": "date"
            },
            "dataset": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "duration": {
              "type": "long"
            },

geekzy · September 2, 2021, 10:01am

Additionally this is the pipeline rule we have applied to populate event.duration:

system · September 30, 2021, 10:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.