ML Advanced datafeed Elasticsearch Query

Elk_huh · January 5, 2021, 2:44pm

How do i do query for
event.code == 4625
winlog.event_data.targetusername != "*svc"

this is what i have and doesnt seem to work
{
"bool": {
"must": [
{
"match_all": {}
}
],
"filter": [
{
"match_phrase": {
"event.code": "4625"
}
}
],
"must_not": [
{
"term": {
"winlog.event_data.TargetUserName": "*svc"
}
}
]
}
}

Elk_huh · January 5, 2021, 3:49pm

Ive tried this too

{
  "bool": {
    "must": [
      {
        "match_all": {}
      }
    ],
    "filter": [
      {
        "match_phrase": {
          "event.code": "4625"
        }
      }
    ],
    "must_not": [
      {
        "regexp": {
          "winlog.event_data.TargetUserName": {
            "value": "*$"
          }
        }
      }
    ]
  }
}