Elk_huh
(Brian)
January 5, 2021, 2:44pm
1
How do I do a query for

event.code == 4625
winlog.event_data.targetusername != "*svc"

This is what I have, and it doesn't seem to work:
```json
{
  "bool": {
    "must": [
      {
        "match_all": {}
      }
    ],
    "filter": [
      {
        "match_phrase": {
          "event.code": "4625"
        }
      }
    ],
    "must_not": [
      {
        "term": {
          "winlog.event_data.TargetUserName": "*svc"
        }
      }
    ]
  }
}
```
Elk_huh
(Brian)
January 5, 2021, 3:49pm
2
I've tried this too:
```json
{
  "bool": {
    "must": [
      {
        "match_all": {}
      }
    ],
    "filter": [
      {
        "match_phrase": {
          "event.code": "4625"
        }
      }
    ],
    "must_not": [
      {
        "regexp": {
          "winlog.event_data.TargetUserName": {
            "value": "*$"
          }
        }
      }
    ]
  }
}
```
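The following is an added example, not code from the thread, showing why the two attempts above return service-account logon failures and what the working query looks like. A `term` clause on a keyword field compares the literal string `*svc`, so it excludes nothing, and `*$` is not a valid leading expression for the `regexp` query; the query type that interprets `*` is `wildcard`. The script builds that query against the poster's own field names (`event.code`, `winlog.event_data.TargetUserName`), then applies Elasticsearch's `term`/`wildcard` semantics to a handful of constructed sample events so the difference can be checked offline. The helper `evaluate` and the sample events are assumptions made for this example.

```python
"""
Added example (not from the original post): build the bool query the poster
is after and check its semantics against constructed sample events. The
`term` clause in the first attempt compares the literal string "*svc", so it
never excludes anything; a `wildcard` clause is what interprets `*`.
"""
import fnmatch

# Field names as the poster indexes them (Winlogbeat). TargetUserName is a
# keyword field, so comparisons are exact and case-sensitive.
EVENT_CODE_FIELD = "event.code"
USER_FIELD = "winlog.event_data.TargetUserName"


def build_failed_logon_query(exclude_pattern: str = "*svc") -> dict:
    """Query DSL body: failed logons (4625), excluding users matching the pattern."""
    return {
        "query": {
            "bool": {
                "filter": [{"term": {EVENT_CODE_FIELD: "4625"}}],
                "must_not": [{"wildcard": {USER_FIELD: {"value": exclude_pattern}}}],
            }
        }
    }


def original_term_query() -> dict:
    """The poster's first attempt: a term clause that compares the literal "*svc"."""
    return {"query": {"bool": {
        "filter": [{"term": {EVENT_CODE_FIELD: "4625"}}],
        "must_not": [{"term": {USER_FIELD: "*svc"}}],
    }}}


# Constructed sample hits (not real log data).
SAMPLE_EVENTS = [
    {EVENT_CODE_FIELD: "4625", USER_FIELD: "backup_svc"},
    {EVENT_CODE_FIELD: "4625", USER_FIELD: "jsmith"},
    {EVENT_CODE_FIELD: "4625", USER_FIELD: "sql-svc"},
    {EVENT_CODE_FIELD: "4624", USER_FIELD: "jsmith"},      # successful logon, not 4625
    {EVENT_CODE_FIELD: "4625", USER_FIELD: "SVCadmin"},    # does not end in "svc"
]


def _clause_matches(clause: dict, doc: dict) -> bool:
    """Evaluate the term/wildcard clauses used here with Elasticsearch semantics."""
    (kind, body), = clause.items()
    (field, spec), = body.items()
    value = spec["value"] if isinstance(spec, dict) else spec
    actual = doc.get(field)
    if actual is None:
        return False
    if kind == "term":          # exact keyword comparison; '*' is a literal character
        return actual == value
    if kind == "wildcard":      # '*' and '?' are pattern metacharacters
        return fnmatch.fnmatchcase(actual, value)
    raise ValueError(f"unsupported clause type: {kind}")


def evaluate(query: dict, docs: list) -> list:
    """Return the TargetUserName of every doc the bool query would return."""
    clauses = query["query"]["bool"]
    hits = []
    for doc in docs:
        keep = all(_clause_matches(c, doc) for c in clauses.get("filter", []))
        excluded = any(_clause_matches(c, doc) for c in clauses.get("must_not", []))
        if keep and not excluded:
            hits.append(doc[USER_FIELD])
    return hits


if __name__ == "__main__":
    print("term    :", evaluate(original_term_query(), SAMPLE_EVENTS))
    print("wildcard:", evaluate(build_failed_logon_query(), SAMPLE_EVENTS))
```

In the Kibana query bar the same filter is written in KQL as `event.code : "4625" and not winlog.event_data.TargetUserName : *svc`. A leading-wildcard pattern like `*svc` has to scan every term in the field, so on a large index it is cheaper to exclude an explicit list of service-account names with a `terms` clause when that list is known.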
system
(system)
Closed
February 2, 2021, 3:49pm
3
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.