Query for Unicode Character in process.name

Elastic Stack Kibana
1

Hi there,

I am trying to query for a right-to-left override (RTLO) character (U+202E) within a process name.

My query in Dev Tools in Kibana is this:

GET /[index_name]/_eql/search
{
  "query": """
    process where process.name like "*Up\u{200f}date.exe"
  """
}

I use the unicode syntax based on what I had found from a section in the documentation.

This is the error that I received:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "line 2:37: token recognition error at: '\"*Up\\u'"
      }
    ],
    "type" : "parsing_exception",
    "reason" : "line 2:37: token recognition error at: '\"*Up\\u'",
    "caused_by" : {
      "type" : "lexer_no_viable_alt_exception",
      "reason" : null
    }
  },
  "status" : 400
}

Leaving a white-space where my query is process where process.name like "*Up \u{200f} date.exe", leads to the same error.

I have tried changing the query to process where process.name like "*Up\\u{200f}date.exe", which adds an extra backslash. While the query executes successfully, no results are returned.

This is how the process name looks like in Kibana:

image
image1040×185 13.4 KB

As can be seen from my cursor highlight, the RTLO character is inserted after Up.

Thank you for your time!

Note-to-self: I should change like to ==.
Note-to-self-2: Found an old post about replacing unicode characters, but it is for Logstash.

2

You need to escape this twice. So first time you do the escape for the eql unicode character and the you do a JSON escape on top of those characters.

3

Thanks a lot for replying to this - I just found out that my original findings were most likely due to the page (that I referenced in my original post) being "preliminary documentation for a future release".

When visiting the documentation for the current, latest release, I do not see the section about escaping unicode characters at all.

In the event that the current documentation is inaccurate, I would still like to try out your suggestion of the double-escaping in the meantime. Just to confirm that I interpreted what you said correctly, would this turn out to be Up\\u\{200f\}date.exe?

Thank you!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.