I found an Elastic blog on a possible dashboard for Winlogbeat logs: Monitoring Windows Logons with Winlogbeat | Elastic Blog
I was trying to exclude usernames ending in the dollar sign "$" (machine accounts) in the field winlog.event_data.TargetUserName, sourced from a Windows AD server running Winlogbeat.
This is a follow-up on the same topic, which was closed — see Removing the "$" sign from event_data.TargetUserName
My working solution is a negated search filter: a query_string wildcard query "*$" on the keyword field, placed under must_not, so that documents whose TargetUserName ends in "$" are excluded (the "$" itself is not stripped from the remaining values):
{
"query": {
"bool": {
"must": {
"bool": {
"should": [
{
"query_string": {
"fields": [
"winlog.event_data.TargetUserName.keyword"
],
"query": "*$"
}
}
],
"minimum_should_match": 1
}
},
"filter": []
}
}
}
The complete Kibana request, as generated by the dashboard, looks like this (note that the must_not list contains each exclusion clause twice; this is redundant but does not change the result):
{
"aggs": {
"2": {
"terms": {
"field": "user.name",
"order": {
"_count": "desc"
},
"size": 50
}
}
},
"size": 0,
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@original_event_timestamp",
"format": "date_time"
},
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "event.created",
"format": "date_time"
},
{
"field": "event.end",
"format": "date_time"
},
{
"field": "event.ingested",
"format": "date_time"
},
{
"field": "event.start",
"format": "date_time"
},
{
"field": "file.accessed",
"format": "date_time"
},
{
"field": "file.created",
"format": "date_time"
},
{
"field": "file.ctime",
"format": "date_time"
},
{
"field": "file.mtime",
"format": "date_time"
},
{
"field": "observer.timestamp.collector",
"format": "date_time"
},
{
"field": "observer.timestamp.file_ingestion",
"format": "date_time"
},
{
"field": "package.installed",
"format": "date_time"
},
{
"field": "process.parent.start",
"format": "date_time"
},
{
"field": "process.start",
"format": "date_time"
},
{
"field": "tls.client.not_after",
"format": "date_time"
},
{
"field": "tls.client.not_before",
"format": "date_time"
},
{
"field": "tls.server.not_after",
"format": "date_time"
},
{
"field": "tls.server.not_before",
"format": "date_time"
}
],
"_source": {
"excludes": []
},
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"match_all": {}
},
{
"range": {
"event.ingested": {
"gte": "2021-09-30T15:00:00.000Z",
"lte": "2021-10-02T16:05:16.784Z",
"format": "strict_date_optional_time"
}
}
}
],
"should": [],
"must_not": [
{
"match_phrase": {
"winlog.event_data.LogonType.keyword": "0"
}
},
{
"match_phrase": {
"winlog.event_data.LogonType.keyword": "5"
}
},
{
"match_phrase": {
"winlog.event_data.TargetUserName.keyword": "ANONYMOUS LOGON"
}
},
{
"match_phrase": {
"winlog.event_data.TargetDomainName.keyword": "Windows Manager"
}
},
{
"bool": {
"must": {
"bool": {
"should": [
{
"query_string": {
"fields": [
"winlog.event_data.TargetUserName.keyword"
],
"query": "*$"
}
}
],
"minimum_should_match": 1
}
},
"filter": []
}
},
{
"match_phrase": {
"tags": "dc"
}
},
{
"match_phrase": {
"winlog.event_data.LogonType.keyword": "0"
}
},
{
"match_phrase": {
"winlog.event_data.LogonType.keyword": "5"
}
},
{
"match_phrase": {
"winlog.event_data.TargetUserName.keyword": "ANONYMOUS LOGON"
}
},
{
"match_phrase": {
"winlog.event_data.TargetDomainName.keyword": "Windows Manager"
}
},
{
"bool": {
"must": {
"bool": {
"should": [
{
"query_string": {
"fields": [
"winlog.event_data.TargetUserName.keyword"
],
"query": "*$"
}
}
],
"minimum_should_match": 1
}
},
"filter": []
}
},
{
"match_phrase": {
"tags": "dc"
}
}
]
}
}
}
Hope this is helpful.