Removing the “$” sign from event_data.TargetUserName

I found an Elastic blog on a possible dashboard for Winlogbeat logs: Monitoring Windows Logons with Winlogbeat | Elastic Blog

I was trying to remove the dollar sign "$" from usernames in the field winlog.event_data.TargetUserName - sourced from a windows AD server running Winlogbeat.

This is a follow-up on the same topic, which was closed - see Removing the "$" sign from event_data.TargetUserName

My working solution is a negated search filter - it excludes the documents whose TargetUserName ends in "$" rather than editing the field value:

{
  "query": {
    "bool": {
      "must": {
        "bool": {
          "should": [
            {
              "query_string": {
                "fields": [
                  "winlog.event_data.TargetUserName.keyword"
                ],
                "query": "*$"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      "filter": []
    }
  }
}

The complete Kibana request looks like this:

{
  "aggs": {
    "2": {
      "terms": {
        "field": "user.name",
        "order": {
          "_count": "desc"
        },
        "size": 50
      }
    }
  },
  "size": 0,
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@original_event_timestamp",
      "format": "date_time"
    },
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "event.created",
      "format": "date_time"
    },
    {
      "field": "event.end",
      "format": "date_time"
    },
    {
      "field": "event.ingested",
      "format": "date_time"
    },
    {
      "field": "event.start",
      "format": "date_time"
    },
    {
      "field": "file.accessed",
      "format": "date_time"
    },
    {
      "field": "file.created",
      "format": "date_time"
    },
    {
      "field": "file.ctime",
      "format": "date_time"
    },
    {
      "field": "file.mtime",
      "format": "date_time"
    },
    {
      "field": "observer.timestamp.collector",
      "format": "date_time"
    },
    {
      "field": "observer.timestamp.file_ingestion",
      "format": "date_time"
    },
    {
      "field": "package.installed",
      "format": "date_time"
    },
    {
      "field": "process.parent.start",
      "format": "date_time"
    },
    {
      "field": "process.start",
      "format": "date_time"
    },
    {
      "field": "tls.client.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.client.not_before",
      "format": "date_time"
    },
    {
      "field": "tls.server.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.server.not_before",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_all": {}
        },
        {
          "range": {
            "event.ingested": {
              "gte": "2021-09-30T15:00:00.000Z",
              "lte": "2021-10-02T16:05:16.784Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": [
        {
          "match_phrase": {
            "winlog.event_data.LogonType.keyword": "0"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.LogonType.keyword": "5"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.TargetUserName.keyword": "ANONYMOUS LOGON"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.TargetDomainName.keyword": "Windows Manager"
          }
        },
        {
          "bool": {
            "must": {
              "bool": {
                "should": [
                  {
                    "query_string": {
                      "fields": [
                        "winlog.event_data.TargetUserName.keyword"
                      ],
                      "query": "*$"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            },
            "filter": []
          }
        },
        {
          "match_phrase": {
            "tags": "dc"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.LogonType.keyword": "0"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.LogonType.keyword": "5"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.TargetUserName.keyword": "ANONYMOUS LOGON"
          }
        },
        {
          "match_phrase": {
            "winlog.event_data.TargetDomainName.keyword": "Windows Manager"
          }
        },
        {
          "bool": {
            "must": {
              "bool": {
                "should": [
                  {
                    "query_string": {
                      "fields": [
                        "winlog.event_data.TargetUserName.keyword"
                      ],
                      "query": "*$"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            },
            "filter": []
          }
        },
        {
          "match_phrase": {
            "tags": "dc"
          }
        }
      ]
    }
  }
}

Hope this is helpful

