Searching Does not Return Results - Challenge

Gary_Blackwell · December 29, 2020, 10:02pm

I have this log message in Elastic:
ExtendedProperties
[{"Name":"UserAgent","Value":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.13426; Pro)"} {"Name":"UserAuthenticationMethod","Value":"1"} {"Name":"RequestType","Value":"OAuth2:Token"} {"Name":"ResultStatusDetail","Value":"Success"} {"Name":"KeepMeSignedIn","Value":"false"}].

I have tried searching various ways for "OAuth2". Do you know how I can successfully search for it and get results?

Thanks,
Gary

warkolm · December 29, 2020, 10:41pm

Can you share what you have tried?

Gary_Blackwell · December 30, 2020, 4:28pm

'\*.keyword:(OAuth2)'
OAuth2
"OAuth2"
"OAuth2:Token"
OAuth2:Token
(OAuth2:Token)
(OAuth2)
text:(OAuth2)
OAuth2
fuzzy:OAuth2
*.keyword:(OAuth2)
keyword:(OAuth2)
text:OAuth2

Christian_Dahlqvist · December 30, 2020, 4:57pm

Is ExtendedProperties by any chance mapped as a nested field?

Gary_Blackwell · December 30, 2020, 6:40pm

Do you know where the "path" comes from for a nested query or what query would I use to tell if there were nested fields?

warkolm · December 30, 2020, 7:54pm

Check the INDEXNAME/_mapping endpoint.

Gary_Blackwell · December 30, 2020, 8:08pm

Does this help?

"ExtendedProperties" : {
"properties" : {
"*" : {
"type" : "object"
}
}

There is a bunch of these.
"ExtendedProperties" : {
"type" : "keyword",
"ignore_above" : 1024

Gary_Blackwell · January 5, 2021, 4:01pm

Is there a way of knowing if it is a nested field or how to search and find this data?

warkolm · January 5, 2021, 7:15pm

It'd be useful if you posted the entire thing please. Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

Gary_Blackwell · January 6, 2021, 8:37pm

The post is limited to 13000 characters. The output is over 58000. I am not finding a way to attach it as a text file. Do you have any suggestions?

warkolm · January 6, 2021, 8:41pm

Use gist/pastebin/etc.

Gary_Blackwell · January 6, 2021, 8:55pm

Gary_Blackwell · January 13, 2021, 4:37pm

Were you able to review the index? What started this query is that there is a detection rule that looks at OAuth2; however, I am not able to confirm that it is working.
The paste bin post will be deleted in 4 hours, but I can repost it if necessary.

Gary_Blackwell · January 18, 2021, 7:24pm

Any movement on this request?
Thanks

Gary_Blackwell · January 27, 2021, 2:15pm

Keeping this alive.
Thanks

Gary_Blackwell · February 12, 2021, 7:42pm

Any word on being able to complete the search?

Gary_Blackwell · February 22, 2021, 3:34pm

Keep alive

Gary_Blackwell · March 1, 2021, 3:43pm

Keep alive

dadoonet · March 1, 2021, 10:19pm

If you don't get an answer, my recommendation would be to provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.

Gary_Blackwell · March 2, 2021, 4:21pm

I'm using Kibana.
I can browse in the logs and find {"Name":"RequestType","Value":"OAuth2:Token"} in the log message. I haven't found a way to search for log messages that contain "OAuth2".
Does that help?