I would like to know how to fix this search (if it is possible, of course):
(winlog.channel:"Security" AND (winlog.event_id:"4624" AND winlog.event_data.LogonType:"10") AND (NOT (source.ip:(10.* OR 192.168.* OR 172.31* OR 172.30.* OR 172.29.* OR 172.28.* OR 172.27.* OR 172.26.* OR 172.25.* OR 172.24.* OR 172.23.* OR 172.21.* OR 172.20.* OR 172.19.* OR 172.18.* OR 172.17.* OR 172.16.* OR fd* OR fc* OR 127.0.0.1* OR \:\:1*))))
The result I get back is always:
Can only use prefix queries on keyword, text and wildcard fields - not on [source.ip] which is of type [ip]
Ok, understood! Now I'm trying to use a rule from Elastic using the same schema you just pointed out above, but I'm still receiving errors:
Rule:
event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
not source.ip:(
10.0.0.0/8 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.2.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.168.0.0/16 or
192.88.99.0/24 or
224.0.0.0/4 or
100.64.0.0/10 or
192.175.48.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
) and
destination.ip:(
10.0.0.0/8 or
172.16.0.0/12 or
192.168.0.0/16
)
Results:
Can only use regexp queries on keyword and text fields - not on [source.ip] which is of type [ip]
What am I doing wrong? I just copied and pasted this rule from the Elastic page.
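Added worked example (not from the thread above and not Elastic's own code): both errors in this thread come from sending a query type that Elasticsearch does not support on an `ip`-typed field. The first search uses wildcards (`10.*`), which become prefix queries; `ip` fields accept exact addresses and CIDR blocks instead, so `10.*` is written `10.0.0.0/8` and `fd*`/`fc*` collapse into `fc00::/7`. The second error is consistent with the prebuilt rule being pasted into a search bar set to the Lucene syntax rather than KQL: Lucene reads `/.../` as a regular expression, so `10.0.0.0/8 or 127.0.0.0/8` contains the token `/8 or 127.0.0.0/`, which is sent as a regexp query on `source.ip` and rejected with exactly that message. That diagnosis is an observation of mine, not something stated on the page. The script below converts the whole-octet wildcards from the first search into CIDR blocks, renders the corrected KQL, and runs the same logon-type-10 / non-private-source logic locally over a few constructed events (field names taken from the question; the events are made up, not real Windows Security logs).

```python
"""Rewrite wildcard IP exclusions as CIDR blocks and check the filter locally.

Elasticsearch `ip` fields reject prefix/wildcard/regexp queries but accept
CIDR notation (e.g. source.ip:10.0.0.0/8). Nothing here contacts
Elasticsearch; SAMPLE_EVENTS are constructed for the example.
"""
import ipaddress

# Constructed sample events using the flattened field names from the question.
SAMPLE_EVENTS = [
    {"winlog.channel": "Security", "winlog.event_id": "4624",
     "winlog.event_data.LogonType": "10", "source.ip": "203.0.113.7"},   # RDP logon from outside
    {"winlog.channel": "Security", "winlog.event_id": "4624",
     "winlog.event_data.LogonType": "10", "source.ip": "172.22.14.9"},   # inside 172.16.0.0/12
    {"winlog.channel": "Security", "winlog.event_id": "4624",
     "winlog.event_data.LogonType": "10", "source.ip": "fd12:3456::1"},  # IPv6 unique-local
    {"winlog.channel": "Security", "winlog.event_id": "4624",
     "winlog.event_data.LogonType": "3", "source.ip": "198.51.100.20"},  # network logon, not RDP
]

# CIDR equivalents of the exclusion list in the first search. 172.16.0.0/12
# covers 172.16.* through 172.31.* in one block (the original list skipped
# 172.22.*); fc00::/7 covers both the fc* and fd* unique-local prefixes.
PRIVATE_RANGES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "127.0.0.0/8",
    "::1/128",
    "fc00::/7",
]


def wildcard_to_cidr(pattern: str) -> str:
    """Turn a whole-octet IPv4 wildcard ('10.*', '192.168.*', even the
    question's '172.31*') into the CIDR block it stands for.
    A partial-octet pattern such as '127.0.0.1*' has no single CIDR
    equivalent (it would match 127.0.0.1, 127.0.0.10-19, ...), so it is
    rejected rather than silently widened or narrowed."""
    if not pattern.endswith("*"):
        raise ValueError(f"expected a trailing '*': {pattern!r}")
    octets = pattern[:-1].rstrip(".").split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a whole-octet IPv4 prefix: {pattern!r}")
    prefix_len = 8 * len(octets)
    network = ".".join(octets + ["0"] * (4 - len(octets)))
    return str(ipaddress.ip_network(f"{network}/{prefix_len}"))


def build_kql(ranges=PRIVATE_RANGES) -> str:
    """Render the logon-type-10 search with CIDR exclusions. Values that
    contain ':' are quoted, as Elastic's prebuilt rules do for IPv6, so KQL
    does not read the colon as a field separator."""
    values = " or ".join(f'"{r}"' if ":" in r else r for r in ranges)
    return ('winlog.channel:"Security" and winlog.event_id:"4624" and '
            'winlog.event_data.LogonType:"10" and not source.ip:(' + values + ")")


def is_private(ip: str, ranges=PRIVATE_RANGES) -> bool:
    """Local equivalent of `source.ip:(<cidr> or <cidr> ...)`."""
    addr = ipaddress.ip_address(ip)
    # `addr in network` is False when the IP versions differ, so v4 and v6
    # ranges can share one list without special-casing.
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def matches(event: dict) -> bool:
    """Same predicate as the corrected KQL, evaluated on one flattened event."""
    return (event.get("winlog.channel") == "Security"
            and event.get("winlog.event_id") == "4624"
            and event.get("winlog.event_data.LogonType") == "10"
            and not is_private(event["source.ip"]))


def flagged_sources(events) -> list:
    """Source addresses of events the rule would surface."""
    return [e["source.ip"] for e in events if matches(e)]


if __name__ == "__main__":
    for wildcard in ("10.*", "192.168.*", "172.31*"):
        print(f"{wildcard:12} -> {wildcard_to_cidr(wildcard)}")
    print(build_kql())
    print("flagged:", flagged_sources(SAMPLE_EVENTS))
```

The same CIDR values work in Query DSL `term`/`terms` clauses on an `ip` field, which is what KQL compiles the search into; the thing that does not work is any query family (prefix, wildcard, regexp) that is only defined for `keyword`/`text` fields, regardless of which syntax produced it.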