17 January 2024

Kibana KQL escape character

Need to escape these characters:
    \():<>"*



with quotes, does not need to escape:
    http.request.referrer: "https://example.com"
 
without quotes, must escape:
    http.request.referrer: https\://example.com

 

This not work as expected because * is interprate as literal *:
    http.request.referrer: "https://example.com*"

Instead use this:
    http.request.referrer: https\://example.com*


File path issue in windows:
Kibana display value as:
    C:\WINDOWS\system32\MRT.exe

But if you check in json, actual value stored in elastic is:
    "c:\\windows\\system32\\mrt.exe"

Thus, to find all files in folder system32(and sub folder) you need to escape the backslash character:
    file.path.caseless : c\:\\\\windows\\\\system32\\\\*

    

To find all files in folder system32(exclude sub folder):
    file.path.caseless : c\:\\\\windows\\\\system32\\\\* and not file.path.caseless : c\:\\\\windows\\\\system32\\\\*\\\\*





ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html
Posted by at No comments:
Labels: ,

Kibana KQL Wild Card

thefield.caseless: system32*    
    will match system32\\calc.exe (* is wildcard)


thefield: "system32*"
    Not match system32\\calc.exe.(* is literal because it in quotes)



ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)