Quick Tips:
- first check how the data is actually stored in Elastic (look at the JSON view, not the table view)
- then put an escape character in front of every character that needs one
See Example 3
Example 1)
Data Display in Kibana:
process.command_line : wc -l
Data Display in JSON (Actual Data in Elastic):
process.command_line : wc -l
(same, because there are no special characters)
Filter KQL
process.command_line : * -l*
DSL Query:
{ "wildcard": { "process.command_line": { "value": "* -l*" } } }
Example 2)
Data Display in Kibana:
process.command_line: "certutil -encode fee449ee0e3965a5246f000e87fde2a065fd89d4.crt temp.cer"
Data Display in JSON (Actual Data in Elastic):
"command_line": "certutil -encode cdd4eeae6000ac7f40c3802c171e30148030c072.crt temp.cer "
(same, because there are no special characters)
Filter KQL
process.command_line : * -encode *
DSL Query
Kibana translates the KQL above into the following DSL:
{ "wildcard": { "process.command_line": {"value": "* \\-encode *" } } }
Example 3)
Data Display in Kibana:
"C:\Users\Asus\AppData\Local\Programs\Opera GX\autoupdate\opera_autoupdate.exe" --scheduledtask --bypasslauncher $(Arg0)
Data Display in JSON (Actual String in Elastic):
"command_line": "\"C:\\Users\\Asus\\AppData\\Local\\Programs\\Opera GX\\autoupdate\\opera_autoupdate.exe\" --scheduledtask --bypasslauncher $(Arg0)"
(not the same, because there are special characters)
Filter KQL
process.command_line: *\\Users\\*
DSL Query
{ "wildcard": { "process.command_line": { "value": "*\\\\Users\\\\*" } } }