Elasticsearch 查询 DSL 中的多个“query”
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
}
但我如何才能把多个这样的“query”组合到一起?例如,"EventID": "4732"
或 "EventID": "4728"
实际上,基于 Sigma 规则生成的查询要复杂得多;对于简单的情况,我知道可以这样写:
{
"query": {
"bool": {
"should": [
{
"match_phrase": {
"data.win.system.eventID": "4732"
}
},
{
"match_phrase": {
"data.win.system.eventID": "4728"
}
}
],
"minimum_should_match": 1
}
}
}
Sigma 的输出格式如下:
[
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
]
然而,这样会报错:
[parsing_exception] unknown query [query], with {line=1&col=1065}
在 Kibana 的 Dev Tools 中根本不起作用。在 Discover 中,它会被自动转换为:
{
"0": {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
"1": {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
}
而在 Dev Tools 中则会给出:
"reason": "Unknown key for a START_OBJECT in [0].",
查阅资料后有人建议把各个“query”包在一个 bool-should 查询里,即:
{
"query": {
"bool": {
"should": [
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
],
"minimum_should_match": 1
}
}
}
这同样会报错:
[parsing_exception] unknown query [query], with {line=1&col=1065}
或者在 Dev Tools 中:
"reason": "unknown query [query]"
是否可以在一个请求中使用多个“query”?
我要转换的 Sigma 脚本示例:
[
{
"query": {
"constant_score": {
"filter": {
"bool": {
"should": [
{
"bool": {
"should": [
{
"wildcard": {
"CommandLine.keyword": "* -NoP *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -W Hidden *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -decode *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* /decode *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* JAB*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* SUVYI*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* SQBFAFgA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* aWV4I*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* IAB*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* PAA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* aQBlAHgA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*vssadmin delete shadows*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*reg SAVE HKLM\\\\SAM*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -ma *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*.downloadstring(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*.downloadfile(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* /ticket:*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* sekurlsa*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* p::d *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*;iex(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*schtasks* /create *AppData*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* comsvcs.dll,MiniDump*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* comsvcs.dll,#24*"
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"ParentImage.keyword": "*\\\\WINWORD.EXE*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\EXCEL.EXE*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\POWERPNT.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\MSPUB.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\VISIO.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\OUTLOOK.EXE*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"Image.keyword": "*\\\\cmd.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\powershell.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\wscript.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\cscript.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\schtasks.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\scrcons.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\regsvr32.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\hh.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\wmic.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\mshta.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\msiexec.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\forfiles.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\AppData\\\\*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"Image.keyword": "*\\\\apache*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\tomcat*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\w3wp.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\php-cgi.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\nginx.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\httpd.exe*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"CommandLine.keyword": "*whoami*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*net user *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*ping -n *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*systeminfo*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*&cd&echo*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*cd /d *"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"wildcard": {
"Image.keyword": "*\\\\whoami.exe*"
}
},
{
"match_phrase": {
"User": "NT AUTHORITY\\SYSTEM"
}
}
]
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventLog": "Microsoft-Windows-Sysmon"
}
},
{
"bool": {
"should": [
{
"bool": {
"must": [
{
"match_phrase": {
"EventID": "11"
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetFilename.keyword": "*.dmp*"
}
},
{
"wildcard": {
"TargetFilename.keyword": "*Desktop\\\\how*"
}
},
{
"wildcard": {
"TargetFilename.keyword": "*Desktop\\\\decrypt*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"EventID": "12"
}
},
{
"match_phrase": {
"EventID": "13"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetObject.keyword": "*UserInitMprLogonScript*"
}
},
{
"wildcard": {
"TargetObject.keyword": "*\\\\CurrentVersion\\\\Image File Execution Options\\\\*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"EventID": "12"
}
},
{
"match_phrase": {
"EventID": "13"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetObject.keyword": "*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*"
}
},
{
"wildcard": {
"TargetObject.keyword": "*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"Details.keyword": "*AppData*"
}
},
{
"wildcard": {
"Details.keyword": "*\\\\Users\\\\Public\\\\*"
}
},
{
"wildcard": {
"Details.keyword": "*\\\\Temp\\\\*"
}
},
{
"wildcard": {
"Details.keyword": "*powershell*"
}
},
{
"wildcard": {
"Details.keyword": "*wscript*"
}
},
{
"wildcard": {
"Details.keyword": "*cscript*"
}
}
]
}
}
]
}
}
]
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "7045"
}
},
{
"bool": {
"should": [
{
"wildcard": {
"ServiceName.keyword": "*WCESERVICE*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*WCE SERVICE*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*winexesvc*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*DumpSvc*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*pwdump*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*gsecdump*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*cachedump*"
}
}
]
}
}
]
}
}
}
}
}
]
最简单的方法是使用 terms 查询(具有 OR 语义)。注意 terms 对字段值做精确匹配、不做分词,因此要确认 EventID 字段是 keyword 或数值类型:
问题是它不适用于更复杂的脚本。我已经在第一篇帖子中添加了 godmode 示例。
—— 哇,这个查询是完美的反模式:大量带前导通配符的 wildcard 查询,这是最消耗性能的做法之一,你真的应该研究一下这个问题。
—— 这不是我自己写的,这是 Sigma 的一个示例规则。是的,那一条确实有很多通配符,但其他的没有。这只是“多个 query”的一个示例 :)
{
"query": {
"bool": {
"filter": [
{
"terms": {
"EventID": [
"4732", "4728"
]
}
}
]
}
}
}