Trying to capture Add/Remove/Changes for Microsoft DNS objects in the security logs by admins, and not system.
Attempt to capture a create event:
EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)
This does capture the event, but also a bunch of other messages that don't (appear to) match any of the params. Similar issues with a delete.
What am I doing wrong here?
jan (Jan Doberstein):
AND created
that searches in messages, full_messages and source; in addition this is analyzed, which means Elasticsearch will split all found content.
AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)
Depending on whether SubjectUserName is analysed or not, that might behave differently on the regex * and the unescaped $.
Without knowledge about the data, that is not really answerable.
Thanks for the reply. Have tried to narrow this down and it's certainly related to the AND NOT search
AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:-)
Specifically
AND NOT SubjectUserName:*$
This does filter out the field with *$ but then also seems to bring up messages in which that field is NULL.
Any suggestions on how to construct the search to ignore any message with SubjectUserName?
AND _exists_:SubjectUserName
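The behaviour discussed in this thread, modelled as an added example (not code from the thread or from Graylog): a NOT clause on a field query only excludes events where the field actually matched, so events that lack SubjectUserName entirely pass the NOT and show up in the results; adding an _exists_ condition drops them. The events below are constructed sample records, the field values are placeholders, and the matcher only models term/wildcard semantics, not Elasticsearch analyzer splitting.

```python
import fnmatch

# Constructed sample events (not real audit data): Windows 5137 records for
# dnsNode objects raised by an admin, a machine account, SYSTEM, a "-" subject,
# and one record with no SubjectUserName field at all.
EVENTS = [
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "alice"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "DC01$"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "SYSTEM"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "-"},
    {"EventID": 5137, "ObjectClass": "dnsNode"},  # field missing entirely
    {"EventID": 5136, "ObjectClass": "dnsNode", "SubjectUserName": "bob"},
]


def field_matches(event, field, pattern):
    """Lucene-style term/wildcard match on one field.

    A missing field never matches, which is exactly why NOT field:pattern
    lets field-less events through.
    """
    value = event.get(field)
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value), pattern)


def is_non_admin_subject(event):
    """The bracketed part of the thread's query:
    (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:-)"""
    return (field_matches(event, "SubjectUserName", "*$")
            or field_matches(event, "SubjectUserName", "SYSTEM")
            or field_matches(event, "SubjectUserName", "-"))


def original_query(event):
    """EventID:5137 AND ObjectClass:dnsNode AND NOT (...)"""
    return (event.get("EventID") == 5137
            and event.get("ObjectClass") == "dnsNode"
            and not is_non_admin_subject(event))


def fixed_query(event):
    """Same query with AND _exists_:SubjectUserName appended."""
    return original_query(event) and "SubjectUserName" in event


def run(query, events=EVENTS):
    """Return the SubjectUserName of every event the query selects
    (None marks an event where the field is absent)."""
    return [e.get("SubjectUserName") for e in events if query(e)]


if __name__ == "__main__":
    print("original:", run(original_query))  # alice plus the field-less event
    print("fixed:   ", run(fixed_query))     # alice only
```

The original query returns the admin event and the field-less event, because NOT only removes events where one of the three patterns matched; the _exists_ clause removes the field-less one. If the field is analysed, the * and $ may behave differently from this plain wildcard model, as noted in the reply above.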