Query Help - DNS Events in MS Security Logs

Trying to capture Add/Remove/Changes for Microsoft DNS objects in the security logs by admins, and not system.

Attempt to capture a create event:

EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)

This does capture the event, but also a bunch of other messages that don't (appear) to match any of the params. Similar issues with a delete.

What am I doing wrong here?

AND created

That searches in messages, full_messages and source; in addition, this is analyzed, which means Elasticsearch will split all found content.

AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)

Depending on whether SubjectUserName is analysed or not, that might behave differently on the regex * and the unescaped $.

Without knowledge about the data, that is not really possible to answer.

Thanks for the reply. I have tried to narrow this down and it's certainly related to the AND NOT search:

AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:-)

Specifically

AND NOT SubjectUserName:*$

This does filter out the field with *$ but then also seems to bring up messages in which that field is NULL.

Any suggestions on how to construct the search to ignore any message with SubjectUserName:

  • *$
  • SYSTEM
  • NULL

AND _exists_:SubjectUserName

:smiley:
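Why the NOT clause alone pulls in events with no SubjectUserName, and what adding _exists_ changes, can be seen by emulating the query logic over a handful of constructed events. This is an added illustration, not code from the thread; the sample records below are made up and only mimic the fields discussed (EventID 5137, ObjectClass dnsNode, SubjectUserName).

```python
# Constructed sample events modelled on the fields discussed in the thread
# (Windows Security Event ID 5137 for dnsNode objects). Not real log data.
EVENTS = [
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "jsmith"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "DC01$"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "SYSTEM"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "-"},
    {"EventID": 5137, "ObjectClass": "dnsNode"},  # SubjectUserName absent (NULL)
    {"EventID": 5136, "ObjectClass": "dnsNode", "SubjectUserName": "jsmith"},
]


def is_machine_or_system(name):
    """The three exclusions from the thread: computer accounts (trailing $),
    SYSTEM, and the '-' placeholder."""
    return name.endswith("$") or name == "SYSTEM" or name == "-"


def match_not_only(ev):
    """Emulates:
    EventID:5137 AND ObjectClass:dnsNode
      AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:-)
    A NOT over a field that is missing excludes nothing, so the event matches."""
    if ev.get("EventID") != 5137 or ev.get("ObjectClass") != "dnsNode":
        return False
    name = ev.get("SubjectUserName")
    if name is None:
        return True  # nothing to negate: this is the unwanted NULL hit
    return not is_machine_or_system(name)


def match_with_exists(ev):
    """Same query with 'AND _exists_:SubjectUserName' appended."""
    return match_not_only(ev) and "SubjectUserName" in ev


def admin_dns_changes(events, matcher):
    """Return the SubjectUserName of every event the matcher accepts."""
    return [ev.get("SubjectUserName") for ev in events if matcher(ev)]


if __name__ == "__main__":
    print("NOT only:     ", admin_dns_changes(EVENTS, match_not_only))
    print("with _exists_:", admin_dns_changes(EVENTS, match_with_exists))
```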
