Search query to find a value that contains a certain value

So I am ingesting EDR data and we have the field CommandLine that monitors command lines that are executed. I have the following below which returns the results in a query just fine; however, when there is other data in the CommandLine it does not return the data. Does an "*" need to be used? How do I return a search result that contains "net localgroups" no matter what other data is in there?

CommandLine:"net localgroups"

If I understand your question correctly, you are looking to do partial text matching for a specific field.

You have a couple of options, but I think using regular expression syntax to search may be the most flexible for you. While this does require at least a base understanding of regular expressions, it is very powerful. You can even use it to do simple "contains" queries. For example:

Instead of CommandLine:"net localgroups" you would do:

CommandLine:/.*net localgroups.*/

In the above the . and * are saying to search for any amount of any character.

The other alternative, which I don't recommend due to it causing performance issues with your Elasticsearch/OpenSearch cluster, is using leading wildcards. This would allow you to use * in the normal string search before and after your search term, e.g. CommandLine:"*net localgroups*". This does require modifying your graylog server.conf and setting allow_leading_wildcard_searches = true
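A worked illustration of the regex form above (added here; it is not code from the original thread or from Graylog). It builds the `field:/.*needle.*/` query with the escaping the Lucene regex engine needs, and emulates Lucene's anchored regex semantics over constructed sample CommandLine values, assuming CommandLine is a keyword (non-analyzed) field, which is the whole-value behaviour the question describes.

```python
import re

# Constructed sample CommandLine values, modelled on what an EDR source ships.
SAMPLE_COMMAND_LINES = [
    "net localgroups",
    "net localgroups administrators",
    'cmd.exe /c "net localgroups \\"Remote Desktop Users\\""',
    "net user guest",
]

# Characters reserved by the Lucene regex engine, plus the '/' that delimits
# a regex in the Graylog query language.
LUCENE_REGEX_RESERVED = set('.?+*|{}[]()"\\#@&<>~/')


def escape_for_lucene_regex(text: str) -> str:
    """Backslash-escape the needle so it is matched literally inside /.../."""
    return "".join("\\" + c if c in LUCENE_REGEX_RESERVED else c for c in text)


def build_contains_query(field: str, needle: str) -> str:
    """Build field:/.*needle.*/ ; the .* on both sides is required because
    Lucene anchors a regex to the whole field value (no implicit .*)."""
    return f"{field}:/.*{escape_for_lucene_regex(needle)}.*/"


def regex_body(query: str) -> str:
    """Pull the text between the / delimiters out of field:/.../ ."""
    return query.split(":/", 1)[1][:-1]


def lucene_style_hits(regex: str, values):
    """Emulate Lucene's anchored regex semantics with re.fullmatch. The Lucene
    escaping above (backslash before punctuation) is also literal in Python re."""
    return [v for v in values if re.fullmatch(regex, v) is not None]


def exact_value_hits(needle: str, values):
    """Emulate CommandLine:"needle" on a keyword field: whole-value equality,
    which is why longer command lines were missing from the original results."""
    return [v for v in values if v == needle]


if __name__ == "__main__":
    q = build_contains_query("CommandLine", "net localgroups")
    print(q)  # CommandLine:/.*net localgroups.*/
    for hit in lucene_style_hits(regex_body(q), SAMPLE_COMMAND_LINES):
        print("contains:", hit)
    # Without the .* padding the regex only matches the whole value:
    for hit in lucene_style_hits(escape_for_lucene_regex("net localgroups"), SAMPLE_COMMAND_LINES):
        print("anchored:", hit)
```

Running it shows three hits for the padded regex and a single hit for both the unpadded regex and the exact-value query.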
