Step: Query Elasticsearch

This step runs queries against an Elasticsearch data source, scoped to a chosen Elasticsearch index. A common use of this step is saving the results of an Elasticsearch query to a package variable.


Operates on a reified package graph

Uses Elasticsearch Query syntax

  • Query Elasticsearch: Choose which Elasticsearch data source will provide the relevant data input.
  • Elasticsearch Index: Choose the index to query; this is the mapping used for the variable to be queried.
  • Output Variable Name: Any results returned by the query will be placed in the specified variable.
  • Query DSL (Elasticsearch Query): Enter an Elasticsearch query here. Line breaks, spaces, and tabs are all allowed and preserved on save.

This Query Elasticsearch step queries for any logon events (4624) from the past hour that share the same logon user but did not occur on the same host.

{
	"query": {
		"constant_score": {
			"filter": {
				"bool": {
					"must": [{
						"term": {
							"event_id": "4624"
						}
					}, {
						"term": {
							"event_data.TargetUserName": "${userhost[0][0]}"
						}
					}, {
						"range": {
							"@timestamp": {
								"gte": "now-24h"
							}
						}
					}],
					"must_not": [{
						"terms": {
							"event_data.LogonType": ["3", "4", "5", "0"]
						}
					}, {
						"match": {
							"host": "${userhost[0][1]}"
						}
					}]
				}
			}
		}
	},
	"size": "100"
}

Queries Elasticsearch to test for account crawling. Condition: a successful logon event (4624) by a user (not a system or service account) that occurred within the last hour, where the same account logged on to multiple hosts.

{
	"query": {
		"constant_score": {
			"filter": {
				"bool": {
					"must": [{
						"term": {
							"event_id": "4624"
						}
					}, {
						"term": {
							"event_data.TargetUserName": "${userhost[0][0]}"
						}
					}, {
						"range": {
							"@timestamp": {
								"gte": "now-1h"
							}
						}
					}],
					"must_not": [{
						"match": {
							"beat.hostname": "${userhost[0][1]}"
						}
					}, {
						"terms": {
							"event_data.LogonType": ["3", "4", "5", "0"]
						}
					}]
				}
			}
		}
	},
	"size": "100"
}
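The account-crawling check above, as an added example that is not part of the original page: it fills the ${userhost[0][0]} / ${userhost[0][1]} placeholders the way the step would (the window parameter also covers the now-24h range used by the first query) and applies the same bool-filter semantics locally to constructed Winlogbeat-style hits, so you can see which logons the query keeps and which the must_not clauses drop. Field names follow the page's query; the reference time, user and host names are constructed.

```python
from datetime import datetime, timedelta, timezone

# must_not drops logon types 0 system, 3 network, 4 batch, 5 service; interactive ones remain.
EXCLUDED_LOGON_TYPES = {"0", "3", "4", "5"}

def build_account_crawl_query(user, origin_host, window="now-1h", size=100):
    """The page's second query with ${userhost[0][0]} / ${userhost[0][1]} substituted."""
    return {"query": {"constant_score": {"filter": {"bool": {
                "must": [{"term": {"event_id": "4624"}},
                         {"term": {"event_data.TargetUserName": user}},
                         {"range": {"@timestamp": {"gte": window}}}],
                "must_not": [{"match": {"beat.hostname": origin_host}},
                             {"terms": {"event_data.LogonType": sorted(EXCLUDED_LOGON_TYPES)}}],
            }}}}, "size": size}

def matches_account_crawl(hit, user, origin_host, now, window=timedelta(hours=1)):
    """Same bool-filter semantics for one hit; `match` on beat.hostname approximated by equality (assumption)."""
    src = hit["_source"]
    data = src.get("event_data", {})
    ts = datetime.fromisoformat(src["@timestamp"].replace("Z", "+00:00"))
    return (src.get("event_id") == "4624"
            and data.get("TargetUserName") == user
            and now - ts <= window
            and src.get("beat", {}).get("hostname") != origin_host
            and data.get("LogonType") not in EXCLUDED_LOGON_TYPES)

def hosts_with_other_logons(hits, user, origin_host, now):
    """Hosts other than the origin where the user logged on interactively in the window."""
    return sorted({h["_source"]["beat"]["hostname"]
                   for h in hits if matches_account_crawl(h, user, origin_host, now)})

def _hit(user, host, logon_type, minutes_ago, now):
    """Constructed Winlogbeat-style 4624 document, shaped like an Elasticsearch hit."""
    ts = (now - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"_source": {"@timestamp": ts, "event_id": "4624", "beat": {"hostname": host},
                        "event_data": {"TargetUserName": user, "LogonType": logon_type}}}

NOW = datetime(2018, 9, 14, 21, 30, tzinfo=timezone.utc)  # fixed reference time (constructed)
USERHOST = [["jdoe", "WS-001"]]                            # constructed ${userhost} value
SAMPLE_HITS = [
    _hit("jdoe", "WS-002", "10", 20, NOW),   # RDP logon on another host: matches
    _hit("jdoe", "WS-001", "2", 10, NOW),    # same host as the alert: excluded
    _hit("jdoe", "FS-01", "3", 5, NOW),      # network logon (type 3): excluded
    _hit("jdoe", "WS-003", "2", 180, NOW),   # outside the one-hour window: excluded
    _hit("asmith", "WS-004", "2", 10, NOW),  # different user: excluded
    _hit("jdoe", "WS-005", "7", 30, NOW),    # workstation unlock elsewhere: matches
]
if __name__ == "__main__":
    print(hosts_with_other_logons(SAMPLE_HITS, *USERHOST[0], NOW))  # ['WS-002', 'WS-005']
```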

Queries Elasticsearch for the most recent related event 2003 carrying the USB instance ID obtained in a previous step.

{
	"query": {
		"constant_score": {
			"filter": {
				"bool": {
					"must": [{
						"match": {
							"event_id": "2003"
						}
					}, {
						"match": {
							"user_data.InstanceId": "${instanceID[0][0]}"
						}
					}]
				}
			}
		}
	},
	"size": 1,
	"sort": [{
		"@timestamp": {
			"order": "desc"
		}
	}]
}
  • step/query-elastisearch
  • Last modified: 2018/09/14 21:30