Elasticsearch 查询 DSL 中的多个 "query"



这很有效:

{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
}

但是我怎样才能把多个这样的 "query" 组合在一起呢?例如同时匹配 "EventID": "4732" 和 "EventID": "4728"

在实践中,基于 Sigma 规则生成的查询要复杂得多;否则我知道可以这样写:

{
"query": {
"bool": {
"should": [
{
"match_phrase": {
"data.win.system.eventID": "4732"
}
},
{
"match_phrase": {
"data.win.system.eventID": "4728"
}
}
],
"minimum_should_match": 1
}
}
}

Sigma 的输出格式为:

[
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
]

然而,这给了我:

[parsing_exception] unknown query [query], with { line=1 & col=1065 }

而且在 Dev Tools 中根本不起作用。在 Discover 中,它被自动转换为:

{
"0": {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
"1": {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
}

Dev Tools 给出的错误信息:

"reason" : "Unknown key for a START_OBJECT in [0].",

查到的资料建议把这些 "query" 放进 bool 查询的 should 里,即:

{
"query": {
"bool": {
"should": [
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
],
"minimum_should_match": 1
}
}
}

这同样返回:

[parsing_exception] unknown query [query], with { line=1 & col=1065 }

或者,在 Dev Tools 中:

"reason" : "unknown query [query]"

是否可以在一个请求中使用多个 "query"?

我想转换的 Sigma 输出示例:

[
{
"query": {
"constant_score": {
"filter": {
"bool": {
"should": [
{
"bool": {
"should": [
{
"wildcard": {
"CommandLine.keyword": "* -NoP *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -W Hidden *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -decode *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* /decode *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* JAB*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* SUVYI*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* SQBFAFgA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* aWV4I*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* IAB*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* PAA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* aQBlAHgA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*vssadmin delete shadows*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*reg SAVE HKLM\\SAM*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -ma *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*Microsoft\\Windows\\CurrentVersion\\Run*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*.downloadstring(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*.downloadfile(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* /ticket:*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* sekurlsa*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* p::d *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*;iex(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*schtasks* /create *AppData*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* comsvcs.dll,MiniDump*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* comsvcs.dll,#24*"
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"ParentImage.keyword": "*\\WINWORD.EXE*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\EXCEL.EXE*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\POWERPNT.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\MSPUB.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\VISIO.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\OUTLOOK.EXE*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"Image.keyword": "*\\cmd.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\powershell.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\wscript.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\cscript.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\schtasks.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\scrcons.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\regsvr32.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\hh.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\wmic.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\mshta.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\msiexec.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\forfiles.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\AppData\\*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"Image.keyword": "*\\apache*"
}
},
{
"wildcard": {
"Image.keyword": "*\\tomcat*"
}
},
{
"wildcard": {
"Image.keyword": "*\\w3wp.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\php-cgi.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\nginx.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\httpd.exe*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"CommandLine.keyword": "*whoami*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*net user *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*ping -n *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*systeminfo*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*&cd&echo*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*cd /d *"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"wildcard": {
"Image.keyword": "*\\whoami.exe*"
}
},
{
"match_phrase": {
"User": "NT AUTHORITY\SYSTEM"
}
}
]
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventLog": "Microsoft-Windows-Sysmon"
}
},
{
"bool": {
"should": [
{
"bool": {
"must": [
{
"match_phrase": {
"EventID": "11"
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetFilename.keyword": "*.dmp*"
}
},
{
"wildcard": {
"TargetFilename.keyword": "*Desktop\\how*"
}
},
{
"wildcard": {
"TargetFilename.keyword": "*Desktop\\decrypt*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"EventID": "12"
}
},
{
"match_phrase": {
"EventID": "13"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetObject.keyword": "*UserInitMprLogonScript*"
}
},
{
"wildcard": {
"TargetObject.keyword": "*\\CurrentVersion\\Image File Execution Options\\*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"EventID": "12"
}
},
{
"match_phrase": {
"EventID": "13"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetObject.keyword": "*\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
}
},
{
"wildcard": {
"TargetObject.keyword": "*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"Details.keyword": "*AppData*"
}
},
{
"wildcard": {
"Details.keyword": "*\\Users\\Public\\*"
}
},
{
"wildcard": {
"Details.keyword": "*\\Temp\\*"
}
},
{
"wildcard": {
"Details.keyword": "*powershell*"
}
},
{
"wildcard": {
"Details.keyword": "*wscript*"
}
},
{
"wildcard": {
"Details.keyword": "*cscript*"
}
}
]
}
}
]
}
}
]
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "7045"
}
},
{
"bool": {
"should": [
{
"wildcard": {
"ServiceName.keyword": "*WCESERVICE*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*WCE SERVICE*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*winexesvc*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*DumpSvc*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*pwdump*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*gsecdump*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*cachedump*"
}
}
]
}
}
]
}
}
}
}
}
]

最简单的方法是使用 terms 查询(具有 OR 语义)。之前的尝试之所以报 unknown query [query],是因为 "query" 是搜索请求体的顶层键而不是查询子句,不能嵌套在 bool.should 里;若要组合多条 Sigma 输出,应去掉每条外层的 "query" 包装,只把内部的 constant_score 对象作为 should 的成员。示例:

{
"query": {
"bool": {
"filter": [
{
"terms": {
"EventID": [
"4732", "4728"
]
}
}
]
}
}
}
