This works:
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
}
But how can I add multiple such "query"s together? For example, "EventID": "4732"
or "EventID": "4728"
In practice the queries are more complex, based on Sigma rules; otherwise I know I could do:
{
"query": {
"bool": {
"should": [
{
"match_phrase": {
"data.win.system.eventID": "4732"
}
},
{
"match_phrase": {
"data.win.system.eventID": "4728"
}
}
],
"minimum_should_match": 1
}
}
}
The output from Sigma would be of the format:
[
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
]
However, this gives me:
[parsing_exception] unknown query [query], with { line=1 & col=1065 }
And doesn't work in Dev Tools at all. In the Discover section, it is automatically converted to:
{
"0": {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
"1": {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
}
Which in Dev Tools gives:
"reason" : "Unknown key for a START_OBJECT in [0].",
Research suggested to wrap the "query"s in a query bool should, i.e.:
{
"query": {
"bool": {
"should": [
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4732"
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "4728"
}
}
]
}
}
}
}
}
],
"minimum_should_match": 1
}
}
}
This also gives:
[parsing_exception] unknown query [query], with { line=1 & col=1065 }
or, in Dev Tools:
"reason" : "unknown query [query]"
Is it possible to do multiple "query"s?
Example of Sigma script I want to convert:
[
{
"query": {
"constant_score": {
"filter": {
"bool": {
"should": [
{
"bool": {
"should": [
{
"wildcard": {
"CommandLine.keyword": "* -NoP *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -W Hidden *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -decode *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* /decode *"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* JAB*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* SUVYI*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* SQBFAFgA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* aWV4I*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* IAB*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* PAA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -e* aQBlAHgA*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*vssadmin delete shadows*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*reg SAVE HKLM\\\\SAM*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* -ma *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*.downloadstring(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*.downloadfile(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* /ticket:*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* sekurlsa*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* p::d *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*;iex(*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*schtasks* /create *AppData*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* comsvcs.dll,MiniDump*"
}
},
{
"wildcard": {
"CommandLine.keyword": "* comsvcs.dll,#24*"
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"ParentImage.keyword": "*\\\\WINWORD.EXE*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\EXCEL.EXE*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\POWERPNT.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\MSPUB.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\VISIO.exe*"
}
},
{
"wildcard": {
"ParentImage.keyword": "*\\\\OUTLOOK.EXE*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"Image.keyword": "*\\\\cmd.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\powershell.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\wscript.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\cscript.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\schtasks.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\scrcons.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\regsvr32.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\hh.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\wmic.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\mshta.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\msiexec.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\forfiles.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\AppData\\\\*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"Image.keyword": "*\\\\apache*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\tomcat*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\w3wp.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\php-cgi.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\nginx.exe*"
}
},
{
"wildcard": {
"Image.keyword": "*\\\\httpd.exe*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"CommandLine.keyword": "*whoami*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*net user *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*ping -n *"
}
},
{
"wildcard": {
"CommandLine.keyword": "*systeminfo*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*&cd&echo*"
}
},
{
"wildcard": {
"CommandLine.keyword": "*cd /d *"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"wildcard": {
"Image.keyword": "*\\\\whoami.exe*"
}
},
{
"match_phrase": {
"User": "NT AUTHORITY\\SYSTEM"
}
}
]
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventLog": "Microsoft-Windows-Sysmon"
}
},
{
"bool": {
"should": [
{
"bool": {
"must": [
{
"match_phrase": {
"EventID": "11"
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetFilename.keyword": "*.dmp*"
}
},
{
"wildcard": {
"TargetFilename.keyword": "*Desktop\\\\how*"
}
},
{
"wildcard": {
"TargetFilename.keyword": "*Desktop\\\\decrypt*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"EventID": "12"
}
},
{
"match_phrase": {
"EventID": "13"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetObject.keyword": "*UserInitMprLogonScript*"
}
},
{
"wildcard": {
"TargetObject.keyword": "*\\\\CurrentVersion\\\\Image File Execution Options\\\\*"
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"EventID": "12"
}
},
{
"match_phrase": {
"EventID": "13"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"TargetObject.keyword": "*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*"
}
},
{
"wildcard": {
"TargetObject.keyword": "*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"Details.keyword": "*AppData*"
}
},
{
"wildcard": {
"Details.keyword": "*\\\\Users\\\\Public\\\\*"
}
},
{
"wildcard": {
"Details.keyword": "*\\\\Temp\\\\*"
}
},
{
"wildcard": {
"Details.keyword": "*powershell*"
}
},
{
"wildcard": {
"Details.keyword": "*wscript*"
}
},
{
"wildcard": {
"Details.keyword": "*cscript*"
}
}
]
}
}
]
}
}
]
}
}
]
}
}
}
}
},
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"match_phrase": {
"EventID": "7045"
}
},
{
"bool": {
"should": [
{
"wildcard": {
"ServiceName.keyword": "*WCESERVICE*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*WCE SERVICE*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*winexesvc*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*DumpSvc*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*pwdump*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*gsecdump*"
}
},
{
"wildcard": {
"ServiceName.keyword": "*cachedump*"
}
}
]
}
}
]
}
}
}
}
}
]
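The errors quoted in the question come from one thing: `query` is only valid as the top-level key of a search request. Inside a `should` or `must` array Elasticsearch reads `query` as a query type, which is why it reports `unknown query [query]`, and a JSON array at the top level is not a search body at all, which is why Kibana turns it into `{"0": ..., "1": ...}` and Dev Tools reports `Unknown key for a START_OBJECT in [0]`. The clause that belongs in `should`/`must` is the body underneath each `query` wrapper (the `constant_score` object). The script below is an added example written for this page; it is not part of the question and not the Sigma project's own code. The two-rule sample input is constructed from the shape shown in the post; the `_name`/`matched_queries` part relies on standard Elasticsearch named queries so that a combined search still tells you which rule fired.

```python
"""Merge several Sigma-generated Elasticsearch queries into one search body."""
import json
from typing import Any, Dict, List, Optional, Union

# Constructed sample input: two Sigma outputs in the shape shown in the question.
SIGMA_OUTPUT = [
    {"query": {"constant_score": {"filter": {"bool": {"must": [
        {"match_phrase": {"EventID": "4732"}}]}}}}},
    {"query": {"constant_score": {"filter": {"bool": {"must": [
        {"match_phrase": {"EventID": "4728"}}]}}}}},
]


def unwrap_query(item: Dict[str, Any]) -> Dict[str, Any]:
    """Strip the top-level {"query": ...} wrapper Sigma emits.

    "query" is only accepted at the top of a search request; inside a bool
    clause Elasticsearch parses it as a query type and fails with
    'unknown query [query]'. The clause that goes into should/must is the
    body underneath it (constant_score, bool, match_phrase, ...).
    """
    if set(item) == {"query"}:
        return item["query"]
    return item  # already a bare query clause


def combine_queries(queries: Union[List[Dict[str, Any]], Dict[str, Any]],
                    mode: str = "should",
                    names: Optional[List[str]] = None) -> Dict[str, Any]:
    """Return one search body that ORs ("should") or ANDs ("must") the rules.

    Accepts either the list Sigma emits or the {"0": ..., "1": ...} object
    that Kibana Discover turns that list into. If `names` is given, each rule
    is wrapped in a named bool so every hit carries `matched_queries` listing
    the rules it matched (otherwise merging rules loses that attribution).
    """
    if mode not in ("should", "must"):
        raise ValueError("mode must be 'should' or 'must'")
    if isinstance(queries, dict) and "query" not in queries:
        # Discover form: restore the original rule order by numeric key.
        queries = [queries[k] for k in sorted(queries, key=int)]
    clauses = [unwrap_query(q) for q in queries]
    if names is not None:
        if len(names) != len(clauses):
            raise ValueError("one name per rule required")
        clauses = [{"bool": {"must": [c], "_name": n}}
                   for c, n in zip(clauses, names)]
    body: Dict[str, Any] = {"bool": {mode: clauses}}
    if mode == "should":
        body["bool"]["minimum_should_match"] = 1
    return {"query": body}


def nested_query_keys(node: Any, path: str = "") -> List[str]:
    """List every 'query' key that is not the top-level one.

    Run this on a body before sending it: any path it returns is exactly
    what produces 'unknown query [query]' or 'Unknown key for a START_OBJECT'.
    """
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "query" and path:
                found.append(child)
            found.extend(nested_query_keys(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(nested_query_keys(value, f"{path}[{i}]"))
    return found


if __name__ == "__main__":
    body = combine_queries(SIGMA_OUTPUT, names=["rule_4732", "rule_4728"])
    print(json.dumps(body, indent=2))
    # The naive wrap from the question keeps the inner "query" keys and is rejected.
    naive = {"query": {"bool": {"should": SIGMA_OUTPUT, "minimum_should_match": 1}}}
    print("bad keys in naive body:   ", nested_query_keys(naive))
    print("bad keys in combined body:", nested_query_keys(body))
```

Paste the printed body into Dev Tools as the request body of `GET <index>/_search`. Because the merged query keeps each rule's `constant_score` filter, scoring is unchanged and the result is simply the union (with `should`) or intersection (with `must`) of the individual rule matches; the named-bool wrapper is what lets one combined search still report per-rule hits.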