Security event log was cleared
Closed this issue · 0 comments
SaidaniMohamed commented
In this saved search we are searching for "Security event log was cleared", which means we search for event IDs 517 and 1102, but the problem is that your query searches for the inverse. Your query is like this:
```json
{
  "bool": {
    "must_not": [
      {
        "bool": {
          "minimum_should_match": 1,
          "should": [
            {
              "match_phrase": {
                "event.code": "517"
              }
            },
            {
              "match_phrase": {
                "event.code": "1102"
              }
            }
          ]
        }
      }
    ]
  }
}
```
and the correct one is searching for these event IDs, and the query will be like this:
```json
{
  "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "event.code": "517"
              }
            },
            {
              "match_phrase": {
                "event.code": "1102"
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    ]
  }
}
```
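To make the effect of `must_not` versus `filter` concrete, here is an added example (not code from the issue or from the project the saved search belongs to). It is a small Python evaluator for the subset of the Elasticsearch query DSL used by this saved search (`match_phrase`, and `bool` with `must`/`filter`/`should`/`must_not`/`minimum_should_match`), run over a handful of constructed ECS-style Windows Security events. The sample events, the field names beyond `event.code`, and the evaluator's simplified `minimum_should_match` default are assumptions made for the example; it shows that the reported query returns every event except the log-clear ones, while the corrected query returns only 517 and 1102.

```python
"""Mini evaluator for Elasticsearch bool queries, showing why the reported
saved search never fires: `must_not` excludes the log-clear events instead of
selecting them.  Constructed example, not the project's code."""

# Constructed sample of ECS-style Windows Security events (not real logs).
SAMPLE_EVENTS = [
    {"event.code": "4624", "winlog.channel": "Security", "message": "An account was successfully logged on."},
    {"event.code": "1102", "winlog.channel": "Security", "message": "The audit log was cleared."},
    {"event.code": "4688", "winlog.channel": "Security", "message": "A new process has been created."},
    {"event.code": "517", "winlog.channel": "Security", "message": "The audit log was cleared."},
]

# The fragment reported in the issue: matches everything EXCEPT 517/1102.
INVERTED_QUERY = {
    "bool": {
        "must_not": [
            {"bool": {"minimum_should_match": 1, "should": [
                {"match_phrase": {"event.code": "517"}},
                {"match_phrase": {"event.code": "1102"}},
            ]}}
        ]
    }
}

# The corrected fragment: selects ONLY 517/1102.
CORRECTED_QUERY = {
    "bool": {
        "filter": [
            {"bool": {"should": [
                {"match_phrase": {"event.code": "517"}},
                {"match_phrase": {"event.code": "1102"}},
            ], "minimum_should_match": 1}}
        ]
    }
}


def matches(query, doc):
    """Return True if `doc` satisfies `query`.

    Supports only the DSL subset this saved search uses: match_phrase on a
    keyword-like field, and bool with must/filter/should/must_not and
    minimum_should_match.  Scoring is ignored; only match/no-match matters.
    """
    if "match_phrase" in query:
        (field, value), = query["match_phrase"].items()
        return str(doc.get(field)) == str(value)
    if "bool" in query:
        b = query["bool"]
        # must and filter: every clause has to match (filter just skips scoring).
        for clause in b.get("must", []) + b.get("filter", []):
            if not matches(clause, doc):
                return False
        # must_not: no clause may match -- this is what inverts the reported query.
        for clause in b.get("must_not", []):
            if matches(clause, doc):
                return False
        should = b.get("should", [])
        if should:
            # Simplified Elasticsearch default: minimum_should_match is 1 when
            # there are no must/filter clauses, otherwise 0 (should only scores).
            has_required = bool(b.get("must") or b.get("filter"))
            minimum = b.get("minimum_should_match", 0 if has_required else 1)
            hits = sum(1 for clause in should if matches(clause, doc))
            if hits < int(minimum):
                return False
        return True
    raise ValueError(f"unsupported query clause: {list(query)}")


def run_search(query, events=SAMPLE_EVENTS):
    """Return the event codes of every event the query would return, in order."""
    return [e["event.code"] for e in events if matches(query, e)]


if __name__ == "__main__":
    print("inverted :", run_search(INVERTED_QUERY))   # ['4624', '4688']
    print("corrected:", run_search(CORRECTED_QUERY))  # ['1102', '517']
```

Running the block prints the two result lists: the inverted query surfaces the logon and process-creation noise and drops exactly the events the rule is supposed to catch, which is why a saved search built from it produces hits that look plausible while silently missing every real log-clear event.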