randomuserid/Adama

Security event log was cleared

Closed this issue · 0 comments

In this saved search we are searching for "Security event log was cleared", which means we search for event IDs 517 and 1102, but the problem is that your query searches for the inverse; your query is like this:

"must_not": [
  {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        { "match_phrase": { "event.code": "517" } },
        { "match_phrase": { "event.code": "1102" } }
      ]
    }
  }
]

and the correct one is searching for these event IDs, and the query will be like this:

"filter": [
  {
    "bool": {
      "should": [
        { "match_phrase": { "event.code": "517" } },
        { "match_phrase": { "event.code": "1102" } }
      ],
      "minimum_should_match": 1
    }
  }
]
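To check the two fragments above against sample data, here is an added example (not code from the Adama repository) that evaluates the subset of the Elasticsearch bool-query DSL they use; the event records and the evaluator are constructed assumptions, not part of the issue.

```python
# Added example (not the Adama repo's own code): a minimal evaluator for the
# two Elasticsearch bool-query fragments in the issue, run over constructed
# sample events, to show why putting the codes under must_not inverts the rule.

# Constructed sample events; event.code 517/1102 = security log cleared.
SAMPLE_EVENTS = [
    {"event.code": "1102", "message": "The audit log was cleared"},
    {"event.code": "517", "message": "The audit log was cleared"},
    {"event.code": "4624", "message": "An account was successfully logged on"},
    {"event.code": "4688", "message": "A new process has been created"},
]

LOG_CLEARED_CODES = ("517", "1102")

def code_clause(code: str) -> dict:
    return {"match_phrase": {"event.code": code}}

# The query as reported in the issue: the codes sit under must_not.
BUGGY_QUERY = {"bool": {"must_not": [
    {"bool": {"minimum_should_match": 1,
              "should": [code_clause(c) for c in LOG_CLEARED_CODES]}}]}}

# The corrected query from the issue: the same codes under filter.
FIXED_QUERY = {"bool": {"filter": [
    {"bool": {"should": [code_clause(c) for c in LOG_CLEARED_CODES],
              "minimum_should_match": 1}}]}}

def matches(query: dict, event: dict) -> bool:
    """Evaluate the subset of the query DSL used here against one event."""
    if "match_phrase" in query:
        (field, value), = query["match_phrase"].items()
        return str(event.get(field)) == str(value)
    b = query["bool"]
    # filter / must: every clause must hold.
    for key in ("filter", "must"):
        if not all(matches(q, event) for q in b.get(key, [])):
            return False
    # must_not: no clause may hold; this is what drops 517/1102 in BUGGY_QUERY.
    if any(matches(q, event) for q in b.get("must_not", [])):
        return False
    # should: at least minimum_should_match clauses must hold.
    should = b.get("should", [])
    if should:
        return sum(matches(q, event) for q in should) >= b.get("minimum_should_match", 1)
    return True

def hits(query: dict) -> list:
    """Event codes the query would surface from the sample set."""
    return [e["event.code"] for e in SAMPLE_EVENTS if matches(query, e)]
```

Running `hits(BUGGY_QUERY)` returns every event except the log-cleared ones, while `hits(FIXED_QUERY)` returns only 1102 and 517.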