[Solved] sigma: Es-dsl and es-qs wildcards incorrect

I tested the outputs of the sigma es-dsl and es-qs backends, but they output with errors that mean they won't work. While syntactically correct, they handle * wildcards as string literals. In the qs, the terms shouldn't be in quotes. In the dsl, you need to use "wildcard", not "match_phrase".

22 Answers

✔️ Accepted Answer

Thank you for the information. However, I think it would be worth it to add an option to the elastalert backend to not use the .keyword subfields? There's already an option not to use it for specific fields, but an option use_keyword_subfields which is true by default and could be disabled would make sense to me.

What do you think?
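The two defects the question describes (quoted wildcard terms in the query_string output, and `match_phrase` instead of `wildcard` in the DSL output) and the `.keyword` subfield option the accepted answer proposes can be put together in a small translator. The code below is an added example written for this thread; it is not Sigma's own Elasticsearch backend or elastalert code. It assumes a Sigma-like selection (a map of field to value or list of values, fields AND-ed, list entries OR-ed), an index mapped with the default `.keyword` subfields, and two option names of my own: `use_keyword_subfields` (the switch suggested in the answer, on by default) and a hypothetical `keyword_exclude` set for the per-field opt-out the answer mentions. The `SELECTION` input is constructed for the demo. `literal_wildcards()` is the check you would run over generated DSL to catch the broken form before shipping it.

```python
"""Translate a Sigma-style selection into an Elasticsearch query_string and a
DSL query with working wildcards.  Added example for this thread, not code
from the Sigma project or from elastalert."""
import json

# Characters the query_string syntax reserves.  '*' and '?' are deliberately
# NOT in this set: they are the wildcards we want to stay active.  The space
# is included so a multi-word wildcard term is not split into separate words.
_QS_RESERVED = set('+-=&|><!(){}[]^"~:\\/ ')


def has_wildcard(value: str) -> bool:
    """Sigma uses '*' (any run of characters) and '?' (one character)."""
    return '*' in value or '?' in value


def escape_qs_term(value: str) -> str:
    """Backslash-escape reserved characters but leave '*' and '?' alone."""
    return ''.join('\\' + c if c in _QS_RESERVED else c for c in value)


def resolve_field(field: str, use_keyword_subfields: bool, keyword_exclude: set) -> str:
    """Wildcard and exact matching need an unanalyzed field, hence '.keyword'.
    Both option names are hypothetical, modelled on the thread's proposal."""
    if use_keyword_subfields and field not in keyword_exclude:
        return field + '.keyword'
    return field


def qs_value(value: str) -> str:
    """Wildcard values go out UNQUOTED (quoting makes '*' a literal character);
    plain values are quoted so they match as one phrase."""
    if has_wildcard(value):
        return escape_qs_term(value)
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def dsl_value(field: str, value: str) -> dict:
    """Use a 'wildcard' query for wildcard values; 'match_phrase' would search
    for the literal '*' text and never match."""
    if has_wildcard(value):
        return {"wildcard": {field: {"value": value}}}
    return {"match_phrase": {field: value}}


def translate(selection: dict, use_keyword_subfields: bool = True, keyword_exclude=()):
    """Return (query_string, dsl) for a selection map: fields are AND-ed,
    list values within a field are OR-ed."""
    exclude = set(keyword_exclude)
    qs_parts, dsl_must = [], []
    for field, values in selection.items():
        if not isinstance(values, list):
            values = [values]
        f = resolve_field(field, use_keyword_subfields, exclude)
        qs_alts = [f"{f}:{qs_value(v)}" for v in values]
        qs_parts.append(qs_alts[0] if len(qs_alts) == 1 else '(' + ' OR '.join(qs_alts) + ')')
        dsl_alts = [dsl_value(f, v) for v in values]
        dsl_must.append(dsl_alts[0] if len(dsl_alts) == 1
                        else {"bool": {"should": dsl_alts, "minimum_should_match": 1}})
    return ' AND '.join(qs_parts), {"query": {"bool": {"must": dsl_must}}}


def literal_wildcards(node) -> bool:
    """Check: True if any match_phrase/match/term value in a DSL tree still
    carries a wildcard character, i.e. the bug this thread reports."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in ('match_phrase', 'match', 'term'):
                for inner in val.values():
                    if isinstance(inner, dict):
                        inner = inner.get('query', inner.get('value'))
                    if isinstance(inner, str) and has_wildcard(inner):
                        return True
            elif literal_wildcards(val):
                return True
    elif isinstance(node, list):
        return any(literal_wildcards(x) for x in node)
    return False


# Constructed sample selection, shaped like a typical Sigma process-creation rule.
SELECTION = {
    "CommandLine": ["*mimikatz*", "*sekurlsa::*"],
    "Image": "C:\\Windows\\System32\\rundll32.exe",
}

if __name__ == "__main__":
    qs, dsl = translate(SELECTION)
    print(qs)
    print(json.dumps(dsl, indent=2))
    print("literal wildcards left in DSL:", literal_wildcards(dsl))
    # The broken shape from the issue, for comparison: the check flags it.
    print("broken form flagged:", literal_wildcards({"match_phrase": {"CommandLine": "*mimikatz*"}}))
```

Two caveats when running this against a real index: the `.keyword` subfield created by Elasticsearch's default dynamic mapping has `ignore_above: 256`, so values longer than that (long command lines are common) are not indexed into it and will not match; and a `wildcard` query on a keyword field is case-sensitive unless you set its `case_insensitive` parameter (Elasticsearch 7.10 and later). Leading-`*` patterns also scan the whole term dictionary, so expect them to be slow on large indices.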
