Created
July 12, 2023 19:09
-
-
Save ajosh0504/d722fd6f3b97145cb5623f69453ac61c to your computer and use it in GitHub Desktop.
session_summarization_queries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Select important fields to extract from session logs | |
| # Get top 10 unique values for each of the fields, and a representative document for each unique value | |
| # Sample query on Infosec cluster: | |
| GET logs-*/_search | |
| { | |
| "query":{ | |
| "bool": { | |
| "must": [ | |
| {"match": {"host.os.type": "linux"}}, | |
| {"match": {"process.session_leader.entity_id": "ODBjMTU4YmEtZDkzYy00YTU2LTg5MGItZjZhZGViM2JlNmQ5LTUyOTEwLTE2ODYxNjE2ODU="}}, | |
| {"range": { | |
| "@timestamp": { | |
| "gte": "now-1M/h", | |
| "lte": "now" | |
| } | |
| }} | |
| ] | |
| } | |
| }, | |
| "size": 0, | |
| "aggs": { | |
| "unique_process_names": { | |
| "terms": { | |
| "field": "process.name", | |
| "size": 10 | |
| }, | |
| "aggs":{ | |
| "representative_docs": { | |
| "top_hits": { | |
| "size": 1 | |
| } | |
| } | |
| } | |
| }, | |
| "unique_file_paths": { | |
| "terms": { | |
| "field": "file.path", | |
| "size": 10 | |
| }, | |
| "aggs":{ | |
| "representative_docs": { | |
| "top_hits": { | |
| "size": 1 | |
| } | |
| } | |
| } | |
| }, | |
| "unique_event_actions": { | |
| "terms": { | |
| "field": "event.action", | |
| "size": 10 | |
| }, | |
| "aggs":{ | |
| "representative_docs": { | |
| "top_hits": { | |
| "size": 1 | |
| } | |
| } | |
| } | |
| }, | |
| "unique_event_categories": { | |
| "terms": { | |
| "field": "event.category", | |
| "size": 10 | |
| }, | |
| "aggs":{ | |
| "representative_docs": { | |
| "top_hits": { | |
| "size": 1 | |
| } | |
| } | |
| } | |
| }, | |
| "session_duration": { | |
| "scripted_metric": { | |
| "init_script": "state.minTimestamp = Long.MAX_VALUE; state.maxTimestamp = Long.MIN_VALUE;", | |
| "map_script": "def docTimestamp = doc['@timestamp'].value.millis; if (docTimestamp < state.minTimestamp) { state.minTimestamp = docTimestamp } if (docTimestamp > state.maxTimestamp) { state.maxTimestamp = docTimestamp }", | |
| "combine_script": "return state", | |
| "reduce_script": "def minTimestamp = Long.MAX_VALUE; def maxTimestamp = Long.MIN_VALUE; for (s in states) { if (s.minTimestamp < minTimestamp) { minTimestamp = s.minTimestamp } if (s.maxTimestamp > maxTimestamp) { maxTimestamp = s.maxTimestamp } } return maxTimestamp - minTimestamp" | |
| } | |
| } | |
| } | |
| } | |
| # Can also nest fields within each other to get representative documents for all combinations of the top 10 values of each field. | |
| # Sample query on Infosec cluster: | |
| GET logs-*/_search | |
| { | |
| "query":{ | |
| "bool": { | |
| "must": [ | |
| {"match": {"host.os.type": "linux"}}, | |
| {"match": {"process.session_leader.entity_id": "ODBjMTU4YmEtZDkzYy00YTU2LTg5MGItZjZhZGViM2JlNmQ5LTUyOTEwLTE2ODYxNjE2ODU="}}, | |
| {"range": { | |
| "@timestamp": { | |
| "gte": "now-1M/h", | |
| "lte": "now" | |
| } | |
| }} | |
| ] | |
| } | |
| }, | |
| "size": 0, | |
| "aggs": { | |
| "top_process_names": { | |
| "terms": { | |
| "field": "process.name", | |
| "size": 10 | |
| }, | |
| "aggs": { | |
| "top_event_categories": { | |
| "terms": { | |
| "field": "event.category", | |
| "size": 10 | |
| }, | |
| "aggs": { | |
| "top_event_actions": { | |
| "terms": { | |
| "field": "event.action", | |
| "size": 10 | |
| }, | |
| "aggs": { | |
| "representative_docs": { | |
| "top_hits": { | |
| "size": 1 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment