Wildcards in Event Filter


Chad Linderman

Aug 14, 2023, 6:01:05 PM
to Wazuh mailing list
Hello,

Sorry if this question had been posted in the past. I looked through the posts for Wildcard and most of them seem to be related to configurations.

I was looking to see if there's possibly a way to add a wild card to a filter on the events. For example, let's say I wanted to filter out WinExecutable for all users on data.win.eventdata.processName:

C:\\Users\\ABC\\Desktop\\WinExecutable.exe
C:\\Users\\DEF\\Desktop\\WinExecutable.exe
C:\\Users\\GHI\\Desktop\\WinExecutable.exe
C:\\Users\\JKL\\Desktop\\WinExecutable.exe

How could I change the filter to just be something like: C:\\*\\WinExecutable.exe?

I know it will probably have to be done in DSQL, but I have tried an asterisk (*), Ampersand (&), Percentile (%) and nothing seems to work.

Thank you.

Leandro David Sayanes

Aug 14, 2023, 7:45:29 PM
to Wazuh mailing list
Hi Chad Linderman!

I will try to help you.
To add a wildcard to a filter on the events, you can use the "like" operator in the query parameter.
The "like" operator allows you to perform wildcard filtering by comparing text in a column against a search pattern.

Here is more information: https://documentation.wazuh.com/current/user-manual/api/queries.html

Here's an example of how you can change the filter to match the desired pattern:
Field name: data.win.eventdata.processName
Operator: ~ (like)
Value: C:*\WinExecutable.exe
By using the asterisk (*) as a wildcard character, you can match any characters in the specified position of the filter.

This will filter out WinExecutable for all users on data.win.eventdata.processName with the specified pattern:

C:\Users\ABC\Desktop\WinExecutable.exe
C:\Users\DEF\Desktop\WinExecutable.exe
C:\Users\GHI\Desktop\WinExecutable.exe
C:\Users\JKL\Desktop\WinExecutable.exe

Please note that the exact syntax and implementation may vary depending on the specific tool or API you are using with Wazuh. 
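
A quick way to check locally which events a like-pattern such as the one above would hide, as an added Python example that is not part of this thread or of Wazuh's own code: it assumes that "*" matches any run of characters, that everything else in the pattern is literal, and that Windows paths compare case-insensitively; the sample processName values are constructed. It also shows why the broad pattern from the reply hides more than the four Desktop paths the question listed.

```python
import re

# Constructed sample data.win.eventdata.processName values (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Users\ABC\Desktop\WinExecutable.exe",
    r"C:\Users\DEF\Desktop\WinExecutable.exe",
    r"C:\Users\GHI\Downloads\WinExecutable.exe",   # same binary name, other folder
    r"C:\Temp\WinExecutable.exe",                  # same binary name, outside Users
    r"C:\Windows\System32\svchost.exe",
    r"c:\users\jkl\desktop\winexecutable.exe",     # lower-case path variant
]


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a '*' wildcard pattern into an anchored, case-insensitive regex.

    Assumption: this emulates the wildcard semantics described in the thread;
    it is not Wazuh's implementation of the '~' (like) operator.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def split_by_filter(pattern: str, events: list[str]) -> tuple[list[str], list[str]]:
    """Return (hidden, kept): events the exclusion filter would hide vs. leave visible."""
    regex = like_to_regex(pattern)
    hidden = [event for event in events if regex.match(event)]
    kept = [event for event in events if not regex.match(event)]
    return hidden, kept


if __name__ == "__main__":
    # The broad pattern from the reply: anything under C: ending in the binary name.
    for pattern in (r"C:*\WinExecutable.exe", r"C:\Users\*\Desktop\WinExecutable.exe"):
        hidden, kept = split_by_filter(pattern, SAMPLE_EVENTS)
        print(f"pattern {pattern!r}: hides {len(hidden)}, keeps {len(kept)}")
        for event in kept:
            print("  still visible:", event)
```

Running it shows that `C:*\WinExecutable.exe` also hides the Downloads and C:\Temp copies, while the narrower `C:\Users\*\Desktop\WinExecutable.exe` leaves them visible, which is the trade-off to keep in mind when choosing how wide the wildcard should be.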

Chad Linderman

Aug 15, 2023, 10:53:05 AM
to Wazuh mailing list
This is perfect Leandro. I'm a former SQL guy so this is awesome!

Thank you so much.

Chad
