Writing Filters For Rules
This document describes how to create a filter section for your rule config file.
The filters used in rules are part of the Elasticsearch query DSL, further documentation for which can be found at https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html. This document contains a small subset of particularly useful filters.
The filter section is passed to Elasticsearch exactly as follows:
filter:
  and:
    filters:
      - [filters from rule.yaml]
Every result that matches these filters will be passed to the rule for processing.
Common Filter Types:
query_string
The query_string type follows the Lucene query format and can be used for partial or full matches to multiple fields. See http://lucene.apache.org/core/2_9_4/queryparsersyntax.html for more information:
filter:
- query:
    query_string:
      query: "username: bob"
- query:
    query_string:
      query: "_type: login_logs"
- query:
    query_string:
      query: "field: value OR otherfield: othervalue"
- query:
    query_string:
      query: "this: that AND these: those"
term
The term type allows for exact field matches:
filter:
- term:
    name_field: "bob"
- term:
    _type: "login_logs"
Note that a term query may not behave as expected if a field is analyzed. By default, many string fields will be tokenized by whitespace, and a term query for “foo bar” may not match a field that appears to have the value “foo bar”, unless it is not analyzed. Conversely, a term query for “foo” will match analyzed strings “foo bar” and “foo baz”. For full text matching on analyzed fields, use query_string. See https://www.elastic.co/guide/en/elasticsearch/guide/current/term-vs-full-text.html
terms
Terms allows for easy combination of multiple term filters:
filter:
- terms:
    field: ["value1", "value2"] # value1 OR value2
You can also match on multiple fields (All terms must match at least one of the given values):
- terms:
    fieldX: ["value1", "value2"]
- terms:
    fieldY: ["something", "something_else"]
- terms:
    fieldZ: ["foo", "bar", "baz"]
wildcard
For wildcard matches:
filter:
- query:
    wildcard:
      field: "foo*bar"
range
For ranges on fields:
filter:
- range:
    status_code:
      from: 500
      to: 599
Negation, and, or
Below is a more complex example for Elasticsearch 7.x, provided by a community user:
filter:
- term:
    action: order
- terms:
    dining:
    - pickup
    - delivery
- bool:
    # exclude common/expected orders
    must_not:
    # Alice usually gets a pizza
    - bool:
        must: [ {term: {uid: alice}}, {term: {menu_item: pizza}} ]
    # Bob loves his hoagies
    - bool:
        must: [ {term: {uid: bob}}, {term: {menu_item: sandwich}} ]
    # Charlie has a few favorites
    - bool:
        must:
        - term:
            uid: charlie
        - match:
            menu_item: "burrito pasta salad pizza"
EQL (Event Query Language)
EQL is partially supported as of version 2.12.0. To use EQL, include a filter item as follows:
filter:
- eql: any where machine.os == "win 8"
Note that only one eql filter can be defined in a filter.
It is also possible to use standard query filters in combination with EQL filters:
filter:
- eql: any where machine.os == "win 8"
- query:
    query_string:
      query: "test.field: 123"
EQL is only partially supported due to the following limitations:
Cannot be used with aggregation rule types.
Cannot be used with blacklist/whitelist rule types.
Cannot be used with percentage match rule types.
Cannot be used with the use_count_query property.
Does not support scrolling, so large result sets may have unexpected results. Be sure to filter your queries thoroughly to avoid returning excessive numbers of events.
Not supported with OpenSearch
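The term-on-analyzed-field caveat above and the EQL restrictions in this section are easy to get wrong in a rule file, so here is a small lint that checks a loaded rule for them. This is an added example and not part of ElastAlert itself; the sample rule is constructed, and the rule type names in EQL_INCOMPATIBLE_TYPES are assumed identifiers to verify against your installed version.

```python
from typing import Any

# Constructed sample: a rule as loaded from rule.yaml (plain dicts, as PyYAML
# would produce). The filter items mirror the examples in this document.
SAMPLE_RULE: dict[str, Any] = {
    "type": "any", "use_count_query": True,
    "filter": [
        {"term": {"_type": "login_logs"}},
        {"term": {"name_field": "foo bar"}},  # multi-word term value: analyzed-field pitfall
        {"query": {"query_string": {"query": "username: bob"}}},
        {"eql": 'any where machine.os == "win 8"'},
        {"eql": 'any where machine.os == "win 7"'},  # second eql item: not allowed
    ],
}

# Rule types this document says cannot be combined with an eql filter
# (assumed type identifiers; check them against your ElastAlert version).
EQL_INCOMPATIBLE_TYPES = {"blacklist", "whitelist", "percentage_match"}

def lint_filters(filters: list[dict[str, Any]]) -> list[str]:
    """Return warnings for filter items that hit the caveats described above."""
    warnings: list[str] = []
    eql_count = 0
    for i, item in enumerate(filters):
        if not isinstance(item, dict) or len(item) != 1:
            warnings.append(f"filter[{i}]: each item must be a single-key mapping")
            continue
        (kind, body), = item.items()
        if kind == "eql":
            eql_count += 1
        elif kind == "term":
            for field, value in body.items():
                if isinstance(value, str) and len(value.split()) > 1:
                    warnings.append(
                        f"filter[{i}]: term on '{field}' with multi-word value {value!r}"
                        " may not match an analyzed field; consider query_string")
    if eql_count > 1:
        warnings.append("only one eql filter can be defined in a filter")
    return warnings

def lint_rule(rule: dict[str, Any]) -> list[str]:
    # Filter-level lint plus the rule-level EQL restrictions from this document.
    filters = rule.get("filter", [])
    warnings = lint_filters(filters)
    if any("eql" in f for f in filters if isinstance(f, dict)):
        if rule.get("type") in EQL_INCOMPATIBLE_TYPES:
            warnings.append(f"eql cannot be used with rule type '{rule['type']}'")
        if rule.get("use_count_query"):
            warnings.append("eql cannot be used with use_count_query")
    return warnings
```

Running `lint_rule(SAMPLE_RULE)` reports the multi-word term value, the duplicate eql item and the use_count_query conflict.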