I want to build a Kibana dashboard with filters that check for a list of phrases with wildcards,
so if any one of these (or multiple) appear in the log field I want it to appear in the dashboard; if not, the dashboard should be empty.
As examples:
net use *
net user user_name * /domain
netsh firewall *
net localgroup *
The goal is to be able to see if a workstation added something to the registry, added a user, mapped a network drive, etc. I want to be able to see if activity on a workstation did one or multiple.
Please tell me this is possible; it would be very cool.
Something like this -
VICTIMWORKSTATION
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
VICTIMWORKSTATION
netsh firewall set service remoteadmin enable
VICTIMWORKSTATION
netsh firewall set service remotedesktop enable
Starting with this query, but it doesn't want to work -
"query": {
"bool": {
"must": [
"wildcard": {
"event_data.CommandLine": "net *"
"wildcard": {
"event_data.CommandLine": "reg *"
"wildcard": {
"event_data.CommandLine": "netsh firewall*"
"wildcard": {
"event_data.CommandLine": "net localgroup *"
"wildcard": {
"event_data.CommandLine": "putty.exe *"
"minimum_should_match": 1
Thanks!!!
I'm stuck...
'should' seems to be perfect for checking for a list of things. BUT can I add a 'NOT' to it? i.e. this won't work -
"query": {
"bool": {
"minimum_should_match": 1,
"should": [
"wildcard": {
"event_data.Suspicious": "net *"
"wildcard": {
"event_data.Suspicious": "reg *"
"must_not": [
"match_phrase": {
"event_data.Suspicious": "reg add HKLM\\SOFTWARE\\Microsoft\\windows\\currentversion\\policies\\system"