Help with term filter

[rn-horreum]

Hi - I need assistance with this the following filter

filter:
- term:
    dst: "*:3389"
- term:
    usr: "*"

What I desire is to filter for logs that have ":3389" at the end of the dst port but also a usr field that contains a value (meaning it can't be empty). So basically a dst port with :3398 AND an existing user in the usr field will cause an alert hit. Can you help with the syntax if what I have so far is not correct?

[jertel]

This is more of an elasticsearch question since it's focused on Elastic/Lucene query syntax. This link may help you: https://discuss.elastic.co/t/elastic-search-query-to-check-if-property-is-empty-non-empty/308290

[rn-horreum]

So I should put "exists" instead of the "*" in my ElastAlert rule yaml ?
Also is the dst field correct using the wildcard?

[jertel]

This is an example based on the Kibana sample eCommerce data, which you can easily modify for your fields.

filter:
  - query:
      wildcard:
        customer_gender: "*ALE"
  - bool: 
      must:
        - exists: 
            field: currency
      must_not:
        - term: 
            currency: ""

Please contact the Elasticsearch community for further help with writing queries.