Frank Hassanabad FrankHassanabad

  • https://radicl.com/
  • Boulder, Co
FrankHassanabad / nested_kql_testing
Last active June 16, 2020 22:07
Tests around Nesting and KQL with references
#
# Create two mappings, one with nesting and one without:
#
# Optionally clean up any old index data
DELETE /delme-test-categories
DELETE /delme-test-categories2
# Without nesting
PUT /delme-test-categories
FrankHassanabad / queries_const_keyword.json
Last active May 28, 2021 16:02
Elastic Queries with aliases const keyword and non-const keyword
# Mapping with a "constant_keyword" for "data_stream.dataset"
# Mapping with an alias from "event.dataset" -> "data_stream.dataset"
DELETE const-keyword-frank-delme-1
PUT const-keyword-frank-delme-1
{
"mappings": {
"dynamic":"false",
"properties": {
"@timestamp": {
"type": "date"
FrankHassanabad / slow_data_stream_runtimefields.json
Created May 28, 2021 22:34
Slow queries using runtime fields to split against "data_stream.dataset" to create "event.module"
# Create an index which has a runtime field to do a split against a "constant_keyword"
# of "data_stream.dataset" and use the first value found as the "event.module"
# I add an additional "host.name" type of keyword to compare
# * Profile of aggregating against the runtime field which does a split against the "constant_keyword"
# * Profile of aggregating against the const_keyword
# * Profile of aggregating against a normal keyword
# * Profile against a field alias against the "constant_keyword" field
DELETE const-logs-frank-delme-1
PUT const-logs-frank-delme-1
{
FrankHassanabad / per_test_const_keyword_alias.json
Last active June 1, 2021 16:01
Perf testing across const keyword and regular keyword and aliases
# Adds an index for testing where we can test across:
# * keyword
# * const keyword
# * And a corner case where someone reindexes non-compatible const data into const data from _source.
DELETE const-logs-frank-delme-2
PUT const-logs-frank-delme-2
{
"mappings": {
"dynamic": "false",
FrankHassanabad / doc_valuefields.test.md
Last active June 2, 2021 19:06
Mixing docvalue_fields with fields can lead to unexpected results

I want to return @timestamp in a different format such as "YYYY", but am mixing together docvalue_fields with fields. It looks like fields takes priority over docvalue_fields.

Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-fields.html

We might have a slight bug here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts#L109-L125

Where we mix these two. I test this by trying to override the date times below, but it only works when we remove docvalue_fields and do not mix it with fields.

FrankHassanabad / runtimefields_dots.md
Last active June 7, 2021 17:44
Elasticsearch runtime fields are very loose and liberal with dots for field names.

Steps are: add a simple static mapping:

# Add our mapping of just a keyword called "test"
DELETE frank-test-delme-5
PUT frank-test-delme-5
{
  "mappings": {
    "dynamic": "false",
    "properties": {
 "test": {
FrankHassanabad / shadowing_runtimefields.md
Last active June 9, 2021 18:29
Shadowing runtime fields
# Add a mapping with a text field
DELETE frank-test-delme-6
PUT frank-test-delme-6
{
  "mappings": {
    "dynamic": "strict",
    "properties": {
      "@timestamp": {
FrankHassanabad / behavioral_bug_aggs_terms.json
Last active July 8, 2021 00:14
Behavioral bug between the terms_enum and terms_agg for the KQL bar.
# New behavior which does NOT allow us to use "-*elastic-cloud-logs-*" to subtract if no such index exists.
# Instead this blows up with a 404 error, which cascades into a 500 internal server error
POST /auditbeat-*,filebeat-*,logs-*,winlogbeat-*,-*elastic-cloud-logs-*/_terms_enum
{
"field": "host.name",
"string": "",
"index_filter": {
"bool": {
"must": [
{
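The gist above stops at the truncated request body, so here is an added, stand-alone illustration (my own code, not from the gist and not Kibana's actual fix) of the workaround a caller could apply before issuing `_terms_enum`: resolve the comma-separated index target against the indices that actually exist and drop any `-` exclusion that matches nothing, since that exclusion is what turns into the 404. The index names, the `sanitize_target`/`resolve_indices` helper names and the `build_terms_enum_request` shape are all assumptions for this example; only the target string and the `host.name` field come from the gist.

```python
"""Pre-flight an Elasticsearch index target before calling _terms_enum.

Hypothetical workaround for the behaviour described in the gist: a
'-pattern' exclusion that matches no existing index makes _terms_enum
return 404. Strip such exclusions before sending the request.
"""
import re
from typing import Iterable

# Target string taken from the gist's request path.
TARGET = "auditbeat-*,filebeat-*,logs-*,winlogbeat-*,-*elastic-cloud-logs-*"

# Constructed sample inventories of existing indices (not real cluster data).
WITHOUT_CLOUD = ["filebeat-7.13.0", "logs-system.syslog-default", "winlogbeat-7.13.0"]
WITH_CLOUD = WITHOUT_CLOUD + ["logs-elastic-cloud-logs-2021.07"]


def wildcard_match(pattern: str, name: str) -> bool:
    """Elasticsearch index patterns only treat '*' as a wildcard.

    Everything else is literal, so translate '*' to '.*' and escape the rest
    rather than using fnmatch (which would also interpret '?' and '[...]').
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def split_target(target: str) -> list[str]:
    """Split a comma-separated index target, ignoring empty entries."""
    return [p.strip() for p in target.split(",") if p.strip()]


def resolve_indices(target: str, existing: Iterable[str]) -> set[str]:
    """Simulate left-to-right include/exclude resolution of an index target.

    Positive patterns add matching indices; '-' patterns remove matches from
    what was selected so far. This is a simplification of Elasticsearch's
    own resolution but enough to check that sanitising preserves the result.
    """
    names = list(existing)
    selected: set[str] = set()
    for pattern in split_target(target):
        if pattern.startswith("-"):
            selected -= {n for n in names if wildcard_match(pattern[1:], n)}
        else:
            selected |= {n for n in names if wildcard_match(pattern, n)}
    return selected


def sanitize_target(target: str, existing: Iterable[str]) -> str:
    """Drop '-' exclusions that match no existing index; keep order otherwise.

    Removing a dead exclusion cannot change which indices are selected, so
    the sanitised target is equivalent but no longer trips the 404.
    """
    names = list(existing)
    kept: list[str] = []
    for pattern in split_target(target):
        if pattern.startswith("-") and not any(wildcard_match(pattern[1:], n) for n in names):
            continue  # exclusion matches nothing: leave it out
        kept.append(pattern)
    return ",".join(kept)


def build_terms_enum_request(target: str, field: str, prefix: str = "") -> tuple[str, dict]:
    """Return the (path, body) pair for a _terms_enum call on a sanitised target."""
    return f"/{target}/_terms_enum", {"field": field, "string": prefix}


if __name__ == "__main__":
    # With no cloud-logs index present the exclusion is stripped.
    path, body = build_terms_enum_request(sanitize_target(TARGET, WITHOUT_CLOUD), "host.name")
    print(path, body)
```

The check to keep in mind is the last assertion below: the sanitised target must resolve to exactly the same index set as the original, otherwise the workaround has changed the query rather than just avoided the error.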
FrankHassanabad / microsoft_co_pilot_do_do_dream_of_sheep.md
Last active July 8, 2021 17:05
Microsoft co-pilot, do you dream of sheep?

Public gist of Microsoft co-pilot and the interesting things it will return, for entertainment value. I choose the best few examples from the co-pilot suggestions and add them here. These are all TypeScript examples. I do cherry-pick the examples and do not just take the first one found.

What does co-pilot dream of?

Starting text:

// return a string of a dream 
export const dreamString = () => {
FrankHassanabad / legacy_notification.json
Created September 22, 2021 20:19
Legacy notification system, actions side car
# Get the alerts of alert type "siem.notifications", which is part of the legacy system.
GET .kibana-hassanabad22/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}