ESQL Bug: ENRICH with Binary Operator != and Cyrillic Filters Not Working

[Gelios7]

Elasticsearch Version

8.15.3

Installed Plugins

No response

Java Version

bundled

OS Version

debian

Problem Description

While using ESQL, the following issues were encountered:

1. Issue with ENRICH and != Binary Operator
   The search stops functioning entirely when combining the ENRICH command with the binary inequality operator (!=).

Example Query:
FROM logs-system.* METADATA _id, _version, _index
| WHERE event.category == "iam" AND winlog.api == "wineventlog" AND event.action == "added-member-to-group"
| ENRICH policy_role_idm ON user.name WITH user.role_name, user.role_type
| WHERE user.role_type != "Multirole"

The above query fails to return results or crashes unexpectedly.

2. Partial Issues with Cyrillic Values in Filters
   Filters using Cyrillic values in WHERE clauses show inconsistent behavior.

Example Queries:

Fails:
| WHERE user.role_name == "Адміністратор WIndows"

Works:
| WHERE user.role_name == "Локальный администратор на ПК"

Expected Behavior
The != operator should work seamlessly with ENRICH.
Filters with Cyrillic (Ukrainian) characters should behave consistently and return expected results.
Actual Behavior
The != operator fails in combination with ENRICH, causing the query to stop functioning.
Filters with specific Cyrillic strings (e.g., Ukrainian characters) do not return expected results.

Steps to Reproduce

1. Run the provided ESQL queries.
2. Observe the inconsistent behavior with != and Cyrillic values.

Logs (if relevant)

No response

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[jackpan123]

@Gelios7 Could you give some curl query for insert test data ? like below:

curl -u elastic:password -HContent-Type:application/json 'localhost:9200/test/_doc?refresh' -d'{"x": 4}'

[Gelios7]

test data in json format for event:

{
  "_index": "test-000162",
  "_id": "Qevq95MBpMpxvyrIHJ23",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@log_hostname": "test01",
    "agent": {
      "hostname": "test01",
      "name": "test01",
      "id": "1612eca3-c228-4fab-8c6d-b5ec010438d4",
      "ephemeral_id": "fb4d25b2-d00b-4fa9-9617-ecae679d223c",
      "type": "winlogbeat",
      "version": "8.14.1"
    },
    "winlog": {
      "computer_name": "test01.test",
      "record_id": "98434589",
      "task": "Security Group Management",
      "event_id": "4732",
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x815e8296"
      },
      "channel": "Security",
      "activity_id": "{d131a39a-3c08-0001-a6a3-31d1083cdb01}",
      "api": "wineventlog",
      "event_data": {
        "SubjectUserName": "test-user1",
        "MemberSid": "S-1-5-21-2151172857-3681106787-1926047232-80501",
        "TargetSid": "S-1-5-32-544",
        "SubjectDomainName": "TEST",
        "MemberName": "tech-user2",
        "SubjectLogonId": "0x815e8296",
        "TargetUserName": "Administrators",
        "TargetDomainName": "Builtin",
        "SubjectUserSid": "S-1-5-21-2151172857-3681106787-1926047232-41868",
        "PrivilegeList": "-"
      },
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "event.logstashed": "2024-12-24T09:05:35.030185Z",
    "log": {
      "level": "information"
    },
    "@proto_type": "test",
    "message": "A member was added to a security-enabled local group.",
    "tags": [
      "test_win",
      "v_test"
    ],
    "@timestamp": "2024-12-24T09:05:25.429Z",
    "ecs": {
      "version": "1.12.0"
    },
    "related": {
      "user": [
        "tech-user2",
        "test-user1"
      ]
    },
    "@log_type": "WINLOGBEAT",
    "host": {
      "hostname": "test01",
      "os": {
        "build": "17763.2928",
        "kernel": "10.0.17763.2928 (WinBuild.160101.0800)",
        "name": "Windows Server 2022 Standard",
        "type": [
          "windows",
          "windows"
        ],
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.1.10"
      ],
      "name": "test01",
      "id": "ed516938-12c3-4a5d-9f66-349c277a7abb",
      "mac": [
        "00-50-56-97-D6-B7"
      ],
      "architecture": "x86_64"
    },
    "@log_source": "test01 @ OS",
    "event": {
      "ingested": "2024-12-24T09:05:35.415150961Z",
      "code": "4732",
      "provider": "Microsoft-Windows-Security-Auditing",
      "kind": "event",
      "created": "2024-12-24T09:05:27.116Z",
      "module": "security",
      "action": "added-member-to-group",
      "category": [
        "iam"
      ],
      "type": [
        "group",
        "change"
      ],
      "outcome": "success"
    },
    "user": {
      "domain": "TEST",
      "name": "test-user1",
      "id": "S-1-5-21-2151172857-3681106787-1926047232-41868",
      "target": {
        "domain": "TEST",
        "name": "tech-user2",
        "group": {
          "domain": "Builtin",
          "name": "Administrators",
          "id": "S-1-5-32-544"
        }
      }
    },
    "event.dataset": "test01 @ OS",
    "group": {
      "domain": "Builtin",
      "name": "Administrators",
      "id": "S-1-5-32-544"
    }
  },
  "fields": {
    "event.category": [
      "iam"
    ],
    "host.os.name.text": [
      "Windows Server 2022 Standard"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "user.target.group.domain": [
      "Builtin"
    ],
    "host.hostname": [
      "test01"
    ],
    "winlog.computer_name": [
      "test01.test"
    ],
    "host.mac": [
      "00-50-56-97-B6-C7"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "98434589"
    ],
    "winlog.logon.id": [
      "0x815e8296"
    ],
    "host.os.name": [
      "Windows Server 2022 Standard"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "test01"
    ],
    "host.name": [
      "test01"
    ],
    "user.target.name.text": [
      "tech-user2"
    ],
    "event.kind": [
      "event"
    ],
    "winlog.activity_id": [
      "{d131a39a-3c08-0001-a6a3-31d1083cdb01}"
    ],
    "event.outcome": [
      "success"
    ],
    "group.name": [
      "Administrators"
    ],
    "winlog.event_data.TargetUserName": [
      "Administrators"
    ],
    "event.logstashed": [
      "2024-12-24T09:05:35.030Z"
    ],
    "host.os.type": [
      "windows",
      "windows"
    ],
    "user.id": [
      "S-1-5-21-2151172857-3681106787-1926047232-41868"
    ],
    "user.target.group.id": [
      "S-1-5-32-544"
    ],
    "agent.hostname": [
      "test01"
    ],
    "related.user": [
      "tech-user2",
      "test-user1"
    ],
    "tags": [
      "test_win",
      "v_test"
    ],
    "user.target.name": [
      "tech-user2"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4732"
    ],
    "agent.id": [
      "1612eca3-c228-4fab-8c6d-b5ec010438d4"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "@log_type": [
      "winlogbeat"
    ],
    "event.created": [
      "2024-12-24T09:05:27.116Z"
    ],
    "agent.version": [
      "8.14.1"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-2151172857-3681106787-1926047232-41868"
    ],
    "user.target.group.name": [
      "Administrators"
    ],
    "winlog.event_data.PrivilegeList": [
      "-"
    ],
    "group.id": [
      "S-1-5-32-544"
    ],
    "user.name": [
      "test-user1"
    ],
    "host.os.build": [
      "17763.2928"
    ],
    "host.ip": [
      "192.168.1.10"
    ],
    "agent.type": [
      "winlogbeat"
    ],
    "winlog.event_data.MemberName": [
      "tech-user2"
    ],
    "event.module": [
      "security"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x815e8296"
    ],
    "winlog.event_data.TargetSid": [
      "S-1-5-32-544"
    ],
    "group.domain": [
      "Builtin"
    ],
    "host.os.kernel": [
      "10.0.17763.2928 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "user.target.domain": [
      "TEST"
    ],
    "@log_source": [
      "test01 @ os"
    ],
    "user.domain": [
      "TEST"
    ],
    "host.id": [
      "ed516938-12c3-4a5d-9f66-349c277a7abb"
    ],
    "@log_hostname": [
      "test01"
    ],
    "winlog.task": [
      "Security Group Management"
    ],
    "winlog.event_data.SubjectUserName": [
      "test-user1"
    ],
    "@proto_type": [
      "test"
    ],
    "message": [
      "A member was added to a security-enabled local group."
    ],
    "winlog.event_id": [
      "4732"
    ],
    "event.action": [
      "added-member-to-group"
    ],
    "event.ingested": [
      "2024-12-24T09:05:35.415Z"
    ],
    "@timestamp": [
      "2024-12-24T09:05:25.429Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "winlog.event_data.MemberSid": [
      "S-1-5-21-2151172857-3681106787-1926047232-80501"
    ],
    "event.type": [
      "group",
      "change"
    ],
    "winlog.event_data.TargetDomainName": [
      "Builtin"
    ],
    "agent.ephemeral_id": [
      "fb4d25b2-d00b-4fa9-9617-ecae679d223c"
    ],
    "winlog.event_data.SubjectDomainName": [
      "TEST"
    ],
    "event.dataset": [
      "test01 @ OS"
    ],
    "user.name.text": [
      "test-user1"
    ]
  }
}

[Gelios7]

test data to enrich policy:

{
  "_index": "policy-role-idm-000001",
  "_id": "8701n186-c9b2-4e85-aef8-60ee8b98a9yy",
  "_version": 39348,
  "_score": 0,
  "_source": {
    "user.uid_person": "8701n186-c9b2-4e85-aef8-60ee8b98a9yy",
    "user.role_name": [
      "Адміністратор WIndows",
      "Администратор проекта"
    ],
    "@proto_type": "JDBC_IDM",
    "@timestamp": "2024-12-25T13:20:17.772312106Z",
    "@log_source": "test @ APP IDM",
    "user.role_type": "Multirole",
    "user.full_name": "Тестовий користувач",
    "user.exit_date": null,
    "user.name": "test-user1",
    "user.is_fired": false,
    "user.role_category": [
      "Рабочее место\\Вход",
      "Cистемы\\Test Systems"
    ]
  },
  "fields": {
    "user.role_type": [
      "Multirole"
    ],
    "user.is_fired": [
      false
    ],
    "@log_source.keyword": [
      "test @ APP IDM"
    ],
    "@proto_type.keyword": [
      "JDBC_IDM"
    ],
    "@proto_type": [
      "JDBC_IDM"
    ],
    "user.name": [
      "test-user1"
    ],
    "user.role_name": [
      "Адміністратор WIndows",
      "Администратор проекта"
    ],
    "@timestamp": [
      "2024-12-25T13:20:17.772Z"
    ],
    "user.role_category": [
      "Рабочее место\\Вход",
      "Cистемы\\Test Systems"
    ],
    "user.full_name": [
      "Тестовий користувач"
    ],
    "@log_source": [
      "test @ APP IDM"
    ],
    "user.uid_person": [
      "8701n186-c9b2-4e85-aef8-60ee8b98a9yy"
    ]
  }
}

[Gelios7]

test data in json format for event another user:

{
  "_index": "test-000162",
  "_id": "3ScP_pMBu5G4XTHybGyy",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@log_hostname": "test02",
    "agent": {
      "hostname": "test02",
      "name": "test02",
      "id": "50ed2562-fe1b-4493-b135-f48b02f30599",
      "ephemeral_id": "b19e1c6b-7387-445b-8b4c-492d86c4910b",
      "type": "winlogbeat",
      "version": "8.14.1"
    },
    "winlog": {
      "computer_name": "test02.test",
      "record_id": "254960473",
      "task": "Security Group Management",
      "event_id": "4732",
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x3e7"
      },
      "channel": "Security",
      "activity_id": "{64f2dfda-5669-0001-e9df-f2646956db01}",
      "api": "wineventlog",
      "event_data": {
        "SubjectUserName": "user2",
        "MemberSid": "S-1-5-21-2151172857-3681106787-1926047232-73940",
        "TargetSid": "S-1-5-32-555",
        "SubjectDomainName": "TEST",
        "MemberName": "tech3",
        "SubjectLogonId": "0x3e7",
        "TargetUserName": "Remote Desktop Users",
        "TargetDomainName": "Builtin",
        "SubjectUserSid": "S-1-5-18",
        "PrivilegeList": "-"
      },
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "event.logstashed": "2024-12-25T13:44:03.833843Z",
    "log": {
      "level": "information"
    },
    "@proto_type": "test",
    "message": "A member was added to a security-enabled local group.",
    "tags": [
      "test_win",
      "v_test"
    ],
    "@timestamp": "2024-12-25T13:43:58.650Z",
    "ecs": {
      "version": "1.12.0"
    },
    "related": {
      "user": [
        "tech3",
        "user2"
      ]
    },
    "@log_type": "WINLOGBEAT",
    "host": {
      "hostname": "test02",
      "os": {
        "build": "20348.2159",
        "kernel": "10.0.20348.2141 (WinBuild.160101.0800)",
        "name": "Windows Server 2022 Standard",
        "type": [
          "windows",
          "windows"
        ],
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.1.20"
      ],
      "name": "test02",
      "id": "33899f9d-a9bf-48df-bfb5-1c26f515c2ca",
      "mac": [
        "00-50-56-BD-53-1T"
      ],
      "architecture": "x86_64"
    },
    "@log_source": "test02 @ OS",
    "event": {
      "ingested": "2024-12-25T13:44:04.017441701Z",
      "code": "4732",
      "provider": "Microsoft-Windows-Security-Auditing",
      "kind": "event",
      "created": "2024-12-25T13:43:59.146Z",
      "module": "security",
      "action": "added-member-to-group",
      "category": [
        "iam"
      ],
      "type": [
        "group",
        "change"
      ],
      "outcome": "success"
    },
    "user": {
      "domain": "TEST",
      "name": "user2",
      "id": "S-1-5-18",
      "target": {
        "domain": "TEST",
        "name": "tech3",
        "group": {
          "domain": "Builtin",
          "name": "Remote Desktop Users",
          "id": "S-1-5-32-555"
        }
      }
    },
    "event.dataset": "test02 @ OS",
    "group": {
      "domain": "Builtin",
      "name": "Remote Desktop Users",
      "id": "S-1-5-32-555"
    }
  },
  "fields": {
    "event.category": [
      "iam"
    ],
    "host.os.name.text": [
      "Windows Server 2022 Standard"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "user.target.group.domain": [
      "Builtin"
    ],
    "host.hostname": [
      "test02"
    ],
    "winlog.computer_name": [
      "test02.test"
    ],
    "host.mac": [
      "00-50-56-DC-53-1T"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "254960473"
    ],
    "winlog.logon.id": [
      "0x3e7"
    ],
    "host.os.name": [
      "Windows Server 2022 Standard"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "test02"
    ],
    "host.name": [
      "test02"
    ],
    "user.target.name.text": [
      "tech3"
    ],
    "event.kind": [
      "event"
    ],
    "winlog.activity_id": [
      "{64f2dfda-5669-0001-e9df-f2646956db01}"
    ],
    "event.outcome": [
      "success"
    ],
    "group.name": [
      "Remote Desktop Users"
    ],
    "winlog.event_data.TargetUserName": [
      "Remote Desktop Users"
    ],
    "event.logstashed": [
      "2024-12-25T13:44:03.833Z"
    ],
    "host.os.type": [
      "windows",
      "windows"
    ],
    "user.id": [
      "S-1-5-18"
    ],
    "user.target.group.id": [
      "S-1-5-32-555"
    ],
    "agent.hostname": [
      "test02"
    ],
    "related.user": [
      "tech3",
      "user2"
    ],
    "tags": [
      "test_win",
      "v_test"
    ],
    "user.target.name": [
      "tech3"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4732"
    ],
    "agent.id": [
      "50ed2562-fe1b-4493-b135-f48b02f30599"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "@log_type": [
      "winlogbeat"
    ],
    "event.created": [
      "2024-12-25T13:43:59.146Z"
    ],
    "agent.version": [
      "8.14.1"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-18"
    ],
    "user.target.group.name": [
      "Remote Desktop Users"
    ],
    "winlog.event_data.PrivilegeList": [
      "-"
    ],
    "group.id": [
      "S-1-5-32-555"
    ],
    "user.name": [
      "user2"
    ],
    "host.os.build": [
      "20348.2159"
    ],
    "host.ip": [
      "192.168.1.20"
    ],
    "agent.type": [
      "winlogbeat"
    ],
    "winlog.event_data.MemberName": [
      "tech3"
    ],
    "event.module": [
      "security"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x3e7"
    ],
    "winlog.event_data.TargetSid": [
      "S-1-5-32-555"
    ],
    "group.domain": [
      "Builtin"
    ],
    "host.os.kernel": [
      "10.0.20348.2141 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "user.target.domain": [
      "TEST"
    ],
    "@log_source": [
      "test02 @ os"
    ],
    "user.domain": [
      "TEST"
    ],
    "host.id": [
      "33899f9d-a9bf-48df-bfb5-1c26f515c2ca"
    ],
    "@log_hostname": [
      "test02"
    ],
    "winlog.task": [
      "Security Group Management"
    ],
    "winlog.event_data.SubjectUserName": [
      "user2"
    ],
    "@proto_type": [
      "test"
    ],
    "message": [
      "A member was added to a security-enabled local group."
    ],
    "winlog.event_id": [
      "4732"
    ],
    "event.action": [
      "added-member-to-group"
    ],
    "event.ingested": [
      "2024-12-25T13:44:04.017Z"
    ],
    "@timestamp": [
      "2024-12-25T13:43:58.650Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "winlog.event_data.MemberSid": [
      "S-1-5-21-2151172857-3681106787-1926047232-73940"
    ],
    "event.type": [
      "group",
      "change"
    ],
    "winlog.event_data.TargetDomainName": [
      "Builtin"
    ],
    "agent.ephemeral_id": [
      "b19e1c6b-7387-445b-8b4c-492d86c4910b"
    ],
    "winlog.event_data.SubjectDomainName": [
      "TEST"
    ],
    "event.dataset": [
      "test02 @ OS"
    ],
    "user.name.text": [
      "user2"
    ]
  }
}

[Gelios7]

When you search without a filter, you get 1000 documents, and when you search with a filter and the binary operator ==, you get 43 documents. After that, if you change the binary operator to !=, the search returns zero results.
Here are the screenshots:

[Gelios7]

I provided examples of logs in json format in the comments on github, as well as several screenshots of productive logs. There are no such test logs, everything is productive. If you still need to generate test data, write and I will try to do it, but in my opinion the test is very simple, the filter for the fields of the enrich policy for exclusion does not work at all. I will say even more, I have not written about this problem yet, but in ESQL the "where" filter works with bugs, for example, I have a separate example, when depending on where the "where" filter is placed in the middle of the code or at the end, the output result is different, despite the fact that the logic of use is correct, also the "where" filter does not work correctly with the "tags" field, when filtering values, the query stops working correctly. вт, 7 січ. 2025 р. о 04:01 Jack Pan ***@***.***> пише:

…

"event": { "ingested": "2024-12-24T09:05:35.415150961Z", "code": "4732", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "created": "2024-12-24T09:05:27.116Z", "module": "security", "action": "added-member-to-group", "category": [ "iam" ], "type": [ "group", "change" ], "outcome": "success" }, @Gelios7 <https://github.com/Gelios7> Does event field mapping type is 'nested' type? — Reply to this email directly, view it on GitHub <#118283 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BJOXKGVOFXJXKX6HSXZQVS32JMYRBAVCNFSM6AAAAABTJGMTLWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZUGI2DSMBYGU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Gelios7]

[image: image.png]  пт, 10 січ. 2025 р. о 13:10 Рома Меркурий ***@***.***> пише:

…

пт, 10 січ. 2025 р. о 13:01 Рома Меркурий ***@***.***> пише: > I provided examples of logs in json format in the comments on github, as > well as several screenshots of productive logs. There are no such test > logs, everything is productive. If you still need to generate test data, > write and I will try to do it, but in my opinion the test is very simple, > the filter for the fields of the enrich policy for exclusion does not work > at all. I will say even more, I have not written about this problem yet, > but in ESQL the "where" filter works with bugs, for example, I have a > separate example, when depending on where the "where" filter is placed in > the middle of the code or at the end, the output result is different, > despite the fact that the logic of use is correct, also the "where" filter > does not work correctly with the "tags" field, when filtering values, the > query stops working correctly. > > вт, 7 січ. 2025 р. о 04:01 Jack Pan ***@***.***> пише: > >> "event": { >> "ingested": "2024-12-24T09:05:35.415150961Z", >> "code": "4732", >> "provider": "Microsoft-Windows-Security-Auditing", >> "kind": "event", >> "created": "2024-12-24T09:05:27.116Z", >> "module": "security", >> "action": "added-member-to-group", >> "category": [ >> "iam" >> ], >> "type": [ >> "group", >> "change" >> ], >> "outcome": "success" >> }, >> >> @Gelios7 <https://github.com/Gelios7> Does event field mapping type is >> 'nested' type? >> >> — >> Reply to this email directly, view it on GitHub >> <#118283 (comment)>, >> or unsubscribe >> <https://github.com/notifications/unsubscribe-auth/BJOXKGVOFXJXKX6HSXZQVS32JMYRBAVCNFSM6AAAAABTJGMTLWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZUGI2DSMBYGU> >> . >> You are receiving this because you were mentioned.Message ID: >> ***@***.***> >> >

[Gelios7]

During additional testing, it was noticed that when the ENRICH fields contain not just a single value, but an array of values (e.g., AD group names or multiple user role names), filtering these values becomes completely unavailable.

[jackpan123]

@Gelios7 Thank you for your patient explanation. I have a question: how is the enrich policy created in your example, specifically the index named policy_role_idm?