[DOCS] EQL: Add diagrams for sequence matching (#65898) (#65940)

James Rodewig 2020-12-07 08:39:41 -05:00 committed by GitHub
parent d562caf9b2
commit 24b48230cc
3 changed files with 130 additions and 43 deletions


@ -766,27 +766,27 @@ order:
[source,js] [source,js]
---- ----
{ "index" : { "_id" : "1" } } { "index" : { "_id": "1" } }
{ "user": { "name": "root" }, "process": { "name": "attrib" }, ...} { "user": { "name": "root" }, "process": { "name": "attrib" }, ...}
{ "index" : { "_id" : "2" } } { "index" : { "_id": "2" } }
{ "user": { "name": "root" }, "process": { "name": "attrib" }, ...} { "user": { "name": "root" }, "process": { "name": "attrib" }, ...}
{ "index" : { "_id" : "3" } } { "index" : { "_id": "3" } }
{ "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...}
{ "index" : { "_id" : "4" } } { "index" : { "_id": "4" } }
{ "user": { "name": "root" }, "process": { "name": "bash" }, ...} { "user": { "name": "root" }, "process": { "name": "bash" }, ...}
{ "index" : { "_id" : "5" } } { "index" : { "_id": "5" } }
{ "user": { "name": "root" }, "process": { "name": "bash" }, ...} { "user": { "name": "root" }, "process": { "name": "bash" }, ...}
{ "index" : { "_id" : "6" } } { "index" : { "_id": "6" } }
{ "user": { "name": "elkbee" }, "process": { "name": "attrib" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "attrib" }, ...}
{ "index" : { "_id" : "7" } } { "index" : { "_id": "7" } }
{ "user": { "name": "root" }, "process": { "name": "attrib" }, ...} { "user": { "name": "root" }, "process": { "name": "attrib" }, ...}
{ "index" : { "_id" : "8" } } { "index" : { "_id": "8" } }
{ "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...}
{ "index" : { "_id" : "9" } } { "index" : { "_id": "9" } }
{ "user": { "name": "root" }, "process": { "name": "cat" }, ...} { "user": { "name": "root" }, "process": { "name": "cat" }, ...}
{ "index" : { "_id" : "10" } } { "index" : { "_id": "10" } }
{ "user": { "name": "elkbee" }, "process": { "name": "cat" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "cat" }, ...}
{ "index" : { "_id" : "11" } } { "index" : { "_id": "11" } }
{ "user": { "name": "root" }, "process": { "name": "cat" }, ...} { "user": { "name": "root" }, "process": { "name": "cat" }, ...}
---- ----
// NOTCONSOLE // NOTCONSOLE
@ -807,81 +807,166 @@ The query's event items correspond to the following states:
* State B: `[process where process.name == "bash"]` * State B: `[process where process.name == "bash"]`
* Complete: `[process where process.name == "cat"]` * Complete: `[process where process.name == "cat"]`
image::images/eql/sequence-state-machine.svg[align="center"]
To find matching sequences, the query uses separate state machines for each To find matching sequences, the query uses separate state machines for each
unique `user.name` value. Pending sequence matches move through each machine's unique `user.name` value. Based on the data set, you can expect two state
states as follows: machines: one for the `root` user and one for `elkbee`.
image::images/eql/separate-state-machines.svg[align="center"]
Pending sequence matches move through each machine's states as follows:
[source,txt] [source,txt]
---- ----
{ "index" : { "_id" : "1" } } { "index" : { "_id": "1" } }
{ "user": { "name": "root" }, "process": { "name": "attrib" }, ...} { "user": { "name": "root" }, "process": { "name": "attrib" }, ...}
// Creates sequence [1] in state A for the "root" user. // Creates sequence [1] in state A for the "root" user.
// //
// root: A=[1] // +------------------------"root"------------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | [1] | | | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "2" } } { "index" : { "_id": "2" } }
{ "user": { "name": "root" }, "process": { "name": "attrib" }, ...} { "user": { "name": "root" }, "process": { "name": "attrib" }, ...}
// Creates sequence [2] in state A for "root", overwriting sequence [1]. // Creates sequence [2] in state A for "root", overwriting sequence [1].
// //
// root: A=[2] // +------------------------"root"------------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | [2] | | | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "3" } } { "index" : { "_id": "3" } }
{ "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...}
// Nothing happens. The "elkbee" user has no pending sequence to move from state A to state B // Nothing happens. The "elkbee" user has no pending sequence to move
// from state A to state B.
{ "index" : { "_id" : "4" } }
{ "user": { "name": "root" }, "process": { "name": "bash" }, ...}
// Sequence [2] moves out of state A for "root". State B for "root" now contains [2, 4]
// State A for "root" is now empty.
// //
// root: A=[] // +-----------------------"elkbee"-----------------------+
// root: B=[2, 4] // | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | | | | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "5" } } { "index" : { "_id": "4" } }
{ "user": { "name": "root" }, "process": { "name": "bash" }, ...}
// Sequence [2] moves out of state A for "root".
// State B for "root" now contains [2, 4].
// State A for "root" is empty.
//
// +------------------------"root"------------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ --> +-----------+ +------------+ |
// | | | | [2, 4] | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id": "5" } }
{ "user": { "name": "root" }, "process": { "name": "bash" }, ...} { "user": { "name": "root" }, "process": { "name": "bash" }, ...}
// Nothing happens. State A is empty for "root". // Nothing happens. State A is empty for "root".
//
// +------------------------"root"------------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | | | [2, 4] | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "6" } } { "index" : { "_id": "6" } }
{ "user": { "name": "elkbee" }, "process": { "name": "attrib" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "attrib" }, ...}
// Creates sequence [6] in state A for "elkbee". // Creates sequence [6] in state A for "elkbee".
// //
// elkbee: A=[6] // +-----------------------"elkbee"-----------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | [6] | | | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "7" } } { "index" : { "_id": "7" } }
{ "user": { "name": "root" }, "process": { "name": "attrib" }, ...} { "user": { "name": "root" }, "process": { "name": "attrib" }, ...}
// Creates sequence [7] in state A for "root". // Creates sequence [7] in state A for "root".
// Sequence [2, 4] remains in state B for "root". // Sequence [2, 4] remains in state B for "root".
// //
// root: A=[7] // +------------------------"root"------------------------+
// root: B=[2, 4] // | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | [7] | | [2, 4] | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "8" } } { "index" : { "_id": "8" } }
{ "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "bash" }, ...}
// Sequence [6, 8] moves to state B for "elkbee". // Sequence [6, 8] moves to state B for "elkbee".
// State A for "elkbee" is now empty. // State A for "elkbee" is now empty.
// //
// elkbee: A=[] // +-----------------------"elkbee"-----------------------+
// elkbee: B=[6, 8] // | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ --> +-----------+ +------------+ |
// | | | | [6, 8] | | | |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "9" } } { "index" : { "_id": "9" } }
{ "user": { "name": "root" }, "process": { "name": "cat" }, ...} { "user": { "name": "root" }, "process": { "name": "cat" }, ...}
// Sequence [2, 4, 9] is complete for "root". // Sequence [2, 4, 9] is complete for "root".
// State B for "root" is now empty. // State B for "root" is now empty.
// Sequence [7] remains in state A. // Sequence [7] remains in state A.
// //
// root: A=[7] // +------------------------"root"------------------------+
// root: B=[] // | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ --> +------------+ |
// | | [7] | | | | [2, 4, 9] |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "10" } } { "index" : { "_id": "10" } }
{ "user": { "name": "elkbee" }, "process": { "name": "cat" }, ...} { "user": { "name": "elkbee" }, "process": { "name": "cat" }, ...}
// Sequence [6, 8, 10] is complete for "elkbee". // Sequence [6, 8, 10] is complete for "elkbee".
// State A and B for "elkbee" are now empty. // State A and B for "elkbee" are now empty.
// //
// elkbee: A=[] // +-----------------------"elkbee"-----------------------+
// elkbee: B=[] // | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ --> +------------+ |
// | | | | | | [6, 8, 10] |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
{ "index" : { "_id" : "11" } } { "index" : { "_id": "11" } }
{ "user": { "name": "root" }, "process": { "name": "cat" }, ...} { "user": { "name": "root" }, "process": { "name": "cat" }, ...}
// Nothing happens. State B for "root" is empty. // Nothing happens.
// The machines for "root" and "elkbee" remain the same.
//
// +------------------------"root"------------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | [7] | | | | [2, 4, 9] |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
//
// +-----------------------"elkbee"-----------------------+
// | +-----------+ +-----------+ +------------+ |
// | | State A | | State B | | Complete | |
// | +-----------+ +-----------+ +------------+ |
// | | | | | | [6, 8, 10] |
// | +-----------+ +-----------+ +------------+ |
// +------------------------------------------------------+
---- ----
==== ====
