[DOCS] EQL: Update EQL search response format (#59554) (#59668)

James Rodewig 2020-07-15 17:23:48 -04:00 committed by GitHub
parent 2b70758a05
commit 43481441e9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 106 additions and 82 deletions


@ -18,16 +18,18 @@ event.
[source,console] [source,console]
---- ----
PUT /my_index/_bulk?refresh PUT /my_index/_bulk?refresh
{"index":{"_index" : "my_index", "_id" : "1"}} {"index":{ }}
{ "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "edwCRnyD","sequence": 1 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "edwCRnyD", "sequence": 1 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "my_index", "_id" : "2"}} {"index":{ }}
{ "@timestamp": "2020-12-06T11:04:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-06T11:04:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "my_index", "_id" : "3"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "my_index", "_id" : "4"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "bYA7gPay", "sequence": 4 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "bYA7gPay", "sequence": 4 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "my_index", "_id" : "5"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "aR3NWVOs", "sequence": 5 }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } } { "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "aR3NWVOs", "sequence": 5 }, "process": { "name": "regsvr32.exe", "executable": "C:\\Windows\\System32\\regsvr32.exe" } }
{"index":{ }}
{ "@timestamp": "2020-12-07T11:07:10.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "name": "regsvr32.exe", "executable": "C:\\Windows\\System32\\regsvr32.exe" } }
---- ----
// TESTSETUP // TESTSETUP
//// ////
@ -304,6 +306,7 @@ parameter. If both parameters are specified, only the query parameter is used.
`id`:: `id`::
+ +
-- --
(string)
Identifier for the search. Identifier for the search.
This search ID is only provided if one of the following conditions is met: This search ID is only provided if one of the following conditions is met:
@ -433,10 +436,25 @@ Name of the index containing the event.
`_id`:: `_id`::
(string) (string)
(string)
Unique identifier for the event. Unique identifier for the event.
This ID is only unique within the index. This ID is only unique within the index.
`_version`::
(integer)
Version of the document (event). This version is incremented each time the document is
updated.
`_seq_no`::
(integer)
Sequence number assigned to the document (event).
+
Sequence numbers are used to ensure an older version of a document
doesnt overwrite a newer version. See <<optimistic-concurrency-control>>.
`_primary_term`::
(integer)
Primary term assigned to the document. See <<optimistic-concurrency-control>>.
`_score`:: `_score`::
(float) (float)
Positive 32-bit floating point number used to determine the relevance of the Positive 32-bit floating point number used to determine the relevance of the
@ -445,14 +463,6 @@ Positive 32-bit floating point number used to determine the relevance of the
`_source`:: `_source`::
(object) (object)
Original JSON body passed for the event at index time. Original JSON body passed for the event at index time.
`sort`::
(array)
Array of field values used to sort the event.
+
By default, the first item in the array is the event's
<<eql-search-api-timestamp-field,timestamp value>>, converted to milliseconds
since the https://en.wikipedia.org/wiki/Unix_time[Unix epoch].
====== ======
===== =====
@ -483,14 +493,6 @@ Positive 32-bit floating point number used to determine the relevance of the
`_source`:: `_source`::
(object) (object)
Original JSON body passed for the event at index time. Original JSON body passed for the event at index time.
`sort`::
(array)
Array of field values used to sort the event.
+
By default, the first item in the array is the event's
<<eql-search-api-timestamp-field,timestamp value>>, converted to milliseconds
since the https://en.wikipedia.org/wiki/Unix_time[Unix epoch].
===== =====
==== ====
@ -542,7 +544,7 @@ the events in ascending, lexicographic order.
{ {
"_index": "my_index", "_index": "my_index",
"_type": "_doc", "_type": "_doc",
"_id": "2", "_id": "fwGeywNsBl8Y9Ys1x51b",
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-06T11:04:07.000Z", "@timestamp": "2020-12-06T11:04:07.000Z",
@ -563,14 +565,14 @@ the events in ascending, lexicographic order.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
}, },
{ {
"_index": "my_index", "_index": "my_index",
"_type": "_doc", "_type": "_doc",
"_id": "4", "_id": "AtOJ4UjUBAAx3XR5kcCM",
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:08.000Z", "@timestamp": "2020-12-07T11:07:08.000Z",
@ -591,7 +593,7 @@ the events in ascending, lexicographic order.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
} }
@ -600,6 +602,8 @@ the events in ascending, lexicographic order.
} }
---- ----
// TESTRESPONSE[s/"took": 6/"took": $body.took/] // TESTRESPONSE[s/"took": 6/"took": $body.took/]
// TESTRESPONSE[s/"_id": "fwGeywNsBl8Y9Ys1x51b"/"_id": $body.hits.events.0._id/]
// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.events.1._id/]
[[eql-search-api-sequence-ex]] [[eql-search-api-sequence-ex]]
===== Sequence query example ===== Sequence query example
@ -618,7 +622,7 @@ that:
+ +
-- --
* An `event.category` of `process` * An `event.category` of `process`
* A `process.path` that contains the substring `regsvr32` * A `process.executable` that contains the substring `regsvr32`
-- --
These events must also share the same `agent.id` value. These events must also share the same `agent.id` value.
@ -630,11 +634,10 @@ GET /my_index/_eql/search
"query": """ "query": """
sequence by agent.id sequence by agent.id
[ file where file.name == "cmd.exe" and agent.id != "my_user" ] [ file where file.name == "cmd.exe" and agent.id != "my_user" ]
[ process where stringContains(process.path, "regsvr32") ] [ process where stringContains(process.executable, "regsvr32") ]
""" """
} }
---- ----
// TEST[s/search/search\?filter_path\=\-\*\.sequences\.\*events\.\*fields/]
The API returns the following response. The `hits.sequences.join_keys` property The API returns the following response. The `hits.sequences.join_keys` property
contains the shared `agent.id` value for each matching event. Matching events in contains the shared `agent.id` value for each matching event. Matching events in
@ -667,7 +670,10 @@ the events in ascending, lexicographic order.
{ {
"_index": "my_index", "_index": "my_index",
"_type": "_doc", "_type": "_doc",
"_id": "4", "_id": "AtOJ4UjUBAAx3XR5kcCM",
"_version": 1,
"_seq_no": 3,
"_primary_term": 1,
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:08.000Z", "@timestamp": "2020-12-07T11:07:08.000Z",
@ -688,14 +694,17 @@ the events in ascending, lexicographic order.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
}, },
{ {
"_index": "my_index", "_index": "my_index",
"_type": "_doc", "_type": "_doc",
"_id": "5", "_id": "yDwnGIJouOYGBzP0ZE9n",
"_version": 1,
"_seq_no": 4,
"_primary_term": 1,
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:09.000Z", "@timestamp": "2020-12-07T11:07:09.000Z",
@ -709,7 +718,7 @@ the events in ascending, lexicographic order.
}, },
"process": { "process": {
"name": "regsvr32.exe", "name": "regsvr32.exe",
"path": "C:\\Windows\\System32\\regsvr32.exe" "executable": "C:\\Windows\\System32\\regsvr32.exe"
} }
} }
} }
@ -720,4 +729,5 @@ the events in ascending, lexicographic order.
} }
---- ----
// TESTRESPONSE[s/"took": 6/"took": $body.took/] // TESTRESPONSE[s/"took": 6/"took": $body.took/]
// TESTRESPONSE[skip: response format updated] // TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]


@ -23,18 +23,18 @@ The following <<docs-bulk,bulk API>> request adds some example log data to the
[source,console] [source,console]
---- ----
PUT /sec_logs/_bulk?refresh PUT /sec_logs/_bulk?refresh
{"index":{"_index" : "sec_logs", "_id" : "1"}} {"index":{ }}
{ "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "edwCRnyD","sequence": 1 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "edwCRnyD", "sequence": 1 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs", "_id" : "2"}} {"index":{ }}
{ "@timestamp": "2020-12-06T11:04:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-06T11:04:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs", "_id" : "3"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs", "_id" : "4"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "bYA7gPay", "sequence": 4 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "file", "id": "bYA7gPay", "sequence": 4 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe", "type": "file", "size": 16384 }, "process": { "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs", "_id" : "5"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "aR3NWVOs", "sequence": 5 }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } } { "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "aR3NWVOs", "sequence": 5 }, "process": { "name": "regsvr32.exe", "executable": "C:\\Windows\\System32\\regsvr32.exe" } }
{"index":{"_index" : "sec_logs", "_id" : "6"}} {"index":{ }}
{ "@timestamp": "2020-12-07T11:07:10.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } } { "@timestamp": "2020-12-07T11:07:10.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "name": "regsvr32.exe", "executable": "C:\\Windows\\System32\\regsvr32.exe" } }
---- ----
// TESTSETUP // TESTSETUP
@ -88,7 +88,7 @@ https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "1", "_id": "OQmfCaduce8zoHT93o4H",
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-06T11:04:05.000Z", "@timestamp": "2020-12-06T11:04:05.000Z",
@ -102,14 +102,14 @@ https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
}, },
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "3", "_id": "xLkCaj4EujzdNSxfYLbO",
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:06:07.000Z", "@timestamp": "2020-12-07T11:06:07.000Z",
@ -123,7 +123,7 @@ https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
} }
@ -132,6 +132,8 @@ https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
} }
---- ----
// TESTRESPONSE[s/"took": 60/"took": $body.took/] // TESTRESPONSE[s/"took": 60/"took": $body.took/]
// TESTRESPONSE[s/"_id": "OQmfCaduce8zoHT93o4H"/"_id": $body.hits.events.0._id/]
// TESTRESPONSE[s/"_id": "xLkCaj4EujzdNSxfYLbO"/"_id": $body.hits.events.1._id/]
==== ====
[discrete] [discrete]
@ -170,7 +172,6 @@ GET /sec_logs/_eql/search
""" """
} }
---- ----
// TEST[s/search/search\?filter_path\=\-\*\.sequences\.events\.\*fields/]
The API returns the following response. Matching events in The API returns the following response. Matching events in
the `hits.sequences.events` property are sorted by the `hits.sequences.events` property are sorted by
@ -195,7 +196,10 @@ the https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "4", "_id": "AtOJ4UjUBAAx3XR5kcCM",
"_version" : 1,
"_seq_no" : 3,
"_primary_term" : 1,
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:08.000Z", "@timestamp": "2020-12-07T11:07:08.000Z",
@ -216,14 +220,17 @@ the https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
}, },
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "5", "_id": "yDwnGIJouOYGBzP0ZE9n",
"_version" : 1,
"_seq_no" : 4,
"_primary_term" : 1,
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:09.000Z", "@timestamp": "2020-12-07T11:07:09.000Z",
@ -237,7 +244,7 @@ the https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
}, },
"process": { "process": {
"name": "regsvr32.exe", "name": "regsvr32.exe",
"path": "C:\\Windows\\System32\\regsvr32.exe" "executable": "C:\\Windows\\System32\\regsvr32.exe"
} }
} }
} }
@ -248,7 +255,8 @@ the https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
} }
---- ----
// TESTRESPONSE[s/"took": 60/"took": $body.took/] // TESTRESPONSE[s/"took": 60/"took": $body.took/]
// TESTRESPONSE[skip: response format updated] // TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
You can use the <<eql-with-maxspan-keywords,`with maxspan` keywords>> to You can use the <<eql-with-maxspan-keywords,`with maxspan` keywords>> to
constrain a sequence to a specified timespan. constrain a sequence to a specified timespan.
@ -268,7 +276,6 @@ GET /sec_logs/_eql/search
""" """
} }
---- ----
// TEST[s/search/search\?filter_path\=\-\*\.sequences\.events\.\*fields/]
You can further constrain matching event sequences using the You can further constrain matching event sequences using the
<<eql-by-keyword,`by` keyword>>. <<eql-by-keyword,`by` keyword>>.
@ -303,7 +310,6 @@ GET /sec_logs/_eql/search
""" """
} }
---- ----
// TEST[s/search/search\?filter_path\=\-\*\.sequences\.\*events\.\*fields/]
The API returns the following response. The `hits.sequences.join_keys` property The API returns the following response. The `hits.sequences.join_keys` property
contains the shared `agent.id` value for each matching event. contains the shared `agent.id` value for each matching event.
@ -329,7 +335,10 @@ contains the shared `agent.id` value for each matching event.
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "4", "_id": "AtOJ4UjUBAAx3XR5kcCM",
"_version": 1,
"_seq_no": 3,
"_primary_term": 1,
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:08.000Z", "@timestamp": "2020-12-07T11:07:08.000Z",
@ -350,14 +359,17 @@ contains the shared `agent.id` value for each matching event.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
}, },
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "5", "_id": "yDwnGIJouOYGBzP0ZE9n",
"_version": 1,
"_seq_no": 4,
"_primary_term": 1,
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:07:09.000Z", "@timestamp": "2020-12-07T11:07:09.000Z",
@ -371,7 +383,7 @@ contains the shared `agent.id` value for each matching event.
}, },
"process": { "process": {
"name": "regsvr32.exe", "name": "regsvr32.exe",
"path": "C:\\Windows\\System32\\regsvr32.exe" "executable": "C:\\Windows\\System32\\regsvr32.exe"
} }
} }
} }
@ -382,7 +394,8 @@ contains the shared `agent.id` value for each matching event.
} }
---- ----
// TESTRESPONSE[s/"took": 60/"took": $body.took/] // TESTRESPONSE[s/"took": 60/"took": $body.took/]
// TESTRESPONSE[skip: response format updated] // TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
You can use the <<eql-until-keyword,`until` keyword>> to specify an expiration You can use the <<eql-until-keyword,`until` keyword>> to specify an expiration
event for sequences. Matching sequences must end before this event. event for sequences. Matching sequences must end before this event.
@ -403,7 +416,6 @@ GET /sec_logs/_eql/search
""" """
} }
---- ----
// TEST[s/search/search\?filter_path\=\-\*\.sequences\.\*events\.\*fields/]
==== ====
[discrete] [discrete]
@ -480,7 +492,7 @@ GET /sec_logs/_eql/search
{ {
"tiebreaker_field": "event.id", "tiebreaker_field": "event.id",
"query": """ "query": """
process where process.name == "cmd.exe" and stringContains(process.path, "System32") process where process.name == "cmd.exe" and stringContains(process.executable, "System32")
""" """
} }
---- ----
@ -501,10 +513,10 @@ The API returns the following response.
"relation": "eq" "relation": "eq"
}, },
"events": [ "events": [
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "1", "_id": "OQmfCaduce8zoHT93o4H",
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-06T11:04:05.000Z", "@timestamp": "2020-12-06T11:04:05.000Z",
@ -518,14 +530,14 @@ The API returns the following response.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
} }
}, },
{ {
"_index": "sec_logs", "_index": "sec_logs",
"_type": "_doc", "_type": "_doc",
"_id": "3", "_id": "xLkCaj4EujzdNSxfYLbO",
"_score": null, "_score": null,
"_source": { "_source": {
"@timestamp": "2020-12-07T11:06:07.000Z", "@timestamp": "2020-12-07T11:06:07.000Z",
@ -539,15 +551,17 @@ The API returns the following response.
}, },
"process": { "process": {
"name": "cmd.exe", "name": "cmd.exe",
"path": "C:\\Windows\\System32\\cmd.exe" "executable": "C:\\Windows\\System32\\cmd.exe"
} }
}
} }
}
] ]
} }
} }
---- ----
// TESTRESPONSE[s/"took": 34/"took": $body.took/] // TESTRESPONSE[s/"took": 34/"took": $body.took/]
// TESTRESPONSE[s/"_id": "OQmfCaduce8zoHT93o4H"/"_id": $body.hits.events.0._id/]
// TESTRESPONSE[s/"_id": "xLkCaj4EujzdNSxfYLbO"/"_id": $body.hits.events.1._id/]
==== ====
@ -852,11 +866,11 @@ search API's `case_sensitive` parameter to toggle case sensitivity on or off.
[%collapsible] [%collapsible]
==== ====
The following search request contains a query that matches `process` events The following search request contains a query that matches `process` events
with a `process.path` containing `System32`. with a `process.executable` containing `System32`.
Because the `case_sensitive` parameter is `true`, this query only matches Because the `case_sensitive` parameter is `true`, this query only matches
`process.path` values containing `System32` with the exact same capitalization. `process.executable` values containing `System32` with the exact same capitalization.
A `process.path` value containing `system32` or `SYSTEM32` would not match this A `process.executable` value containing `system32` or `SYSTEM32` would not match this
query. query.
[source,console] [source,console]
@ -866,7 +880,7 @@ GET /sec_logs/_eql/search
"keep_on_completion": true, "keep_on_completion": true,
"case_sensitive": true, "case_sensitive": true,
"query": """ "query": """
process where stringContains(process.path, "System32") process where stringContains(process.executable, "System32")
""" """
} }
---- ----