parent
a1100bb770
commit
c0fa582df4
|
@ -211,17 +211,17 @@ buildRestTests.setups['sec_logs'] = '''
|
||||||
refresh: true
|
refresh: true
|
||||||
body: |
|
body: |
|
||||||
{"index":{}}
|
{"index":{}}
|
||||||
{"@timestamp": "2020-12-06T11:04:05.000Z", "event": { "category": "process", "id": "edwCRnyD", "sequence": 1 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
|
{"@timestamp": "2099-12-06T11:04:05.000Z", "event": { "category": "process", "id": "edwCRnyD", "sequence": 1 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
|
||||||
{"index":{}}
|
{"index":{}}
|
||||||
{"@timestamp": "2020-12-06T11:04:07.000Z", "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\\\Windows\\\\System32\\\\cmd.exe", "type": "file", "size": 16384 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
|
{"@timestamp": "2099-12-06T11:04:07.000Z", "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2099-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\\\Windows\\\\System32\\\\cmd.exe", "type": "file", "size": 16384 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
|
||||||
{"index":{}}
|
{"index":{}}
|
||||||
{"@timestamp": "2020-12-07T11:06:07.000Z", "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" } }
|
{"@timestamp": "2099-12-07T11:06:07.000Z", "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" } }
|
||||||
{"index":{}}
|
{"index":{}}
|
||||||
{"@timestamp": "2020-12-07T11:07:08.000Z", "event": { "category": "file", "id": "bYA7gPay", "sequence": 4 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\\\Windows\\\\System32\\\\cmd.exe", "type": "file", "size": 16384 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" } }
|
{"@timestamp": "2099-12-07T11:07:09.000Z", "event": { "category": "process", "id": "aR3NWVOs", "sequence": 4 }, "process": { "pid": 2012, "name": "regsvr32.exe", "command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}
|
||||||
{"index":{}}
|
{"index":{}}
|
||||||
{"@timestamp": "2020-12-07T11:07:09.000Z", "event": { "category": "process", "id": "aR3NWVOs", "sequence": 5 }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}
|
{"@timestamp": "2099-12-07T11:07:10.000Z", "event": { "category": "file", "id": "tZ1NWVOs", "sequence": 5 }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }, "file": { "path": "C:\\\\Windows\\\\System32\\\\scrobj.dll", "name": "scrobj.dll" }}
|
||||||
{"index":{}}
|
{"index":{}}
|
||||||
{"@timestamp": "2020-12-07T11:07:10.000Z", "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}'''
|
{"@timestamp": "2099-12-07T11:07:10.000Z", "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}'''
|
||||||
|
|
||||||
buildRestTests.setups['host'] = '''
|
buildRestTests.setups['host'] = '''
|
||||||
# Fetch the http host. We use the host of the master because we know there will always be a master.
|
# Fetch the http host. We use the host of the master because we know there will always be a master.
|
||||||
|
|
|
@ -490,9 +490,9 @@ Original JSON body passed for the event at index time.
|
||||||
===== Basic query example
|
===== Basic query example
|
||||||
|
|
||||||
The following EQL search request searches for events with an `event.category` of
|
The following EQL search request searches for events with an `event.category` of
|
||||||
`file` that meet the following conditions:
|
`process` that meet the following conditions:
|
||||||
|
|
||||||
* A `file.name` of `cmd.exe`
|
* A `process.name` of `cmd.exe`
|
||||||
* An `process.pid` other than `2013`
|
* An `process.pid` other than `2013`
|
||||||
|
|
||||||
[source,console]
|
[source,console]
|
||||||
|
@ -500,7 +500,7 @@ The following EQL search request searches for events with an `event.category` of
|
||||||
GET /my-index-000001/_eql/search
|
GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
file where (file.name == "cmd.exe" and process.pid != 2013)
|
process where (process.name == "cmd.exe" and process.pid != 2013)
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -532,52 +532,38 @@ the events in ascending, lexicographic order.
|
||||||
{
|
{
|
||||||
"_index": "my-index-000001",
|
"_index": "my-index-000001",
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "fwGeywNsBl8Y9Ys1x51b",
|
"_id": "babI3XMBI9IjHuIqU0S_",
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-06T11:04:07.000Z",
|
"@timestamp": "2099-12-06T11:04:05.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "file",
|
"category": "process",
|
||||||
"id": "dGCHwoeS",
|
"id": "edwCRnyD",
|
||||||
"sequence": 2,
|
"sequence": 1
|
||||||
},
|
|
||||||
"file": {
|
|
||||||
"accessed": "2020-12-07T11:07:08.000Z",
|
|
||||||
"name": "cmd.exe",
|
|
||||||
"path": "C:\\Windows\\System32\\cmd.exe",
|
|
||||||
"type": "file",
|
|
||||||
"size": 16384
|
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
|
"pid": 2012,
|
||||||
"name": "cmd.exe",
|
"name": "cmd.exe",
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"executable": "C:\\Windows\\System32\\cmd.exe"
|
||||||
"pid": 2012
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"_index": "my-index-000001",
|
"_index": "my-index-000001",
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "AtOJ4UjUBAAx3XR5kcCM",
|
"_id": "b6bI3XMBI9IjHuIqU0S_",
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:08.000Z",
|
"@timestamp": "2099-12-07T11:06:07.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "file",
|
"category": "process",
|
||||||
"id": "bYA7gPay",
|
"id": "cMyt5SZ2",
|
||||||
"sequence": 4
|
"sequence": 3
|
||||||
},
|
|
||||||
"file": {
|
|
||||||
"accessed": "2020-12-07T11:07:08.000Z",
|
|
||||||
"name": "cmd.exe",
|
|
||||||
"path": "C:\\Windows\\System32\\cmd.exe",
|
|
||||||
"type": "file",
|
|
||||||
"size": 16384
|
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
|
"pid": 2012,
|
||||||
"name": "cmd.exe",
|
"name": "cmd.exe",
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"executable": "C:\\Windows\\System32\\cmd.exe"
|
||||||
"pid": 2012
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -586,8 +572,8 @@ the events in ascending, lexicographic order.
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
// TESTRESPONSE[s/"took": 6/"took": $body.took/]
|
// TESTRESPONSE[s/"took": 6/"took": $body.took/]
|
||||||
// TESTRESPONSE[s/"_id": "fwGeywNsBl8Y9Ys1x51b"/"_id": $body.hits.events.0._id/]
|
// TESTRESPONSE[s/"_id": "babI3XMBI9IjHuIqU0S_"/"_id": $body.hits.events.0._id/]
|
||||||
// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.events.1._id/]
|
// TESTRESPONSE[s/"_id": "b6bI3XMBI9IjHuIqU0S_"/"_id": $body.hits.events.1._id/]
|
||||||
|
|
||||||
[[eql-search-api-sequence-ex]]
|
[[eql-search-api-sequence-ex]]
|
||||||
===== Sequence query example
|
===== Sequence query example
|
||||||
|
@ -651,49 +637,50 @@ shared `process.pid` value for each matching event.
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "AtOJ4UjUBAAx3XR5kcCM",
|
"_id": "AtOJ4UjUBAAx3XR5kcCM",
|
||||||
"_version": 1,
|
"_version": 1,
|
||||||
"_seq_no": 3,
|
"_seq_no": 1,
|
||||||
"_primary_term": 1,
|
"_primary_term": 1,
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:08.000Z",
|
"@timestamp": "2099-12-06T11:04:07.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "file",
|
"category": "file",
|
||||||
"id": "bYA7gPay",
|
"id": "dGCHwoeS",
|
||||||
"sequence": 4
|
"sequence": 2
|
||||||
},
|
},
|
||||||
"file": {
|
"file": {
|
||||||
"accessed": "2020-12-07T11:07:08.000Z",
|
"accessed": "2099-12-07T11:07:08.000Z",
|
||||||
"name": "cmd.exe",
|
"name": "cmd.exe",
|
||||||
"path": "C:\\Windows\\System32\\cmd.exe",
|
"path": "C:\\Windows\\System32\\cmd.exe",
|
||||||
"type": "file",
|
"type": "file",
|
||||||
"size": 16384
|
"size": 16384
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
|
"pid": 2012,
|
||||||
"name": "cmd.exe",
|
"name": "cmd.exe",
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"executable": "C:\\Windows\\System32\\cmd.exe"
|
||||||
"pid": 2012
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"_index": "my-index-000001",
|
"_index": "my-index-000001",
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "yDwnGIJouOYGBzP0ZE9n",
|
"_id": "OQmfCaduce8zoHT93o4H",
|
||||||
"_version": 1,
|
"_version": 1,
|
||||||
"_seq_no": 4,
|
"_seq_no": 3,
|
||||||
"_primary_term": 1,
|
"_primary_term": 1,
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:09.000Z",
|
"@timestamp": "2099-12-07T11:07:09.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "process",
|
"category": "process",
|
||||||
"id": "aR3NWVOs",
|
"id": "aR3NWVOs",
|
||||||
"sequence": 5
|
"sequence": 4
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
|
"pid": 2012,
|
||||||
"name": "regsvr32.exe",
|
"name": "regsvr32.exe",
|
||||||
"executable": "C:\\Windows\\System32\\regsvr32.exe",
|
"command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll",
|
||||||
"pid": 2012
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -705,4 +692,4 @@ shared `process.pid` value for each matching event.
|
||||||
----
|
----
|
||||||
// TESTRESPONSE[s/"took": 6/"took": $body.took/]
|
// TESTRESPONSE[s/"took": 6/"took": $body.took/]
|
||||||
// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
|
// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
|
||||||
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
|
// TESTRESPONSE[s/"_id": "OQmfCaduce8zoHT93o4H"/"_id": $body.hits.sequences.0.events.1._id/]
|
||||||
|
|
|
@ -49,15 +49,16 @@ category field, you must specify it in the search request. See
|
||||||
You can use the <<eql-search-api,EQL search API>> to run an EQL search.
|
You can use the <<eql-search-api,EQL search API>> to run an EQL search.
|
||||||
|
|
||||||
The following request searches `my-index-000001` for events with an
|
The following request searches `my-index-000001` for events with an
|
||||||
`event.category` of `process` and a `process.name` of `cmd.exe`. Each document
|
`event.category` of `process` and a `process.name` of `regsvr32.exe`. Each
|
||||||
in `my-index-000001` includes a `@timestamp` and `event.category` field.
|
document in `my-index-000001` includes a `@timestamp` and `event.category`
|
||||||
|
field.
|
||||||
|
|
||||||
[source,console]
|
[source,console]
|
||||||
----
|
----
|
||||||
GET /my-index-000001/_eql/search
|
GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
process where process.name == "cmd.exe"
|
process where process.name == "regsvr32.exe"
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -88,16 +89,17 @@ ascending order.
|
||||||
"_id": "OQmfCaduce8zoHT93o4H",
|
"_id": "OQmfCaduce8zoHT93o4H",
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-06T11:04:05.000Z",
|
"@timestamp": "2099-12-07T11:07:09.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "process",
|
"category": "process",
|
||||||
"id": "edwCRnyD",
|
"id": "aR3NWVOs",
|
||||||
"sequence": 1
|
"sequence": 4
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
"name": "cmd.exe",
|
"pid": 2012,
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"name": "regsvr32.exe",
|
||||||
"pid": 2012
|
"command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll",
|
||||||
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -107,16 +109,17 @@ ascending order.
|
||||||
"_id": "xLkCaj4EujzdNSxfYLbO",
|
"_id": "xLkCaj4EujzdNSxfYLbO",
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:06:07.000Z",
|
"@timestamp": "2099-12-07T11:07:10.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "process",
|
"category": "process",
|
||||||
"id": "cMyt5SZ2",
|
"id": "GTSmSqgz0U",
|
||||||
"sequence": 3
|
"sequence": 6,
|
||||||
|
"type": "termination"
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
"name": "cmd.exe",
|
"pid": 2012,
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"name": "regsvr32.exe",
|
||||||
"pid": 2012
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -140,14 +143,14 @@ The following EQL search request matches a sequence that:
|
||||||
. Starts with an event with:
|
. Starts with an event with:
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
* An `event.category` of `file`
|
* An `event.category` of `process`
|
||||||
* A `file.name` of `cmd.exe`
|
* A `process.name` of `regsvr32.exe`
|
||||||
--
|
--
|
||||||
. Followed by an event with:
|
. Followed by an event with:
|
||||||
+
|
+
|
||||||
--
|
--
|
||||||
* An `event.category` of `process`
|
* An `event.category` of `file`
|
||||||
* A `process.name` that contains the substring `regsvr32`
|
* A `file.name` that contains the substring `scrobj.dll`
|
||||||
--
|
--
|
||||||
|
|
||||||
[source,console]
|
[source,console]
|
||||||
|
@ -156,8 +159,8 @@ GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
sequence
|
sequence
|
||||||
[ file where file.name == "cmd.exe" ]
|
[ process where process.name == "regsvr32.exe" ]
|
||||||
[ process where stringContains(process.name, "regsvr32") ]
|
[ file where stringContains(file.name, "scrobj.dll") ]
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -184,29 +187,23 @@ The API returns the following response. Matching sequences are included in the
|
||||||
{
|
{
|
||||||
"_index": "my-index-000001",
|
"_index": "my-index-000001",
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "AtOJ4UjUBAAx3XR5kcCM",
|
"_id": "OQmfCaduce8zoHT93o4H",
|
||||||
"_version" : 1,
|
"_version": 1,
|
||||||
"_seq_no" : 3,
|
"_seq_no": 3,
|
||||||
"_primary_term" : 1,
|
"_primary_term": 1,
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:08.000Z",
|
"@timestamp": "2099-12-07T11:07:09.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "file",
|
"category": "process",
|
||||||
"id": "bYA7gPay",
|
"id": "aR3NWVOs",
|
||||||
"sequence": 4
|
"sequence": 4
|
||||||
},
|
},
|
||||||
"file": {
|
|
||||||
"accessed": "2020-12-07T11:07:08.000Z",
|
|
||||||
"name": "cmd.exe",
|
|
||||||
"path": "C:\\Windows\\System32\\cmd.exe",
|
|
||||||
"type": "file",
|
|
||||||
"size": 16384
|
|
||||||
},
|
|
||||||
"process": {
|
"process": {
|
||||||
"name": "cmd.exe",
|
"pid": 2012,
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"name": "regsvr32.exe",
|
||||||
"pid": 2012
|
"command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll",
|
||||||
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -214,21 +211,25 @@ The API returns the following response. Matching sequences are included in the
|
||||||
"_index": "my-index-000001",
|
"_index": "my-index-000001",
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "yDwnGIJouOYGBzP0ZE9n",
|
"_id": "yDwnGIJouOYGBzP0ZE9n",
|
||||||
"_version" : 1,
|
"_version": 1,
|
||||||
"_seq_no" : 4,
|
"_seq_no": 4,
|
||||||
"_primary_term" : 1,
|
"_primary_term": 1,
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:09.000Z",
|
"@timestamp": "2099-12-07T11:07:10.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "process",
|
"category": "file",
|
||||||
"id": "aR3NWVOs",
|
"id": "tZ1NWVOs",
|
||||||
"sequence": 5
|
"sequence": 5
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
|
"pid": 2012,
|
||||||
"name": "regsvr32.exe",
|
"name": "regsvr32.exe",
|
||||||
"executable": "C:\\Windows\\System32\\regsvr32.exe",
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
"pid": 2012
|
},
|
||||||
|
"file": {
|
||||||
|
"path": "C:\\Windows\\System32\\scrobj.dll",
|
||||||
|
"name": "scrobj.dll"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -239,7 +240,7 @@ The API returns the following response. Matching sequences are included in the
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
// TESTRESPONSE[s/"took": 60/"took": $body.took/]
|
// TESTRESPONSE[s/"took": 60/"took": $body.took/]
|
||||||
// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
|
// TESTRESPONSE[s/"_id": "OQmfCaduce8zoHT93o4H"/"_id": $body.hits.sequences.0.events.0._id/]
|
||||||
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
|
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
|
||||||
|
|
||||||
You can use the <<eql-with-maxspan-keywords,`with maxspan` keywords>> to
|
You can use the <<eql-with-maxspan-keywords,`with maxspan` keywords>> to
|
||||||
|
@ -255,8 +256,8 @@ GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
sequence with maxspan=1h
|
sequence with maxspan=1h
|
||||||
[ file where file.name == "cmd.exe" ]
|
[ process where process.name == "regsvr32.exe" ]
|
||||||
[ process where stringContains(process.name, "regsvr32") ]
|
[ file where stringContains(file.name, "scrobj.dll") ]
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -274,8 +275,8 @@ GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
sequence with maxspan=1h
|
sequence with maxspan=1h
|
||||||
[ file where file.name == "cmd.exe" ] by process.pid
|
[ process where process.name == "regsvr32.exe" ] by process.pid
|
||||||
[ process where stringContains(process.name, "regsvr32") ] by process.pid
|
[ file where stringContains(file.name, "scrobj.dll") ] by process.pid
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -291,8 +292,8 @@ GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
sequence by process.pid with maxspan=1h
|
sequence by process.pid with maxspan=1h
|
||||||
[ file where file.name == "cmd.exe" ]
|
[ process where process.name == "regsvr32.exe" ]
|
||||||
[ process where stringContains(process.name, "regsvr32") ]
|
[ file where stringContains(file.name, "scrobj.dll") ]
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
@ -322,29 +323,23 @@ contains the shared `process.pid` value for each matching event.
|
||||||
{
|
{
|
||||||
"_index": "my-index-000001",
|
"_index": "my-index-000001",
|
||||||
"_type": "_doc",
|
"_type": "_doc",
|
||||||
"_id": "AtOJ4UjUBAAx3XR5kcCM",
|
"_id": "OQmfCaduce8zoHT93o4H",
|
||||||
"_version": 1,
|
"_version": 1,
|
||||||
"_seq_no": 3,
|
"_seq_no": 3,
|
||||||
"_primary_term": 1,
|
"_primary_term": 1,
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:08.000Z",
|
"@timestamp": "2099-12-07T11:07:09.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "file",
|
"category": "process",
|
||||||
"id": "bYA7gPay",
|
"id": "aR3NWVOs",
|
||||||
"sequence": 4
|
"sequence": 4
|
||||||
},
|
},
|
||||||
"file": {
|
|
||||||
"accessed": "2020-12-07T11:07:08.000Z",
|
|
||||||
"name": "cmd.exe",
|
|
||||||
"path": "C:\\Windows\\System32\\cmd.exe",
|
|
||||||
"type": "file",
|
|
||||||
"size": 16384
|
|
||||||
},
|
|
||||||
"process": {
|
"process": {
|
||||||
"name": "cmd.exe",
|
"pid": 2012,
|
||||||
"executable": "C:\\Windows\\System32\\cmd.exe",
|
"name": "regsvr32.exe",
|
||||||
"pid": 2012
|
"command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll",
|
||||||
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -357,16 +352,20 @@ contains the shared `process.pid` value for each matching event.
|
||||||
"_primary_term": 1,
|
"_primary_term": 1,
|
||||||
"_score": null,
|
"_score": null,
|
||||||
"_source": {
|
"_source": {
|
||||||
"@timestamp": "2020-12-07T11:07:09.000Z",
|
"@timestamp": "2099-12-07T11:07:10.000Z",
|
||||||
"event": {
|
"event": {
|
||||||
"category": "process",
|
"category": "file",
|
||||||
"id": "aR3NWVOs",
|
"id": "tZ1NWVOs",
|
||||||
"sequence": 5
|
"sequence": 5
|
||||||
},
|
},
|
||||||
"process": {
|
"process": {
|
||||||
|
"pid": 2012,
|
||||||
"name": "regsvr32.exe",
|
"name": "regsvr32.exe",
|
||||||
"executable": "C:\\Windows\\System32\\regsvr32.exe",
|
"executable": "C:\\Windows\\System32\\regsvr32.exe"
|
||||||
"pid": 2012
|
},
|
||||||
|
"file": {
|
||||||
|
"path": "C:\\Windows\\System32\\scrobj.dll",
|
||||||
|
"name": "scrobj.dll"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -377,7 +376,7 @@ contains the shared `process.pid` value for each matching event.
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
// TESTRESPONSE[s/"took": 60/"took": $body.took/]
|
// TESTRESPONSE[s/"took": 60/"took": $body.took/]
|
||||||
// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
|
// TESTRESPONSE[s/"_id": "OQmfCaduce8zoHT93o4H"/"_id": $body.hits.sequences.0.events.0._id/]
|
||||||
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
|
// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
|
||||||
|
|
||||||
You can use the <<eql-until-keyword,`until` keyword>> to specify an expiration
|
You can use the <<eql-until-keyword,`until` keyword>> to specify an expiration
|
||||||
|
@ -393,8 +392,8 @@ GET /my-index-000001/_eql/search
|
||||||
{
|
{
|
||||||
"query": """
|
"query": """
|
||||||
sequence by process.pid with maxspan=1h
|
sequence by process.pid with maxspan=1h
|
||||||
[ file where file.name == "cmd.exe" ]
|
[ process where process.name == "regsvr32.exe" ]
|
||||||
[ process where stringContains(process.name, "regsvr32") ]
|
[ file where stringContains(file.name, "scrobj.dll") ]
|
||||||
until [ process where event.type == "termination" ]
|
until [ process where event.type == "termination" ]
|
||||||
"""
|
"""
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue