Skip to content

Map EQL sequence/join parts to ES requests #49590

New issue
New issue
Closed
Closed
Map EQL sequence/join parts to ES requests#49590
Labels
:Analytics/EQLEQL queryingTeam:QL (Deprecated)Meta label for query languages team
@colings86

Description

@colings86
colings86
opened on Nov 26, 2019

The first part of executing EQL sequences and joins is to map the elements of the sequence/join to ES Search DSL. Each element of the EQL sequence/join will become a separate search request.

Example

Given the rule:

sequence by pid [process where process_name = "evil.exe"] [network where destination_port = 8080]

We would generate two ES Search requests, one for the process events and one for the network events similar to the following (for illustrative purposes, the actual request may be different):

GET index/_search { size: 1000, query: { bool: { must: [ { match: { event.type: process } }, { match: { process_name: evil.exe } } ] } }, sort: [{ pid: asc }, { timestamp: asc }, { _seq_no: asc}] } GET index/_search { size: 1000, query: { bool: { must: [ { match: { event.type: network } }, { match: { destination_port: 8080 } } ] } }, sort: [{ pid: asc }, { timestamp: asc }, { _seq_no: asc}] }

Metadata

Metadata

Assignees

No one assigned

    Labels

    :Analytics/EQLEQL queryingTeam:QL (Deprecated)Meta label for query languages team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions