@ijokarumawak
Created July 26, 2021 08:43
EQL example.

Set up a Data Stream

# Delete the stream in order to clear old data (returns 404 on the first run; harmless)
DELETE _data_stream/my-event-stream

# Define a template. "data_stream": {} marks matching indices as data stream backing
# indices and makes Elasticsearch add the @timestamp date mapping that EQL requires.
# The empty "template" body leaves every other field to dynamic mapping; for a
# production stream, map event.category, process.name and process.entity_id
# explicitly as keyword (ECS style) so the category filter and join keys are exact.
PUT /_index_template/my-event-stream-template
{
  "index_patterns": [
    "my-event-stream*"
  ],
  "data_stream": {},
  "template": {
  },
  "priority": 500
}

Data set

# Data streams are append-only: bulk requests to them accept only the "create" action.
# Entity 100 is the suspicious process, entity 200 is a benign control that should not match.
POST my-event-stream/_bulk
{"create":{}}
{"@timestamp": "2021-07-26T17:05:00+09:00", "event": {"category": "process", "type": "start"}, "process": {"name": "msxsl.exe", "entity_id": "100"}}
{"create":{}}
{"@timestamp": "2021-07-26T17:05:01+09:00", "event": {"category": "network", "type": "connection"}, "process": {"name": "msxsl.exe", "entity_id": "100"}, "network": {"direction": "outgoing"}}
{"create":{}}
{"@timestamp": "2021-07-26T17:05:02+09:00", "event": {"category": "process", "type": "start"}, "process": {"name": "other_tool.exe", "entity_id": "200"}}
{"create":{}}
{"@timestamp": "2021-07-26T17:05:03+09:00", "event": {"category": "network", "type": "connection"}, "process": {"name": "other_tool.exe", "entity_id": "200"}, "network": {"direction": "outgoing"}}

MsXsl Making Network Connections

msxsl.exe is Microsoft's command-line XSLT processor. It is a known living-off-the-land binary because an XSL stylesheet can carry script that msxsl.exe will execute, so a freshly started msxsl.exe that then opens an outbound connection is worth a look.

GET /my-event-stream/_eql/search
{
  "query": """
sequence by process.entity_id, process.name
  [process where
    event.type in ("start", "process_started") and
    process.name : "msxsl.exe"]
  [network where
    event.type == "connection" and
    network.direction == "outgoing"
  ]
"""}

How to read the query: `process where` and `network where` filter on event.category, and `sequence by process.entity_id, process.name` only joins a process event with a network event that carries the same entity_id and name, which is what ties the connection to the specific msxsl.exe instance rather than to any process of that name. Events must match in @timestamp order, so a connection logged before the start event does not complete the sequence. The `in` list accepts either event.type vocabulary for process creation, and `:` is a case-insensitive string match, so `MSXSL.EXE` matches too. Because no `with maxspan=` is set, the window between the two events is unbounded; in a real rule bound it (for example a few minutes) so a connection hours after the start is not paired with it.