Adding a condition in detection engine

Saurabh_Singh1 · April 9, 2020, 1:31pm

Hi Team,
Can we write an elastic query in condition while defining Detection Rule.
I was generating alert using WATCHERS. IT had input , condition and output.
I wanted to replicate this functionality using DETECTION Rule. Can i write elastic query while defining detection rule.

Frank_Hassanabad · April 10, 2020, 1:35pm

As a filter you can. It's a bit different because we are using more visual builders and tucking more of the JSON under the covers but we have buttons such as the "Edit as Query DSL" for advanced usage to see what the queries look like or to edit them directly.

It's always best to try and use KQL with the filters visually where it makes things more readable if you're translating from a watcher like so below:

You can see that I'm saying find all the existence of host.name but I also clicked the "+ Add filter" and added a filter that is doing something similar as well. But if you look at that "Edit as Query DSL" button (after doing an initial save) it gives you a "hatch door" into the query like so:

You can see in the above query, I am querying against everything but using a filter to construct just a plain match phrase.

Once you "save the filter" and then return to the filter you can see what your JSON is going to look like when it lands in Elastic Search. You can also edit that filter value and add most Elastic query information directly to it and it should accept the query. If you get the JSON wrong though, you will begin seeing errors coming back so you lose a lot of safety when editing directly compared to using the visual editors.

You can add as many filters as you want and KQL translates and combines the filters into a ES filter. KQL is a very simple and easier to understand paradigm for a lot of users which is why we adopted it and encourage it.[1]

You can see some test examples of what the translation looks like here:

github.com

elastic/kibana/blob/7.6/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/get_filter.test.ts#L52-L74


const esQuery = getQueryFilter('host.name: linux', 'kuery', [], ['auditbeat-*']);
expect(esQuery).toEqual({
  bool: {
    must: [],
    filter: [
      {
        bool: {
          should: [
            {
              match: {
                'host.name': 'linux',
              },
            },
          ],
          minimum_should_match: 1,
        },
      },
    ],
    should: [],
    must_not: [],

This file has been truncated. show original

However, you shouldn't be limited in how you want to translate and construct your queries. If you want to you can use mostly a single KQL query line with a lot of "AND", "OR", and parenthesis and no filters for example. Or you could go the other way and use a *:* and a lot of filters instead to create your query. You can also use saved queries too:

And if you change the saved query it will pick up your changes. If you delete the saved query it will fall back on the original saved query you created.

It's kind of subjective on readability of how you want to construct the queries.

[1] https://www.elastic.co/guide/en/kibana/current/kuery-query.html

system · May 8, 2020, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.