Analyze Event Tool - Subgraph Extraction?

Elastic Security
1

Hello,
I am trying to find event correlations using eql. For this I am using the eqlplayground.io with everything set to default. I am using the sample query given by eql:

//This is a placeholder query, please feel free to try your own, or use some of the example in the notes tab.

sequence by process.entity_id with maxspan=10s
  [process where process.name : "rundll32.exe" and event.type == "start"]
  [network where process.name : "rundll32.exe" and not cidrmatch(destination.ip, "10.0.0.0/8",  "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Once the event matches, the resulting analyze event 3D graph generated is:

Screenshot 2022-10-20 at 11.15.02 PM
Screenshot 2022-10-20 at 11.15.02 PM1892×978 85.3 KB

I have the following set of questions:

1) Is it possible to specify to find events in the forward direction (i.e. children of the analyzed process) or in the reverse direction (i.e. parents of the analyzed process)

2) Is it possible to limit the number of events(processes) that are in the graph say we only get 3 events of the same above graph. Something like

Screenshot 2022-10-20 at 11.20.11 PM
Screenshot 2022-10-20 at 11.20.11 PM740×370 24 KB

The goal of this is to match a subgraph based on a query.

Any help, direction is appreciated.

2

Hey @Sheharyar_Khalid , looks like you're trying to build a query that specifically looks for process descendants, and then, the inverse?

This isn't possible unfortunately. Neither is limiting the events in the graph.

Also, thanks for trying out and using eqlplayground!

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.