Analyze Event Tool - Subgraph Extraction?

Sheharyar_Khalid · October 20, 2022, 6:24pm

Hello,
I am trying to find event correlations using eql. For this I am using the eqlplayground.io with everything set to default. I am using the sample query given by eql:

//This is a placeholder query, please feel free to try your own, or use some of the example in the notes tab.

sequence by process.entity_id with maxspan=10s
  [process where process.name : "rundll32.exe" and event.type == "start"]
  [network where process.name : "rundll32.exe" and not cidrmatch(destination.ip, "10.0.0.0/8",  "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Once the event matches, the resulting analyze event 3D graph generated is:

I have the following set of questions:

1) Is it possible to specify to find events in the forward direction (i.e. children of the analyzed process) or in the reverse direction (i.e. parents of the analyzed process)

2) Is it possible to limit the number of events(processes) that are in the graph say we only get 3 events of the same above graph. Something like

The goal of this is to match a subgraph based on a query.

Any help, direction is appreciated.

jamesspi · November 2, 2022, 1:12am

Hey @Sheharyar_Khalid , looks like you're trying to build a query that specifically looks for process descendants, and then, the inverse?

This isn't possible unfortunately. Neither is limiting the events in the graph.

Also, thanks for trying out and using eqlplayground!

system · November 30, 2022, 1:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.